Security at CargIQ

All traffic between your browser and CargIQ is encrypted in transit with TLS (HTTPS). Documents you upload are stored in AWS S3, and data at rest is encrypted using our cloud provider's encryption.

Sign-in uses short-lived access tokens paired with refresh tokens (JWT), so a stolen access token expires quickly.

Inside the app, access is controlled by roles (manager, dispatcher, accountant, and so on) and scoped by company: users can only see and change the data belonging to their own company.

CargIQ runs on Amazon Web Services (AWS), which handles the physical and much of the operational security of the underlying infrastructure. We keep our dependencies updated and apply security fixes as part of normal development.

We use a small set of service providers, each limited to its role:

• AWS — application hosting and document storage.
• Postmark — transactional email.
• OpenAI — AI document extraction (for example, reading rate confirmations to extract load details) when you use those features.
• Samsara — optional telematics integration that you connect yourself.

Security is shared. We recommend that you:

• use a strong, unique password for your CargIQ account;
• assign roles carefully so people only have the access they need;
• remove users promptly when they leave your company.

If you believe you've found a security vulnerability in CargIQ, please email support@cargiq.com with the details. We review every report and will work with you to understand and address the issue. We ask that you give us a reasonable opportunity to fix a problem before disclosing it publicly.

We do not currently operate a paid bug bounty program.