Security & compliance

Documented controls. Honest qualifiers.

FleetCommand serves regulated, high-stakes operations. This page is the honest version of our security posture — what we run today, what we're still implementing, and where we'd sit in your enterprise procurement review. Procurement teams: skip the marketing — go straight to the matrix.

No. 01

Compliance posture

We use precise language. "Aligned" means the controls are implemented and documented but the formal audit has not completed. "Audit-ready" means we are prepared to produce evidence on request. "Certified" will appear here only when we hold a current attestation.

ISO 27001:2022
Audit-ready · controls implemented · 2026 Q4 attestation target
SOC 2 Type II
Implementation in progress · Type I report 2026 Q3 target
GDPR (EU)
Aligned · DSAR portal live · 30-day fulfillment SLA
CCPA / CPRA (US)
Aligned · consumer rights flow live
OWASP Top 10 (2021)
Mitigations covered · annual third-party pentest planned
PCI-DSS
Out of scope — we don't store cardholder data
HIPAA
Out of scope — not a healthcare workload

No. 02

Encryption

In transit
TLS 1.3 enforced · HSTS preload · perfect forward secrecy
At rest
AES-256 · AWS KMS-managed keys · automated rotation
Database
RDS Postgres 16 · encryption-at-rest · automated daily snapshots
Backups
S3 server-side encryption · cross-region replication for prod
Mobile
Driver app uses platform secure storage (EncryptedSharedPreferences / iOS Keychain)

No. 03

Identity & access

Authentication
JWT access tokens · refresh tokens · short TTLs
MFA
TOTP available · enforced on admin and finance roles
RBAC
Role-based permissions to bay-clerk granularity
Tenant isolation
Row-level organisationId scoping enforced in service layer
API access
Dual auth: JWT (interactive) + API keys (machine-to-machine)
Audit logs
Authentication events, permission changes, admin actions logged

No. 04

Infrastructure

Hosting
AWS · eu-west-1 (Ireland) · production
Compute
ECS Fargate · isolated task IAM roles · no shared SSH
Network
VPC · security-group ingress restriction · TLS-only public surface
Secrets
AWS Secrets Manager · no plaintext secrets in container envs (in progress)
Logging
CloudWatch · structured JSON · retention policies enforced
DDoS / WAF
CloudFront edge · AWS WAF rule set planned 2026 Q3

No. 05

Application security

SSDLC
Code review on every change · type checks and linting in CI
Dependencies
Automated SCA · monthly review · critical CVE patches < 7 days
Webhooks
Per-tenant signing secret · HMAC-SHA256 timing-safe verification
Rate limiting
Per-IP and per-tenant on auth and lead endpoints
Input validation
Strict schema on every API surface · honeypots on public forms
Browser hardening
HSTS, CSP, X-Frame-Options DENY, Referrer-Policy strict-origin
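
The webhooks row above names two controls: a signing secret issued per tenant and a timing-safe HMAC-SHA256 check on the receiving side. The Python below is an added illustration of that pattern, not FleetCommand's own code; the header name, the in-memory tenant-secret table, the sample event body and the hex-digest encoding are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed per-tenant secrets for the example. In a real deployment these
# live in a secrets manager and are never embedded in source.
TENANT_SECRETS = {
    "tenant-a": b"tenant-a-signing-secret-placeholder",
    "tenant-b": b"tenant-b-signing-secret-placeholder",
}

# Assumed header name carrying the hex-encoded HMAC-SHA256 of the raw body.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that will be transmitted."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(tenant_id: str, body: bytes, headers: dict) -> bool:
    """Receiver side: recompute the MAC with the tenant's own secret and compare
    in constant time. Returns False for unknown tenants, missing or malformed
    headers, and any mismatch; it never raises on attacker-controlled input."""
    secret = TENANT_SECRETS.get(tenant_id)
    if secret is None:
        return False  # unknown tenant: nothing to verify against

    presented = headers.get(SIGNATURE_HEADER)
    if not isinstance(presented, str) or not presented:
        return False

    # Verify over the raw request bytes, not a re-serialised copy: re-encoding
    # JSON can change whitespace or key order and would break the MAC.
    expected = sign_payload(secret, body)

    # compare_digest's running time does not depend on where the inputs first
    # differ. Comparing as bytes also avoids the TypeError that str inputs
    # containing non-ASCII characters would trigger.
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample delivery: tenant-a signs, receiver checks.
    body = b'{"event":"pod.created","id":"pod_123"}'
    sig = sign_payload(TENANT_SECRETS["tenant-a"], body)
    print("genuine delivery:", verify_webhook("tenant-a", body, {SIGNATURE_HEADER: sig}))
    print("replayed to tenant-b:", verify_webhook("tenant-b", body, {SIGNATURE_HEADER: sig}))
    print("tampered body:", verify_webhook("tenant-a", body + b" ", {SIGNATURE_HEADER: sig}))
    print("missing header:", verify_webhook("tenant-a", body, {}))
```

The per-tenant secret is what makes a signature captured from one tenant useless against another, which is why the lookup is keyed by the tenant the endpoint belongs to rather than by anything in the request body. The check deliberately returns False for every failure class instead of raising, so callers cannot leak which step rejected the delivery.
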

No. 06

Privacy & data handling

Data minimisation
Only data needed for ops is collected — driver-photo PII protected
Retention
Per-tenant retention policy · POD evidence kept ≥ 36 months by default
Subject access
Self-service export and erasure flows · 30-day SLA
Data residency
Default region: eu-west-1. Other regions available on Enterprise.
Sub-processors
AWS · Mix Telematics · published list available on request

No. 07

Incident response & disclosure

If you believe you've found a vulnerability, please report it to security@fixplum.co (PGP available on request). We commit to acknowledging within 2 business days and to coordinated disclosure on a 90-day timeline.

Severity classification
CVSS 3.1 · internal triage within 24h
Customer notification
Material incidents notified within 72h
Post-mortems
Published privately to affected tenants · root cause + remediation
Bug bounty
Private programme — invite available for security researchers

Need our procurement pack?

We share an architecture diagram, sub-processor list, encryption key lifecycle, and answers to the standard CAIQ questions on request.