How we protect your data
FreightBid is built for food and cold chain shippers, including those handling USDA procurement. This page documents our actual security posture — what's implemented, what's planned, and what we don't yet have.
Render: Application hosting · SOC 2 Type II
Neon: PostgreSQL database · SOC 2 Type II
- Encryption at rest — all database data encrypted with AES-256 by our database provider (Neon). Application files and logs encrypted at rest on Render's infrastructure.
- Encryption in transit — all connections use TLS 1.2 or higher. Plain HTTP is redirected to HTTPS.
- US-based data centers — all data stored and processed within the United States.
- SOC 2 attested infrastructure — both Render and Neon maintain SOC 2 Type II attestation. FreightBid itself has not yet undergone SOC 2 audit (see roadmap below).
A note on SOC 2: Our infrastructure providers (Render and Neon) are SOC 2 Type II attested. This means the underlying hosting and database services meet independent security standards. FreightBid as a product has not yet completed its own SOC 2 audit — that's on our roadmap. We believe in stating this clearly rather than implying inherited attestation.
- Your data is yours. RFQ data, bid history, lane pricing, and broker communications are stored in your account and not accessible to other shippers.
- No data selling or sharing. We do not sell, rent, or share your freight data with third parties.
- No AI training on customer data. Your data is not used to train AI or machine learning models — ours or anyone else's.
- Broker access is scoped. Brokers receive single-use email links to submit quotes on specific RFQs. They cannot browse your lane history, other RFQs, or account details.
- Email opt-out honored. All bulk email respects CAN-SPAM opt-out. Unsubscribes are permanent and recorded in our database.
- Email-verified accounts. New accounts require email verification before access is granted.
- Passwords hashed with bcrypt. Passwords are never stored in plaintext. We use bcrypt with a work factor of 12 — testing candidate passwords against the stored hash is computationally expensive, so brute-forcing it is slow even if the database were exposed.
- JWT-based session tokens. Authenticated sessions use signed JSON Web Tokens. Tokens are validated server-side on every API request.
- Parameterized queries. All database queries use parameterized statements, preventing SQL injection attacks.
- Admin audit log. Destructive admin actions (account deletions, data modifications) are recorded in an audit log with actor, timestamp, and affected record.
- Password reset security. Reset tokens are single-use, time-limited (expire after a short window), and invalidated after use.
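As an added illustration (not FreightBid's own code; the page does not describe its stack), here is a minimal reset-token store that enforces the single-use and time-limited properties described above and binds every value through parameterized statements. The 15-minute window, the table layout, the SHA-256 hashing of the stored token and the sqlite3 backing are all assumptions made for the example.

```python
import hashlib
import secrets
import sqlite3

# Assumed reset window; the page only says tokens "expire after a short window".
RESET_TTL_SECONDS = 15 * 60


def open_store() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the reset-token table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE password_resets ("
        "token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at REAL, used_at REAL)"
    )
    return conn


def _hash(token: str) -> str:
    # Only the SHA-256 of the token is stored, so a leaked table row cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(conn: sqlite3.Connection, user_id: int, now: float) -> str:
    """Create a random, time-limited token for user_id and persist only its hash."""
    token = secrets.token_urlsafe(32)
    # Parameterized statement: values are bound, never interpolated into the SQL text.
    conn.execute(
        "INSERT INTO password_resets (token_hash, user_id, expires_at, used_at) "
        "VALUES (?, ?, ?, NULL)",
        (_hash(token), user_id, now + RESET_TTL_SECONDS),
    )
    return token


def redeem_reset_token(conn: sqlite3.Connection, token: str, now: float):
    """Return the user_id if the token is valid, unexpired and unused, else None.
    Setting used_at inside the same conditional UPDATE means two concurrent
    requests carrying the same token cannot both succeed: only one update wins.
    """
    token_hash = _hash(token)
    cur = conn.execute(
        "UPDATE password_resets SET used_at = ? "
        "WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?",
        (now, token_hash, now),
    )
    if cur.rowcount != 1:
        return None  # unknown token, already used, or expired
    row = conn.execute(
        "SELECT user_id FROM password_resets WHERE token_hash = ?", (token_hash,)
    ).fetchone()
    return row[0]
```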
Early-stage software has honest gaps. Here's what we haven't built yet and intend to.
- SOC 2 Type II attestation (Planned): Independent audit of our security controls, data handling, and access procedures.
- Multi-factor authentication (Planned): TOTP authenticator app support for shipper accounts. MFA is not currently available.
- Comprehensive activity logs (Planned): Full per-user audit trail: logins, RFQ actions, data exports, broker communications — accessible directly from the dashboard.
- GDPR compliance and data deletion workflows (Planned): Self-serve data export and account deletion. Currently requires a manual request to our team.
- Role-based access control (Planned): Distinct permission levels within a shipper organization — view-only, shipper, admin.