At a glance
Security practices
Encryption at rest & in transit
All data encrypted with AES-256 at rest. TLS 1.3 for all network connections. Stripe handles all payment data — we never see card numbers.
Identity verification
Stripe Identity verifies your licence + selfie before issuing your IDP. Identity documents are deleted within 30 days of verification.
Access controls
Row-Level Security on every database table. Admin actions audit-logged. Two-person review required for refunds >$200 and account deletions.
Two-factor authentication
Optional TOTP-based 2FA for customer accounts. Mandatory for all admin accounts. Recovery codes provided at enrollment.
Vulnerability disclosure
We publish a security.txt and respond to disclosures within 24 hours. Bug bounty program live for verified researchers.
Backup & recovery
Daily encrypted backups across 3 geographic regions. Tested recovery SLA: 4 hours. Audited quarterly.
Compliance & certifications
RoadSeal IDP documents follow the format defined by the United Nations road traffic treaties — the 1949 Geneva Convention on Road Traffic and the 1968 Vienna Convention on Road Traffic. The full treaty texts are available from the UN Treaty Collection. How we verify the claims on this site is documented in our Editorial Policy.
| Framework | Status | Last reviewed |
|---|---|---|
| GDPR (Articles 17, 20, 25) | Compliant | Q1 2026 |
| CCPA / CPRA | Aligned | Q1 2026 |
| UK Data Protection Act 2018 | Compliant | Q1 2026 |
| PCI-DSS (via Stripe) | Level 1 inherited | Q4 2025 |
| SOC 2 Type II | In progress (Q4 2026) | — |
| ISO 27001 | Planned (2027) | — |
Sub-processors
We work with these vendors to operate RoadSeal. Each has signed a DPA aligned with our privacy policy. Last updated April 2026.
| Vendor | Purpose | Data residency |
|---|---|---|
| Stripe | Payment processing & identity verification | USA / Ireland |
| Supabase (PostgreSQL) | Application database + auth | EU (Frankfurt) |
| Cloudflare Pages | Static hosting + CDN | Global edge |
| SendGrid | Transactional email delivery | USA |
| Anthropic (Claude API) | AI chat assistant — when enabled by user | USA |
| Trustpilot | Review collection — opt-in | EU (Denmark) |
| Google (GA4 + Maps) | Analytics + address lookup — consent-gated | USA + Global |
Audit timeline
SOC 2 Type II certification
Annual review of all security controls by a CPA firm.
SOC 2 Type I report
First milestone — independent attestation of security posture.
Penetration test — passed
Independent external pen test by Cobalt.io. 0 critical findings, 2 medium, 4 low — all remediated within 14 days.
GDPR DPIA completed
Data Protection Impact Assessment for IDP processing flow. Reviewed by external DPO.
RLS audit on all 21 tables
Every table verified to enforce row-level isolation between customers and admins.
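The row-level isolation described under Access controls and in this audit entry is a PostgreSQL feature, so the pattern and the audit check can be shown concretely. The following is an added example, not RoadSeal's own schema, policies or audit script. It assumes a hypothetical table public.idp_orders with an owning user_id column, a Supabase-style auth.uid() function that returns the caller's user id, and a hypothetical is_admin() helper defined inline that reads an assumed 'role' claim from the request JWT.

```sql
-- Added example, not RoadSeal's own schema or policies.
-- Assumptions: hypothetical table public.idp_orders, Supabase-style auth.uid(),
-- and a hypothetical is_admin() helper reading an assumed JWT 'role' claim.

create table if not exists public.idp_orders (
  id      bigint generated always as identity primary key,
  user_id uuid not null,
  status  text not null default 'pending'
);

-- 1. Enable RLS. Until this is on, any policies below are simply ignored.
alter table public.idp_orders enable row level security;
-- FORCE applies the policies to the table owner as well.
alter table public.idp_orders force row level security;

-- 2. Customers can only read and write rows whose user_id is their own.
create policy customer_isolation on public.idp_orders
  for all
  using      (user_id = auth.uid())
  with check (user_id = auth.uid());

-- 3. Admin access is granted by a separate, explicit policy rather than by
--    weakening the customer one. is_admin() is hypothetical: it treats a
--    'role' claim of 'admin' in the request JWT as the admin signal.
create or replace function public.is_admin() returns boolean
  language sql stable as $$
    select coalesce(
      current_setting('request.jwt.claims', true)::jsonb ->> 'role', ''
    ) = 'admin'
  $$;

create policy admin_access on public.idp_orders
  for all
  using (public.is_admin());

-- 4. Audit check: every ordinary table in the public schema must have RLS
--    enabled and forced. After a complete rollout this returns zero rows.
select n.nspname as schema_name,
       c.relname as table_name,
       c.relrowsecurity,
       c.relforcerowsecurity
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and (not c.relrowsecurity or not c.relforcerowsecurity);

-- 5. A table with RLS enabled but no policy denies all rows to ordinary roles.
--    List such tables so a "locked but unusable" table is noticed during audit.
select c.relname as table_without_policies
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and c.relrowsecurity
  and not exists (select 1 from pg_policy p where p.polrelid = c.oid);
```

Two caveats matter when reading the audit queries. First, superusers and roles with the BYPASSRLS attribute are never subject to policies, so the check in step 4 says nothing about connections made with such roles (in Supabase, the service role key is one of these); isolation claims only hold for the roles the application actually uses. Second, step 4 reports tables missing RLS, but it cannot tell whether the policies on the remaining tables are correct; that still needs a per-table review of each policy's USING and WITH CHECK expressions, which is what an audit of every table entails.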
Reporting concerns
Security vulnerability
Email security@roadseal.co with details. PGP key available at /security.txt. We respond within 24 hours.
Privacy / GDPR request
Email dpo@roadseal.co or use the self-service portal for data export and deletion. 30-day SLA.
Compliance / press
Email legal@roadseal.co for legal inquiries, audit cooperation, or press requests for compliance details.
Live status
Real-time uptime, incidents, and maintenance windows on status.roadseal.co.