HAULIC
Dispatch Management
Security & Trust
Haulic is built for transportation operators who need audit-grade traceability, tenant-isolated data, and always-on dispatch availability. Below is an honest summary of the controls in place.
Access & Authentication
- Password policy enforced: 12+ characters, upper/lower/number/symbol required
- MFA (TOTP) available for all user accounts
- Account lockout after repeated failed login or MFA attempts
- Privileged re-authentication required before sensitive exports and admin actions
- Session revocation available per-session from the Security settings page
- CSRF tokens issued on every session; all state-changing requests verified
Data Isolation
- All data is scoped to
company_idat every query layer — no shared tables between tenants - Cross-tenant context switching restricted to master_admin accounts only
- Role-based access control enforced server-side: dispatcher, company_admin, owner, accounting, master_admin
- Export endpoints require privileged re-auth and are rate-limited independently
Audit & Observability
- Immutable audit log written on every load create, update, status transition, driver and truck change
- Security event log tracks failed logins, MFA failures, lockouts, and suspicious activity
- Monthly automated security audits with pass/fail scoring (visible in admin dashboard)
- Tenant safety audit available to master_admin: cross-tenant assignment checks, visibility risk
Infrastructure
- All API traffic flows exclusively through Cloudflare — the origin server is not reachable directly; requests without a valid proxy secret are rejected at the origin
- Frontend served via Cloudflare Workers — DDoS protection, WAF, and edge rate limiting included
- API protected by layered rate limiters: global, auth-specific, and expensive-route budgets
- Attack mode: automatic request throttling activates when anomalous burst traffic is detected
- All traffic over HTTPS; HTTP Strict Transport Security enforced
- Helmet.js security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
Driver Safety & Compliance
- Dispatch hard-lock: trucks with expired annual inspections or
out_of_compliancestatus cannot be assigned to loads - Driver Qualification File (DQF) registry tracks CDL class, med card expiry, MVR status, and Clearinghouse status
- Compliance registry visible to all dispatch roles; hard-locked status surfaced prominently
What we are working on
These items are on our near-term roadmap and not yet complete:
- Admin audit-log query endpoint with date and tenant filters (master_admin only)
- Automated daily database backups with documented restore procedure and measured RTO
- Formal penetration test by a third-party firm (scheduled for pilot graduation)
Responsible Disclosure
Report security issues to security@haulic.app with reproduction details, impact assessment, and affected endpoints. We aim to acknowledge reports within 2 business days.