Security at DropHaul

We understand that you trust us with your business data, and we take that responsibility seriously. This page outlines the security measures we have in place to protect your information.

1. Data Encryption

All data transmitted between your devices and DropHaul is encrypted using TLS 1.2 or higher, ensuring that your information cannot be intercepted in transit. Data stored on our servers is encrypted at rest using AES-256 encryption, the same standard used by financial institutions and government agencies.

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • HTTPS enforced on all endpoints — no unencrypted connections

2. Infrastructure

DropHaul runs on Convex, a SOC 2 Type II compliant cloud platform. We do not operate self-managed servers, which eliminates an entire class of infrastructure security risks. Our backend benefits from Convex's enterprise-grade security posture, including:

  • SOC 2 Type II certified infrastructure
  • Automatic scaling with no shared tenancy risks
  • Continuous backups and point-in-time recovery
  • DDoS protection and rate limiting at the platform level

3. Authentication

User authentication is handled by WorkOS AuthKit, an enterprise-grade identity platform. DropHaul never stores or processes passwords directly. Our authentication architecture includes:

  • Hosted authentication pages — credentials never touch our servers
  • JWT-based session management with short-lived tokens
  • Role-based access control (RBAC) with organization-scoped permissions
  • Complete data isolation between organizations — no cross-tenant data access

4. Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of certification in the payment card industry. DropHaul never stores, processes, or has access to raw credit card numbers or payment credentials.

  • PCI DSS Level 1 compliance via Stripe
  • Webhook signature verification for all payment events
  • No raw card data ever touches our servers

5. Credential Security

When you connect third-party integrations — like Motive, Samsara, or QuickBooks — your API keys and credentials are protected by WorkOS Vault, an enterprise-grade secrets manager with hardware-backed encryption. DropHaul never stores raw credentials in our database.

  • Encrypted on entry: Keys are encrypted the moment you submit them and stored in a secure vault — decrypted only when actively syncing your data
  • Zero-knowledge storage: Not even the DropHaul team can view your credentials — they are protected by a system that keeps them hidden from everyone, including us
  • No trace left behind: Credentials are transmitted through a private channel and never written to logs, error reports, or debug files
  • Tenant isolation: Every company gets its own private encrypted space — no other organization on DropHaul can access your credentials
  • Instant deletion: When you disconnect an integration, your credentials are permanently erased from the vault immediately — nothing is retained

6. Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to us so we can address it promptly.

Report vulnerabilities to: security@drophaul.app

We commit to acknowledging receipt within 72 hours and will work with you to understand and address the issue. We ask that you give us reasonable time to investigate and remediate before public disclosure.

7. Data Retention & Deletion

DropHaul provides self-service account deletion directly within the app. When you delete your account, your personal data (profile, gamification records, notifications) is removed immediately. Organization-owned business records (service records, messages, activity logs) are retained as they belong to the organization.

  • Self-service deletion: Available in Settings on both mobile and web
  • Manual requests: Email privacy@drophaul.app — processed within 30 days
  • Authentication cleanup: User records are also removed from our identity provider (WorkOS)