How DriverReady protects your driver records
All sensitive driver fields — CDL numbers, dates of birth, contact information — are encrypted using AES-256-GCM at the field level. This means each value is individually encrypted before it reaches the database, not just protected by disk-level or database-level encryption. Even if the underlying storage were compromised, the encrypted fields would remain unreadable without the encryption keys.
All data transmitted between your browser and DriverReady is encrypted in transit using TLS 1.2 or higher. This applies to every API request, file upload, and document download.
DriverReady enforces role-based permissions at every level of the application. There are three customer-facing roles — Super Admin, Client Admin, and Client Viewer — each with carefully scoped access to data and actions. Admins can manage drivers and documents; Viewers can see records but cannot modify them.
Every API request is authenticated and scoped to the employer account that owns the data. Cross-tenant data access is not possible by design. A user in Company A cannot see, query, or reference any data belonging to Company B, regardless of how requests are constructed.
Passwords are hashed using bcrypt with a cost factor of 12, making brute-force attacks computationally impractical. Password reset tokens and document request links use cryptographically random values that are single-use and expire after 15 minutes.
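A sketch of how single-use, 15-minute reset tokens of the kind described above can be enforced server-side. This is an added example, not DriverReady's code: the `ResetTokenStore` class, the in-memory dict standing in for a database table, storing only a SHA-256 digest of each token, and revoking a user's earlier tokens on re-issue are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # 15-minute lifetime, as stated on the page


class ResetTokenStore:
    """Hypothetical in-memory stand-in for a table of pending reset tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry can be tested
        self._pending = {}    # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Only the digest is stored (assumption), so a leaked table does not
        # hand out working reset links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        # Assumption: requesting a new token revokes the user's earlier ones.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 32 bytes (256 bits) from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token: str):
        """Return the user_id once for a valid, unexpired token, else None."""
        # pop() deletes the entry on first presentation, valid or expired,
        # which is what makes the token single-use.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("user-123")          # constructed sample user id
    print(store.redeem(link_token))               # first use succeeds
    print(store.redeem(link_token))               # replay is rejected
```

In a real database the lookup and delete in `redeem` need to be one atomic statement, so that two concurrent requests cannot both redeem the same token.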
Sessions expire after 8 hours of activity. If a user is inactive for 30 minutes, the session is automatically terminated and the user must re-authenticate. These timeouts are enforced server-side and cannot be bypassed by the client.
DriverReady is hosted on Amazon Web Services (AWS) infrastructure located in the United States. We use EC2 for application hosting, RDS for managed PostgreSQL databases, and S3 for encrypted document storage. All database backups are encrypted at rest.
Application secrets — database credentials, API keys, encryption keys — are managed through AWS SSM Parameter Store and are never hardcoded in application code or committed to version control.
Every significant action in DriverReady is recorded in an immutable audit log. This includes document uploads, access grants, data exports, login events, permission changes, and administrative actions. Audit logs capture the action type, the user who performed it, and the entity affected — but they do not store personally identifiable information (PII) in the log entries themselves, only entity IDs.
Audit logs are available to account administrators within the DriverReady dashboard and can be exported for your own compliance records.
If you believe you have found a security vulnerability in DriverReady, please contact us at hello@driverready.net before public disclosure. We take all reports seriously and will respond within 48 hours. We ask that you give us a reasonable amount of time to address the issue before sharing details publicly.