01
Scope
Security overview
This page describes the security posture of the TruckZen Service at a high level. It is not a certification statement and does not claim third-party audit certifications or guarantees.
02
Controls
Access
- Role-based access. Application features are gated by roles. Users only see the surfaces their role allows.
- Shop and tenant scoping. Data is scoped to the shop or tenant a user belongs to. Cross-shop reads from a non-administrator account are not permitted by the API surface.
- Authentication. Sign-in flows include password reset, two-factor authentication, failed-attempt visibility, and IP throttling for repeat failures.
03
Traceability
Audit and accountability
- Sensitive administrative actions are recorded in internal activity logs where applicable so a shop owner or platform owner can review what changed.
- Policy acceptance for Terms, Privacy, and related required policies is recorded server-side per user.
- Security diagnostics avoid raw credentials, authorization headers, request bodies, API keys, tokens, and full URLs.
04
Recovery
Backups and retention
- The database is backed up on a regular schedule. Backups have a bounded retention window and are monitored for completion and failure.
- Soft-deleted records have a finite Trash window; rows older than the configured window are eligible for hard deletion.
- See the Privacy Policy for the broader retention framework.
05
Runtime
Operational monitoring
- The AWS production runtime uses AWS operational logs and alarms for service diagnostics.
- Sentry diagnostics are sanitized, and optional diagnostics are user-controllable from the Cookie Preferences Center.
- Public error pages show an opaque incident identifier instead of raw exception detail.
06
Contact
Reporting a concern
If you believe you found a vulnerability, account compromise, or data-handling issue, email support@truckzen.pro. Include what you observed, when it happened, and the smallest set of reproduction steps. Do not include third-party data you do not own.