SECURITY AT PREVAYL

We protect your data with enterprise-grade controls, transparent practices, and continuous security monitoring.

SOC 2 Type I — In Progress
Prevayl is undergoing SOC 2 Type I audit certification. Type II target: Q4 2026. Our controls map to AICPA Trust Services Criteria: Security (CC), Availability (A), Confidentiality (C), and Privacy (P).

๐Ÿ”Encryption

  • All data in transit encrypted via TLS 1.2+ (HSTS enforced)
  • Data at rest encrypted using AES-256 (Supabase managed)
  • Database backups encrypted with separate keys
  • API keys and secrets stored as environment variables, never in source code

๐Ÿ›ก๏ธAccess Controls

  • Role-based access control (RBAC): dispatcher, carrier, dealer, accounting, partner, admin
  • Row-Level Security (RLS) enforced at the database layer via Supabase
  • Admin actions require MFA (rolling out Q2 2026)
  • Least-privilege principle applied to all service accounts
  • Session tokens expire after inactivity

๐Ÿ“Audit Logging

  • All privileged actions logged with user ID, timestamp, and IP address
  • Audit logs are insert-only — no modification or deletion permitted
  • Logs retained for a minimum of 2 years per SOC 2 requirements
  • Anomaly alerts for off-hours admin access and mass data exports

๐Ÿ—๏ธInfrastructure

  • Hosted on DigitalOcean (SOC 2 Type II certified) — US East region
  • UFW firewall — only ports 80, 443, 22 publicly accessible
  • Fail2ban active: SSH brute-force protection, 2,000+ IPs blocked to date
  • SSH key-only authentication — password auth disabled
  • Automated dependency security scanning via GitHub Dependabot
  • nginx reverse proxy with security headers (HSTS, X-Frame-Options, etc.)

Availability & Resilience

  • PM2 process manager with automatic restart on crash
  • Daily database backups via Supabase (7-day retention, Point-in-Time Recovery)
  • Uptime monitoring at /api/health
  • Incident response plan in place (RTO: 4h, RPO: 24h)

๐ŸคVendor Management

  • All subprocessors reviewed for SOC 2 / ISO 27001 compliance
  • Data processing agreements (DPAs) in place with key vendors
  • Full subprocessor list maintained at /legal/subprocessors

๐Ÿ› Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please email us at [email protected] with details of the finding.

We commit to: (1) acknowledging your report within 48 hours, (2) keeping you updated on our remediation progress, and (3) not pursuing legal action against good-faith researchers following responsible disclosure.

View security.txt

Last updated: April 30, 2026

© 2026 Prevayl Inc. All rights reserved.