Security
Last updated: 20 April 2026
QED Trucking handles compliance-grade fleet data: walkaround checks that DVSA may ask to see, signed PODs, per-job profit numbers. The platform is designed to protect that data end-to-end.
Infrastructure
- Application hosting on Vercel (London region) — automatic TLS, DDoS protection, SOC 2 Type II.
- Database on Supabase (Dublin region) — Postgres with daily backups and point-in-time recovery, SOC 2 Type II.
- File storage in private Supabase buckets. Every photo, signature and document is served only through short-lived signed URLs; no content is public.
- All traffic is HTTPS. HSTS is enabled. Strict security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are set at the edge.
Multi-tenant isolation
Every table that stores fleet data has an org_id column. Postgres row-level security policies enforce that a user can only read rows matching their own org. No data crosses organisational boundaries — this is database-enforced, not just UI-enforced.
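The database-enforced isolation described above, shown as an added example that is not QED Trucking's own schema or policy code. The table name, role and `app.current_org` session setting are assumptions; only the `org_id` column comes from this page.

```sql
-- Added example. Table, role and setting names are hypothetical; only org_id is from the page.
-- Run as a superuser on a scratch Postgres database.
CREATE TABLE walkaround_checks (
    id      int PRIMARY KEY,
    org_id  uuid NOT NULL,
    vehicle text NOT NULL,
    passed  boolean NOT NULL
);

-- Constructed sample rows for two organisations, loaded before RLS is switched on.
INSERT INTO walkaround_checks VALUES
    (1, '11111111-1111-1111-1111-111111111111', 'AB12 CDE', true),
    (2, '22222222-2222-2222-2222-222222222222', 'XY34 ZZZ', false);

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON walkaround_checks TO app_user;

ALTER TABLE walkaround_checks ENABLE ROW LEVEL SECURITY;
ALTER TABLE walkaround_checks FORCE ROW LEVEL SECURITY;  -- the table owner is filtered too

-- Assumption: the backend copies the org from the verified session into
-- app.current_org at the start of each transaction.
-- NULLIF turns an empty setting into NULL, so a missing org matches no rows.
CREATE POLICY tenant_isolation ON walkaround_checks
    FOR ALL TO app_user
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Session for organisation 1111...: reads are filtered by USING.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);
SELECT id, org_id, vehicle FROM walkaround_checks;
-- An UPDATE aimed at the other tenant's row finds nothing to change.
UPDATE walkaround_checks SET passed = true WHERE id = 2;
-- Writing a row for another org is refused by WITH CHECK.
INSERT INTO walkaround_checks VALUES
    (3, '22222222-2222-2222-2222-222222222222', 'FAKE 001', true);
ROLLBACK;

-- No org in the session: the policy compares against NULL and exposes nothing.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM walkaround_checks;
ROLLBACK;
```

The policy only holds for roles that are subject to RLS; superusers and roles with BYPASSRLS skip it, which is why a service-level key must stay server-side.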
Authentication
- Operators sign in with email + password or phone + PIN. Passwords are hashed with bcrypt by Supabase Auth.
- Driver PINs are hashed with bcrypt and protected by a progressive cooldown after consecutive failed attempts.
- Sessions use httpOnly, Secure, SameSite cookies. Service role keys never reach the browser.
AI and third-party processing
Voice transcription and photo parsing go through Anthropic. Our agreement disallows use of your data for training. WhatsApp messaging goes through Twilio's WhatsApp Business API; message content is retained by Twilio only for their standard delivery windows.
Monitoring
Runtime errors flow to Sentry with PII scrubbing. Product analytics use PostHog with pseudonymised identifiers. Security events (repeated PIN failures, auth anomalies) are alerted in near real time.
Incident response
If we discover a security incident that affects your data, we will notify the account owner within 72 hours with what happened, what was affected, and what we're doing about it — ahead of any legal deadline.
Reporting a vulnerability
Found something? Please email help@qedtrucking.co.uk. We aim to acknowledge within 48 hours. No bounty yet, but we will credit responsible disclosures on this page with your permission.
Questions?
Email help@qedtrucking.co.uk or use the contact form. This document is a plain-language summary of our current practice and will be superseded by the final policy once our solicitor reviews it.