Shipmater

Trust & Security

Platform Compliance

Shipmater is built on a compliance-first foundation. Every layer — from carrier verification to payment handling to data storage — is designed to meet regulatory requirements and protect every party on the platform.

SOC 2 Type II: In Progress
HIPAA Aligned: Active
PCI DSS (via Stripe): Active
GDPR: Active
CCPA: Active
FMCSA Compliant: Active

Data Encryption

  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Sanctum-issued Bearer tokens for API authentication
  • Passwords hashed using bcrypt with a minimum cost factor of 12
  • No plain-text credentials stored anywhere in the system

Carrier Screening

  • DOT number and MC authority verified against FMCSA records
  • Certificate of insurance required and expiry-tracked
  • Background check status tracked per driver
  • Service type–specific certification requirements enforced

Regulatory Compliance

  • HIPAA-aligned handling for medical shipment data
  • FMCSA cargo securement rules applied to all freight jobs
  • DOT drug and alcohol testing compliance tracked per carrier
  • Hazmat shipments require HAZMAT-endorsed carriers only

Data Privacy

  • CCPA- and GDPR-aligned data handling practices
  • Users can request data export or deletion at any time
  • Third-party data sharing limited to payment processing and verification
  • Audit logs retained for all shipment and financial actions

Infrastructure Security

  • Hosted on Railway with isolated container environments
  • Automated daily database backups with point-in-time recovery
  • Health monitoring and automatic restart on service failure
  • Production credentials managed via environment variables — never in code

Incident Response

  • Breach notification within 72 hours per GDPR Article 33
  • Dedicated incident response process with documented runbooks
  • Automated anomaly detection on authentication and payment flows
  • Dispute resolution team available for shipment conflicts

Continuous Compliance

Compliance is not a one-time audit. Shipmater runs automated certificate expiry tracking, continuous carrier status monitoring, and quarterly internal reviews against FMCSA, HIPAA, and data protection frameworks. Carriers who fall out of compliance are flagged and suspended from receiving jobs until resolved.

Questions about compliance?

Our trust and safety team is available to answer specific regulatory or security questions.