
Security & Trust

How FleetForge protects your data — last updated May 17, 2026

Security is the foundation of trust. This page describes how Avi Technologies protects the data you store in FleetForge — at the infrastructure level, the application level, and the operational level — and how to report security issues responsibly.

Contents

  1. Our Security Commitment
  2. Infrastructure Security
  3. Application Security
  4. Access Controls
  5. Data Security
  6. Responsible Disclosure
  7. Incident Response
  8. Compliance
  9. Third-Party Security
  10. Questions

1. Our Security Commitment

Avi Technologies designs FleetForge with defense in depth — multiple layers of protection so a failure at any one layer does not compromise client data. We are committed to:

  • Encrypting data at rest and in transit
  • Principle of least privilege for both staff and code
  • Auditable record of every state-changing action
  • Transparent communication when something goes wrong
  • Continuous improvement through internal review and external testing

2. Infrastructure Security

  • Hosted on Amazon Web Services with primary region in Canada (ca-central-1) and disaster recovery infrastructure in the United States
  • Encryption at rest — AES-256 for databases (RDS), file storage (S3), and backups
  • Encryption in transit — TLS 1.2 minimum, modern cipher suites only, HSTS enforced
  • Network isolation — VPCs, security groups, and least-privilege IAM policies; production database is not directly accessible from the public internet
  • Automated backups — daily full backups with 30-day retention; point-in-time recovery available for the last 7 days
  • Disaster recovery — RPO ≤ 24 hours, RTO ≤ 8 hours; recovery procedures tested at least annually
  • Uptime commitment — 99.5% monthly SLA

3. Application Security

  • Authentication — passwords hashed with bcrypt (cost factor 12); never stored in plain text or reversibly encrypted
  • Session management — secure, HttpOnly, SameSite=Lax cookies; session regenerated on login and privilege change
  • CSRF protection — token validated on every state-changing request
  • Input validation — server-side validation on every endpoint; allow-lists where the value space is bounded
  • Output escaping — context-appropriate escaping (HTML, attribute, JS, URL) to prevent XSS
  • SQL injection prevention — exclusively parameterized queries via PDO; no string concatenation of user input into SQL
  • Rate limiting — login attempts and API endpoints rate-limited per IP and per user
  • Account lockout — automatic 15-minute lockout after 5 failed login attempts within 15 minutes
  • File uploads — MIME type detected server-side (never trusting client headers); allowed types restricted; uploaded files served via signed URLs only
  • Content Security Policy — strict CSP with no inline scripts, no unsafe-eval, vendor assets self-hosted
  • Dependency management — Composer + npm dependencies scanned for known vulnerabilities on every build; security advisories tracked

4. Access Controls

  • Role-based access control — five built-in roles (Developer, Manager, Dispatcher, Accountant, Read-only) plus per-user permission overrides
  • Audit logging — every create / update / delete recorded in an immutable audit log with user, IP, user-agent, and timestamp
  • Admin-only account creation — no public self-registration; new users join only by invitation from an existing admin
  • Multi-factor authentication — TOTP-based MFA supported; required-for-role policy enforceable per Client
  • Session timeout — idle sessions expire after 8 hours by default; configurable per Client
  • Internal access — Avi Technologies staff access production data only on a need-to-know basis, with all access logged and reviewed

5. Data Security

  • Tenant isolation — each Client's data is logically isolated at the database row level with foreign-key constraints; queries always scoped to the current Client
  • GPS & telematics data — encrypted at rest; retained in hot storage for 90 days, then archived for up to 1 year; never sold
  • Financial data — encrypted at rest; tax data retained per CRA requirements (7 years)
  • PII handling — minimum necessary for service operation; see the Privacy Policy for full details
  • Data deletion — upon Subscription termination, data is deleted or anonymized within 90 days (subject to legal retention)
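The login path that sections 3, 4 and 5 describe (bcrypt at cost factor 12, the 15-minute lockout after 5 failures within 15 minutes, session regeneration on login, an audit record with user, IP, user-agent and timestamp, and parameterized PDO queries always scoped to the current Client), written out as an added PHP illustration that is not FleetForge's own code. The table and column names (users, login_failures, audit_log, locked_until) and the way lockouts are recorded are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not FleetForge's own code. Tables users(id, client_id, email,
// password_hash, locked_until), login_failures(user_id, attempted_at) and audit_log are assumed.
const BCRYPT_COST = 12;      // stated cost factor
const MAX_FAILURES = 5;      // 5 failures ...
const FAILURE_WINDOW = 900;  // ... within 15 minutes ...
const LOCKOUT_SECONDS = 900; // ... lock the account for 15 minutes

function hashPassword(string $p): string { return password_hash($p, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]); }

/** Audit record (append-only table assumed): user, IP, user-agent and timestamp for every state change. */
function audit(PDO $db, int $clientId, ?int $userId, string $action, string $ip, string $ua): void
{
    $db->prepare('INSERT INTO audit_log (client_id, user_id, action, ip, user_agent, ts) VALUES (?, ?, ?, ?, ?, ?)')
       ->execute([$clientId, $userId, $action, $ip, $ua, time()]);
}

function attemptLogin(PDO $db, int $clientId, string $email, string $password, string $ip, string $ua): bool
{
    $now = time();
    // Scoped to the current Client; user input reaches SQL only as bound parameters, never by concatenation.
    $q = $db->prepare('SELECT id, password_hash, locked_until FROM users WHERE client_id = ? AND email = ?');
    $q->execute([$clientId, $email]);
    $user = $q->fetch(PDO::FETCH_ASSOC) ?: null;
    $uid = $user === null ? null : (int) $user['id'];
    if ($user !== null && (int) $user['locked_until'] > $now) {
        audit($db, $clientId, $uid, 'login.locked', $ip, $ua);
        return false;                          // lockout still active: the password is not even checked
    }
    if ($user !== null && password_verify($password, $user['password_hash'])) {
        $db->prepare('DELETE FROM login_failures WHERE user_id = ?')->execute([$uid]);
        session_regenerate_id(true);           // fresh session id on login (session assumed started)
        audit($db, $clientId, $uid, 'login.success', $ip, $ua);
        return true;
    }
    if ($user === null) {
        // Unknown email: verify against a dummy hash so response time does not reveal which emails exist.
        static $dummy = null;
        password_verify($password, $dummy ??= hashPassword('no-such-user'));
    } else {
        $db->prepare('INSERT INTO login_failures (user_id, attempted_at) VALUES (?, ?)')->execute([$uid, $now]);
        $c = $db->prepare('SELECT COUNT(*) FROM login_failures WHERE user_id = ? AND attempted_at > ?');
        $c->execute([$uid, $now - FAILURE_WINDOW]);
        if ((int) $c->fetchColumn() >= MAX_FAILURES) {
            $db->prepare('UPDATE users SET locked_until = ? WHERE id = ?')->execute([$now + LOCKOUT_SECONDS, $uid]);
        }
    }
    audit($db, $clientId, $uid, 'login.failure', $ip, $ua);
    return false;
}
```

Because the lookup is keyed on both client_id and email, a valid email belonging to another Client never matches, and a locked account is rejected before any hash comparison runs.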

6. Responsible Disclosure

We welcome reports from security researchers and any user who identifies a vulnerability in FleetForge. Please report responsibly:

Email: security@avitechnologies.ca

We commit to:

  • Acknowledge your report within 48 hours
  • Investigate promptly and keep you informed of progress
  • Not pursue legal action against good-faith security researchers who:
    • Do not access client data beyond what is necessary to demonstrate the vulnerability
    • Do not perform denial-of-service attacks or destructive testing
    • Do not use social engineering against Avi Technologies staff or its customers
    • Give us a reasonable opportunity to remediate before public disclosure
  • Credit researchers in our security acknowledgements (if requested)

We do not currently operate a paid bug bounty program but appreciate every report.

7. Incident Response

  • Initial assessment within 4 hours of detection
  • Containment as the first priority — affected systems isolated, credentials rotated
  • Client notification within 72 hours where personal data is affected, per PIPEDA obligations
  • Root cause analysis conducted after the incident is resolved
  • Post-incident report available to affected Clients on request
  • Regulatory notification handled per PIPEDA, BC PIPA, and applicable foreign law

8. Compliance

FleetForge is designed to support our Clients' compliance with:

  • PIPEDA — Personal Information Protection and Electronic Documents Act (Canada)
  • BC PIPA — Personal Information Protection Act (British Columbia)
  • CASL — Canada's Anti-Spam Legislation (transactional emails are permitted; commercial messaging requires Client-side consent management)
  • Canadian transportation regulations — record retention for commercial fleet operations
  • GDPR — for Clients processing personal data of EU residents, supported via the Data Processing Agreement and SCCs as applicable
  • CRA invoice requirements — sequential numbering, GST/HST disclosure, 7-year retention

9. Third-Party Security

We rely on infrastructure providers that maintain industry-standard certifications:

  • Amazon Web Services — ISO 27001, SOC 1, SOC 2 Type II, SOC 3, PCI DSS Level 1, FedRAMP (see the AWS Compliance programs page)
  • Samsara (optional telematics integration) — ISO 27001, SOC 2 Type II
  • Anthropic (optional AI features) — SOC 2 Type II, zero-retention enterprise terms

Application dependencies are self-hosted within FleetForge (no runtime CDN dependencies for fonts, scripts, or styles) to minimize third-party attack surface.

10. Questions

Security questions, compliance documentation requests, or vulnerability reports: security@avitechnologies.ca

For SOC 2 reports, penetration test summaries, or other security artefacts under NDA, please contact security@avitechnologies.ca and reference your account.


© 2026 Avi Technologies Inc. All rights reserved. FleetForge is software by Avi Technologies.