Private / Applications · DOC · SEC-01 · Rev. 2026.04 · Public

Your data stays yours.

§ 01

Three commitments.

Everything that follows — the architecture, the controls, the paperwork — is us honoring these three statements. If we ever break one, the entire relationship is on the table.

01 / Ownership

You own your data.
We are stewards, not proprietors.

Every bit of operational data you send us remains your property — contractually, legally, and architecturally. On termination we return or destroy it, your choice, on your timeline.

02 / Residence

Your data does not leave your jurisdiction.

US carrier data stays in US regions. Canadian carrier data stays in Canadian regions. No cross-border replication, no “eventual consistency” through a foreign zone, no telemetry sent off-continent.

03 / Training

Your data never trains a general model.

Models trained on your operational data are trained for you, deployed to your tenant, and never re-used for another customer. Foundation-model calls go through a zero-retention contract.

SOC 2 Type II: Audited
NIST SP 800-53: Aligned · Rev 5
ISO 27001: In progress · Q3
Data residency: US · CA sovereign
Cloud posture: FedRAMP-baseline
Penetration tests: Annual · 3rd party
§ 02

The boundary.

How a request moves through our system — and where the fence between your network and ours actually sits. Single-tenant where it matters, isolated everywhere else.

01 // Your network
Dispatch, geometry-car uploads, maintenance systems, GIS, crew calling. Never leaves your perimeter without policy.
YOUR SIDE
02 // Integration gateway
Deployed into your VPC or on-prem. Reads what your policy allows, nothing more. Outbound-only, mutually-authenticated to a single published endpoint.
YOUR SIDE
BOUNDARY · mTLS · IP-allowlisted · WAF · per-tenant keys
03 // Tenant ingress
Terminates in a per-carrier tenant. No shared ingress path, no shared queue, no shared service identity.
OUR SIDE
04 // Single-tenant data plane
Your database, your object store, your key ring — all physically separate from every other customer. Encryption keys never cross tenant boundaries.
OUR SIDE
05 // Compute · scoped
AI workloads run in a per-tenant enclave. Foundation-model calls are zero-retention and content-logged on your side, not ours.
OUR SIDE
06 // Air-gapped option
For carriers under federal obligation, the entire stack deploys into your VPC or on-prem. No data ever reaches our cloud. Same product, same releases, updated by signed artifact.
YOUR SIDE
§ 03

Controls.

The day-to-day mechanics — encryption, access, logging, supply chain. These are the line items a CISO expects to see, with the specific choices we've made.

01 · Encryption: AES-256 · TLS 1.3

At rest and in flight — every hop.

Envelope encryption with per-tenant KMS keys you control. Bring-your-own-key supported; customer-controlled revocation cuts access in seconds, not hours.

Ref: NIST SP 800-57 · FIPS 140-3
02 · Identity: SAML · SCIM · WebAuthn

Your IdP is the only way in.

No standalone accounts. SSO through your identity provider, provisioning through SCIM, MFA enforced via hardware keys or FIDO2. Service accounts are short-lived and scoped.

Ref: NIST SP 800-63B · AAL3
03 · Authorization: Zero-trust · RBAC + ABAC

Least privilege, continuously re-checked.

Every request carries its own authorization context. No ambient network trust. Attribute-based policies enforced at the data layer — not bolted on at the API.

Ref: NIST SP 800-207
04 · Audit: Immutable · tenant-exportable

Every action is logged.

Who did what, when, from where, against which record. Logs are append-only, timestamped, signed, and streamed to your SIEM in real time. We cannot redact them after the fact.

Ref: NIST SP 800-92
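As an added example (not the vendor's own code), here is the customer-side check that the append-only, signed log described above makes possible: each entry carries the hash of its predecessor and an HMAC over its own hash, so an entry removed, reordered or edited after the fact breaks the chain when the exported log is compared with the copy streamed to your SIEM. The tenant key, the event fields and the sample entries are constructed for the example.

```python
import hashlib, hmac, json, time
from typing import Dict, List, Optional

# Constructed per-tenant signing key for the example; the page places the real
# key in an HSM-backed vault, never on disk.
TENANT_KEY = b"tenant-demo-key-not-a-real-secret"
GENESIS = "0" * 64  # prev_hash of the first entry

def _canonical(body: Dict) -> bytes:
    # Deterministic serialisation so the customer recomputes identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_event(log: List[Dict], actor: str, action: str, record: str,
                 source: str, ts: Optional[int] = None) -> Dict:
    """Append one who/what/when/where/which-record entry, chained to the last."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {"seq": len(log), "ts": int(time.time()) if ts is None else ts,
            "actor": actor, "action": action, "record": record,
            "source": source, "prev_hash": prev}
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    sig = hmac.new(TENANT_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    log.append({**body, "entry_hash": entry_hash, "sig": sig})
    return log[-1]

def verify_chain(log: List[Dict], key: bytes = TENANT_KEY) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "sig")}
        if entry.get("seq") != i or body.get("prev_hash") != prev:
            return i  # gap, reorder or redaction: the chain no longer links
        recomputed = hashlib.sha256(_canonical(body)).hexdigest()
        expected = hmac.new(key, recomputed.encode(), hashlib.sha256).hexdigest()
        if recomputed != entry["entry_hash"] or not hmac.compare_digest(expected, entry["sig"]):
            return i  # field edited, or signed with a key other than the tenant's
        prev = entry["entry_hash"]
    return None

def demo():
    """Intact log, then a redacted copy and an edited copy; both fail verification."""
    log: List[Dict] = []
    append_event(log, "svc:ingest", "write", "defect/4471", "10.8.0.12", ts=1)
    append_event(log, "eng:alice", "break-glass-read", "defect/4471", "vpn-ops", ts=2)
    append_event(log, "eng:alice", "break-glass-expire", "-", "vpn-ops", ts=3)
    redacted = log[:1] + log[2:]            # the read quietly removed
    edited = [dict(e) for e in log]
    edited[1]["actor"] = "svc:ingest"       # the reader's identity rewritten
    return verify_chain(log), verify_chain(redacted), verify_chain(edited)
```

The chain alone does not stop a holder of the tenant key from rebuilding a clean log; the copy already streamed to your SIEM is what makes such a rewrite visible.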
05 · Secrets: HSM-backed · no broker

Secrets never sit on disk.

Credentials and signing keys live in an HSM-backed vault with short-leased access tokens. No engineer — including our founders — can read a production secret in clear text.

Ref: FIPS 140-3 Level 3
06 · Supply chain: SBOM · SLSA-3

Every dependency, named and signed.

Reproducible builds. Signed artifacts with provenance. CVE scanning gates every release. A software bill of materials goes with every deployment — on request, to you, monthly.

Ref: NIST SSDF · CISA guidance
07 · Patching: SLA 7d critical · 30d high

CVEs are operational work.

Critical vulnerabilities patched within seven days of disclosure; high within thirty. Emergency hotfix path tested quarterly. Zero-day response documented and rehearsed.

Ref: CVSS v4.0
08 · Red-teaming: Annual + on major release

We hire people to break us.

Independent third-party penetration testing annually, and on any architecture-scale change. Findings, remediation, and a letter of attestation are shared with any customer on request.

Ref: PTES · OWASP ASVS L2+
09 · Backup: RPO 15m · RTO 4h

Recoverable under adversarial conditions.

Point-in-time recovery with immutable, offline-capable backups — including ransomware-resistant copies outside the primary blast radius. DR drills twice a year, scored.

Ref: NIST SP 800-34
§ 04

What we touch. What we don't.

A plain classification of operational data categories — where they live, who can access them, and (important) what we deliberately refuse to ingest at all.

Class | Examples | Residence | Access
OPS · RT-TELEM | Sensor feeds, track geometry, inspection uploads, slow orders, defect registers | Your tenant only | Your SSO
OPS · HISTORY | Historical KPIs, morning-report archives, compliance records | Your tenant only | Your SSO
META · SCHEMA | Table definitions, column names, data-dictionary docs | Your tenant · backup in region | Your SSO
DERIVED · MODEL | Model weights trained on your data | Your tenant only | Your SSO
SUPPORT · LOGS | Application logs (redacted) for support tickets | In-region · 90d retention | Named engineers · audit-trailed
REFUSED | Employee PII beyond work-role · Customer-of-carrier PII · Payment data · Classified freight manifests | Not ingested | —

If a data source we're asked to integrate carries categories we refuse, we design the integration to leave them behind at your perimeter. This is a design constraint, not a promise we make after the fact.

§ 05

Who can see what.

Everyone on our side of the fence is vetted, scoped, and time-boxed. Even with a ticket in hand, no engineer can casually open your data — and when they can, you see it.

01 · Our people

Background-checked, contractually bound.

Every PRIVATE/APP employee passes a criminal-records check and signs an operational-data confidentiality covenant on day one. Annual security-awareness training, tracked. Offboarding de-provisions access within four hours.

  • Criminal records check: Required
  • Operational data NDA: Required
  • Annual training: Tracked
  • Offboarding SLA: < 4 h
  • Citizenship req (fed work): On request
02 · Customer data access

Break-glass only, never standing access.

No engineer has persistent read access to your production data. Access is requested through a ticketed break-glass workflow, auto-expires in hours, and is streamed live to your SIEM before a single record is read.

  • Standing prod access: None
  • Break-glass TTL: < 4 h
  • Customer approval: On request
  • Session recording: All
  • Live-streamed audit: Yes
§ 06

Paperwork we'll sign.

The agreements that turn our promises into enforceable terms. If you need one we don't list, ask — most of these started as a customer-driven ask.

01 · DPA

Data Processing Agreement.

You are the controller. We are the processor. Purpose limitation, sub-processor register, deletion timelines — all named. Reviewed annually.

Available on request
02 · BAA

Business Associate & information-security addenda.

Standardized security addenda (CISA, NIST, AAR-aligned) available pre-executed. Carrier-specific addenda negotiated in days, not quarters.

Pre-executed templates
03 · DORA

Notification & incident-disclosure terms.

Material-incident notice within 24 hours of confirmed impact; regulatory-grade disclosure package within 72 hours. Notification is a contractual obligation, not a courtesy.

Contractual · 24 h / 72 h
04 · AUDIT

Right-to-audit.

You, or your designated third-party auditor, may audit our controls with reasonable notice. We maintain pre-packaged evidence for the common frameworks so audits take days, not weeks.

Annual · reasonable notice
05 · EXIT

Exit & reversibility.

On termination: full export of your data in its native schemas, plus model weights trained on it, within 30 days. Destruction certificate within 60. No dark-copy retention — we write that in.

30 d export · 60 d destroy
§ 07

If something goes wrong.

A published incident runbook — the five phases, with named timeframes. You find out before a journalist does. That is the entire design goal.

T + 0
Detect
Signal from SIEM, runtime anomaly detector, or external disclosure. On-call engineer paged within 5 minutes.
T + 1 h
Contain
Affected tenants isolated. Credentials rotated. Blast radius documented. A written status goes on your tenant page.
T + 24 h
Notify
Named security contact at each affected customer receives a written material-incident notice — phone, email, signed.
T + 72 h
Disclose
Regulatory-grade disclosure package: scope, root-cause hypothesis, data exposure assessment, IOCs, remediation plan.
T + 30 d
Post-mortem
Published, blameless post-mortem, circulated to every affected customer. Control changes tracked and executed.
§ 08

Direct questions.

The questions every rail CISO asks in the first meeting — answered plainly, in the room.

Does our operational data train your models?
No. Any model trained on your data is your tenant’s model, serving your tenant only. Foundation-model calls (for narrow, scoped agents) go through zero-retention enterprise contracts — the provider cannot log, cache, or train on the request. You get a written attestation of this per integration.
Can you run entirely inside our network?
Yes. The on-prem / VPC-resident deployment ships the same product as a signed, reproducible artifact into infrastructure you control. No data leaves your perimeter. Releases are distributed on a cadence you set. We support air-gapped update paths for carriers under federal obligation.
What happens if a foreign adversary subpoenas our data from your cloud?
US carrier data lives only in US regions; Canadian carrier data lives only in Canadian regions. We do not replicate across borders. If a lawful process is served against us, you are notified to the maximum extent the law allows, and we will not voluntarily waive notification. Data encrypted with a customer-held key cannot be produced without your participation.
Who owns the models and pipelines built on our engagement?
You do. Any derived asset — pipelines, ETL code, model weights, prompt libraries, evaluation sets — is delivered to you under an unrestricted license to use, modify, and take with you if we part ways. We retain the right to use generic engineering learnings, not any asset coupled to your data.
How do we audit you?
Annual right-to-audit is written into every contract. We maintain a pre-packaged evidence room — SOC 2 report, pen-test letters, SBOMs, policy library — that supports most audits in days. For deeper audits, we host your team (or your chosen third party) on-site or via secured remote session.
What is the smallest blast radius a compromise can have?
Single customer. Because data planes, keys, and compute are per-tenant, a compromise at our infrastructure layer (say, a supply-chain breach of a shared build system) does not grant cross-tenant data access — keys are per-tenant, issued from per-tenant HSMs. Cross-tenant movement requires independently compromising each tenant’s customer-held keys, which we don’t possess.
Do you carry cyber insurance?
Yes — commercial cyber-liability and technology-E&O coverage, with named-insured endorsements available on contract. Certificates of insurance provided on request. Coverage limits scale with the engagement profile.