Security and Compliance

Built for rental records that need to hold up later.

Contracts, renter details, damage photos, deposits, and payment records need access control and an audit trail. The technical detail is here for your IT person or MSP.

Security pillars

Technical posture

The technical posture, in plain terms.

Encryption

AES-256-GCM at rest. TLS 1.3 in transit. Application secrets and provider credentials are encrypted before database storage.

Authentication

Shop staff sign in through managed authentication. Renter links use scoped, time-limited access. We do not store a password database for renters.

Data residency

US-only. Every tenant primary database lives in a US data center on Cloudflare D1. We do not replicate FleetLoop customer data outside the US.

Compliance

Where we are on compliance.

What we have, what is in progress, and what is out of scope.

SOC 2 Type II

In progress

Type I report expected Q3 2026. Type II report expected Q4 2026. Both will be available under NDA to Pro+ and Enterprise customers.

GDPR / CCPA

Compliant

Data deletion on request, data export on request, and a documented Data Processing Addendum available for customers handling EU or California residents.

PCI

Processor scoped

Card data is handled by the payment processor. FleetLoop stores payment event records and processor references, not full card numbers.

Security questions

Frequently asked

Where is shop and renter data physically stored?

In the United States. The primary database for every FleetLoop tenant lives in a US data center on Cloudflare D1. We do not replicate or store FleetLoop customer data outside the US.

How are payment credentials protected?

Card data is tokenized by the payment processor and never touches our infrastructure. Provider credentials are encrypted at the application layer before they hit the database.

Can I delete a renter record on request?

Yes. Renter records, rental agreements, vehicle photos, and payment events can be deleted from the dashboard. Deletion is propagated to backups within 30 days per our retention policy.

Do you do penetration testing?

We run annual third-party penetration testing starting in Q3 2026, in addition to automated scanning. Test results are available under NDA on Pro+ and Enterprise plans.

What happens if there is a breach?

We have a documented incident response plan that includes customer notification within 72 hours for any incident affecting your data, root-cause analysis within 14 days, and a remediation plan.

Can I export my data?

Yes. CSV export of rentals, renters, vehicles, deposits, payment events, and damage records is available on Pro+. There is no charge for export and no lock-in.

Talk to our team about your specific security needs.

If you have a procurement checklist, insurance requirement, or data retention question, we will work through it with you directly.
