Security & Compliance

Your freight data is yours.
Full stop.

Freight invoices and carrier rates are commercially sensitive. This page explains exactly how we protect your data, what we do and don't do with it, and how to reach us with questions.

✓ TLS 1.2+ in transit ✓ AES-256 at rest ✓ EU or US data region ✓ GDPR-aligned ✓ Zero data resale ✓ No AI training on your data ⚙ SOC 2 — in progress ⚙ ISO 27001 — in progress

How we protect your data

Every layer of the stack is hardened for sensitive freight finance data.

Transit encryption TLS 1.2+ All connections between your browser and our servers use modern TLS — the same standard as online banking.
Data at rest AES-256 Invoices, shipment data, and rate tables are stored on AES-256 encrypted disks. Keys are managed by our infrastructure provider (Supabase / AWS).
Data residency EU or US — chosen at onboarding You choose your data region — EU or US — when you onboard. Each organisation's data is hosted entirely within its region (EU: AWS eu-central-1, Frankfurt) and never crosses regions. Have a specific residency requirement? Talk to us →
Tenant isolation Row-Level Security Enforced at the database layer using Postgres Row-Level Security. Your organisation's records are mathematically separated — not just filtered at the application layer.
Access control Role-based (member / admin / superadmin) Every write operation is validated server-side. Admin and superadmin roles are enforced by SECURITY DEFINER database functions, not application code.
Authentication OTP / email-based No passwords stored by default. Login is via 6-digit one-time code sent to your email. Password reset links expire after one use.

What we do not do with your data

These are contractual commitments, not just policy statements.

We do not sell your freight data

Your invoice values, carrier rates, shipment volumes, and routing data are never sold, licensed, or shared with carriers, freight brokers, market intelligence firms, or any other third party.

We do not use your data to train AI models

Your invoice and shipment data is never used to train machine learning models — ours or anyone else's. Anthropic's API terms contractually prohibit training on customer data; inputs and outputs are retained on Anthropic's systems for up to 30 days for trust-and-safety monitoring, then auto-deleted. Every AI call carries a versioned policy marker and a system-level data-protection prompt. We are pursuing a Zero Data Retention (ZDR) agreement to eliminate the retention window entirely. Full AI governance policy →

Every AI call is logged and auditable

We maintain a per-call AI audit log recording which function processed your data, which model was used, token volumes, latency, and purpose — for every invoice extraction and enrichment call. Administrators can review this log under Settings > Privacy. This supports your GDPR Art. 30 records-of-processing obligations.

We do not store payment card data

All payment processing is handled by Stripe. We never see, store, or log credit card numbers or bank account details.

No tracking or analytics inside the app

Google Analytics runs only on our public marketing pages (oracron.app). Once you log in to the platform, no third-party analytics scripts run on any page.

Regulatory compliance

We are built for European enterprise customers and their compliance requirements.

GDPR (EU 2016/679)

Full compliance. EU or US data storage (your choice). Data Processing Agreement available on request. Contact: privacy@oracron.app

SOC 2 Type II

Certification in progress. We are currently undergoing a SOC 2 Type II audit. Estimated completion: Q4 2026. Contact us to discuss timeline.

ISO 27001

Certification roadmap in place. ISO 27001 compliance programme underway. Expected certification: 2027. Ask us for our ISMS documentation.

Data retention & deletion

You can delete your organisation's data at any time. On account closure, all data is purged within 30 days. Configurable per-organisation retention policies available on Enterprise plans.

Infrastructure

We build on enterprise-grade infrastructure so you don't have to trust our word alone.

Database: Supabase (Postgres on AWS eu-central-1). Supabase is SOC 2 Type 2 certified.
Edge functions: Deno Deploy. Serverless compute runs in your organisation's region (EU by default).
Email delivery: Resend (EU data region). Used for transactional emails only. No marketing to your users without consent.
AI processing: Invoice extraction uses Anthropic's Claude API. Anthropic does not use customer data to train models under their standard API terms; inputs and outputs are retained on Anthropic's systems for up to 30 days for trust-and-safety monitoring before auto-deletion. Every API call carries a versioned X-Oracron-Policy header and a mandatory data-protection system prompt. Each call is recorded in our AI audit log with token counts, latency, and purpose — accessible to administrators under Settings > Privacy. We are evaluating a Zero Data Retention (ZDR) agreement with Anthropic to eliminate provider-side retention.
Social media integration: LinkedIn API (LinkedIn Corporation, a Microsoft company) is used exclusively to publish content to the Oracron company LinkedIn page. OAuth credentials (access and refresh tokens) are stored as server-side Supabase secrets — never in frontend code, environment files, or browser-accessible storage. No customer invoice data or personal data of Oracron's users is transmitted to LinkedIn. All API calls are made from Supabase Edge Functions inside your organisation's region.
CDN & DDoS: Cloudflare in front of all public endpoints. Automatic DDoS mitigation and WAF protection.

Responsible disclosure

If you discover a security vulnerability in Oracron, please report it to security@oracron.app. We will acknowledge receipt within 48 hours and keep you informed as we investigate. We do not operate a bug bounty programme at this stage, but we recognise responsible disclosures publicly if you consent.

Questions? We answer directly.

If you are evaluating Oracron for your organisation and need to complete a security questionnaire, request a Data Processing Agreement, or speak to someone about our compliance programme, contact us. We respond within one business day.

Last updated: May 2026 · Version 1.0 · Privacy policy · Terms of service