Purpose-built to replace Trashflow — talk to us about migration →
HaulRouter
Request demo
PlatformSolutionsPricingIntegrationsRequest demo →
Home / Security & Compliance

Security built into
the platform, not bolted on.

You're trusting Haul Router with customer payment methods, 450,000-record customer books and the financial system of record for your business. Here's how that data is protected at every layer.

The fundamentals

Six controls, on every record.

// PAYMENTS

No card data, ever

Credit cards are tokenized through Authorize.net. Card numbers never touch — and are never stored in — Haul Router, keeping your PCI scope to a minimum.

// ISOLATION

Tenant data separation

Row-level scoping isolates every tenant's data automatically on every query. One operating company can never see another's accounts, routes or financials.

// AUDIT

Complete audit trail

Every model change is recorded — who changed what, and when — alongside a high-level activity log of business events. Nothing happens off the record.

// ACCESS

Granular RBAC

Role- and permission-based access control governs view, create, edit, delete, export and print per resource — with temporary, time-boxed role assignments.

// ENCRYPTION

Encrypted in transit & at rest

All traffic is served over TLS and data is encrypted at rest in managed PostgreSQL and S3-compatible object storage.

// IDENTITY

SSO & account protection

Optional SAML/OIDC single sign-on (Azure AD), plus session management, password reset and account-lockout protection for every internal user.

How we operate

Practices behind the controls.

Security isn't a page — it's how the platform is built, deployed and reviewed. A few of the practices we hold ourselves to.

  • OWASP-aligned development. The application is reviewed against the OWASP Top 10, with input validation and output encoding by default.
  • API rate limiting & key auth. Every API integration authenticates with a per-tenant key and is rate-limited to prevent abuse.
  • Managed, backed-up infrastructure. Hosted on managed PostgreSQL with automated backups and point-in-time recovery.
  • Least-privilege by default. New users start with no access; permissions are granted explicitly through roles your admins control.
AUDIT LOG // ACT-100092LIVE
rate change · $32.00 → $34.50j.rivera · 12 Jun 2026 09:14 · 10.2.4.18EDIT
credit applied · 96R recyclingm.chen · approved by supervisorCREATE
payment method updated · tokenizedcustomer portal · card never storedUPDATE
role granted · Dispatch (temp)expires 30 Jun 2026GRANT
Immutable · exportable4 events
Compliance

Need a security questionnaire or DPA completed?

We work with procurement and IT teams at municipalities and enterprise haulers regularly. Reach out and we'll walk your security and compliance requirements through with you — including data-processing agreements, access reviews and deployment details.

Contact our team Developer & API docs