Trust · Last updated 2026-06-01

Security

Your shipping data tells a story about your business that you wouldn't want a competitor — or a careless vendor — to read. This page describes how ShipGenius is built so that we never become the careless vendor.

We have designed SOC 2 readiness in from day one rather than bolted it on later. Several of the controls described below are already operating; a few are scheduled ahead of our first formal audit. Each section calls out where we are.

SOC 2 Type I and Type II

ShipGenius is targeting a SOC 2 Type I report within our first six months of operation and a SOC 2 Type II report within twelve. We use Vanta to continuously monitor our control evidence — connected to GitHub, our cloud providers, our identity providers, and our secrets manager — and review the resulting findings as a standing item in our weekly engineering meeting.

Today's status: SOC 2 audit scheduled; report not yet issued. We will publish the report identifier and audit window here as soon as the first audit closes.

Encryption

In transit. All connections to ShipGenius are encrypted with TLS 1.2 or higher. HTTP Strict Transport Security is enforced and our root domain is submitted to the browser HSTS preload list, so browsers refuse to connect to ShipGenius over plain HTTP.

At rest. All customer data lives in PostgreSQL with disk-level encryption enabled. Encryption keys are managed by our database provider; ShipGenius operators do not have access to them.

Carrier credentials. Carrier API credentials get an additional layer of protection on top of disk encryption. Each credential is encrypted with a per-credential data encryption key (DEK) using AES-256 in Galois/Counter Mode. The DEK itself is encrypted by a master key (KEK) held in our secrets manager. We bind the encryption to a key-version identifier so that an attacker who somehow obtained an older key cannot use it to decrypt data encrypted under a newer one.

Decryption happens only at the moment a credential is needed for a carrier call, inside a system process. No ShipGenius employee can read a credential's plaintext. Our DEK rotation runbook documents how master keys are rotated and how all encrypted data is re-keyed without downtime.
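As an added illustration of the envelope scheme described above (example code, not ShipGenius's own; the Envelope layout, the function names and the map of KEKs keyed by version are assumptions), this Go sketch wraps a per-credential DEK under a versioned KEK and binds the key-version identifier into both ciphertexts as AES-256-GCM associated data:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the per-credential record stored at rest (hypothetical layout).
type Envelope struct {
	KeyVersion string // names the KEK that wrapped the DEK; also the GCM AAD for both blobs
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=KeyVersion)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, credential, aad=KeyVersion)
}

func gcm(key []byte) cipher.AEAD { // AES-256-GCM; a wrong key length is a bug, so panic
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
func seal(key, plaintext, aad []byte) []byte { // returns nonce || ciphertext || tag
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) { // tag check covers key, data and aad
	g := gcm(key)
	if len(sealed) < g.NonceSize() { return nil, fmt.Errorf("sealed blob too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// EncryptCredential: fresh DEK per credential, wrapped under keyVersion's KEK; AAD = keyVersion.
func EncryptCredential(kek []byte, keyVersion string, credential []byte) Envelope {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { panic(err) }
	aad := []byte(keyVersion)
	return Envelope{keyVersion, seal(kek, dek, aad), seal(dek, credential, aad)}
}

// DecryptCredential: KEK chosen by the stored version; a retagged version fails the tag check.
func DecryptCredential(keks map[string][]byte, env Envelope) ([]byte, error) {
	kek, ok := keks[env.KeyVersion]
	if !ok { return nil, fmt.Errorf("unknown key version %q", env.KeyVersion) }
	dek, err := open(kek, env.WrappedDEK, []byte(env.KeyVersion))
	if err != nil { return nil, fmt.Errorf("unwrap DEK under %s: %w", env.KeyVersion, err) }
	return open(dek, env.Ciphertext, []byte(env.KeyVersion))
}
```

Because the version string is authenticated rather than merely stored, an envelope whose version field has been rewritten to point at another KEK fails the GCM tag check instead of decrypting to garbage under the wrong key; rotation then means unwrapping each DEK under the old KEK and re-wrapping it under the new version without touching the credential ciphertext.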

Authentication

ShipGenius uses passwordless email sign-in (magic link). We never store a password for any customer — there is no password database for an attacker to dump or crack. Magic-link tokens are short-lived, single-use, and bound to the email address that requested them.

Multi-factor authentication is enforced on every internal ShipGenius account that can access production: source control, deployment platforms, the secrets manager, the database admin console, the identity provider console, and our cloud-hosting dashboards.

Authorization

ShipGenius is multi-tenant from the first row of code. Every record in our database carries an organization identifier, and PostgreSQL Row-Level Security policies enforce that a query running as one organization cannot read another organization's data — even if our application layer has a bug that forgets to filter. This is defense-in-depth: the application checks, and the database checks again.

Our role-based access controls separate customer roles (admin, member) from internal ShipGenius support roles. Internal support access to customer data is gated, time-limited, and logged.

Audit logging

Every sensitive action — sign-in, role change, carrier-credential upload, credential revocation, recovery-claim authorization, admin-mode access — writes an immutable audit-log row. The runtime role our application uses has been explicitly stripped of UPDATE, DELETE, and TRUNCATE privileges on the audit-log tables, so the application itself cannot rewrite history. Audit logs are retained for the life of the customer account plus 90 days.

Backups and disaster recovery

ShipGenius runs continuous point-in-time recovery on our primary database. We can restore the database to any point within the last 35 days, with a recovery-point objective measured in minutes and a recovery-time objective measured in hours. We test the restore procedure quarterly against a staging environment.

Encrypted snapshots are stored in a geographically separate region from our primary database, so a regional outage cannot destroy both copies at once.

Sub-processors

The vendors who host, transmit, and process customer data on our behalf — including our database provider, application host, secrets manager, email provider, and Anthropic for our AI processing — are listed on /subprocessors along with the type of data each one accesses and a link to their own security posture. We review each sub-processor's SOC 2 (or equivalent) report annually.

Anthropic, our AI provider, processes our customers' data under their Enterprise terms — zero retention by default and no training on our customers' prompts or completions. We selected Anthropic Enterprise specifically for these guarantees.

Vulnerability disclosure

We welcome reports of security vulnerabilities. If you believe you've found one, please report it to security@shipgenius.ai. Encrypt sensitive details if you can; we will share a PGP public key on request.

We will acknowledge your report within 48 hours, provide a remediation plan within ten business days for serious findings, and credit you publicly if you'd like — or respect your wish to remain anonymous. We will not pursue legal action against researchers acting in good faith under this policy.

Penetration testing

We will engage an independent firm to conduct an external penetration test on the ShipGenius platform within the first twelve months of operation, with annual retests thereafter. We will publish the summary findings on this page after each test.

Today's status: first penetration test scheduled; report not yet issued.

Incident response

ShipGenius operates a documented incident-response runbook covering detection, triage, customer notification, root-cause analysis, and post-incident review. The runbook is reviewed quarterly. In the event of a security incident that affects your data, we will notify you without undue delay — and within the timelines required by applicable law — with the facts we have, what we are doing about it, and what you should do in response.

Vulnerability and patch management

Our dependency graph is scanned continuously by automated tooling — Dependabot for direct dependencies and Snyk for the transitive graph — with security-only updates applied within seven days of disclosure for high-severity findings. Container base images and operating system packages on our hosted services are rebuilt and redeployed on a regular cadence so we are never running months-old userspace.

People and access

ShipGenius is a small, vetted team. Every employee or contractor with access to production has signed a confidentiality agreement and completed security-awareness training. We follow least-privilege access principles — production database read-write access is restricted, time-limited, and logged, and is never used for casual queries.

Questions

For security questionnaires, requests for our SOC 2 report once issued, or any other security questions, write to security@shipgenius.ai. We respond to questionnaires from prospective customers within five business days.