Security & compliance
Built for EU freight.
Built for GDPR.
Shipment data contains commercially sensitive information — cargo values, trading partner identities, T1/T2 transit document contents, and route patterns. RouteLyft's infrastructure is designed with EU data residency (Frankfurt region), AES-256 encryption at rest and TLS 1.3 in transit, GDPR Article 28 DPA availability, and strict minimal-retention policies.
Security controls
How we protect your freight data
EU-only data residency
All RouteLyft data is stored and processed on servers located in the EU. We do not transfer freight data outside the European Economic Area. Our infrastructure is hosted on EU-region cloud zones.
Encryption at rest and in transit
All data at rest is encrypted using AES-256. All data in transit uses TLS 1.2 or higher. API keys and credentials are encrypted and never stored in plaintext. Webhook payloads are signed with HMAC-SHA256.
Role-based access control
Account access is governed by role-based permissions. Admin users can configure which team members can view, export, or configure shipment data. All permission changes are logged with user attribution and timestamp.
Minimal data retention
Shipment event data is retained for 90 days by default, then purged automatically. Accounts can request shorter retention windows. We retain only what's operationally necessary and nothing more.
GDPR-native from day one
RouteLyft is built to comply with GDPR as a data processor. Our privacy policy, DPA templates, and data handling practices are designed in collaboration with our legal counsel. We do not sell data to third parties.
Data Processing Agreement (DPA)
All customers can request a Data Processing Agreement with RouteLyft GmbH, in compliance with GDPR Article 28. DPAs are available on all paid plans. Contact [email protected] to request one.
Access controls
Who can see your data
RouteLyft customer data is strictly siloed by account. RouteLyft staff can only access customer data in the following circumstances: direct customer support request, legal obligation, or security incident response. All internal access is logged.
- Customer data is account-siloed — no cross-account visibility
- RouteLyft staff access is logged with user + reason
- No advertising, analytics, or data brokering use of customer data
- Carrier API credentials stored encrypted, not accessible to RouteLyft staff
Incident response
Security issue? Write to us directly.
If you discover a security vulnerability in RouteLyft, please contact Mia Köhler, CTO, directly at [email protected] with the subject line "Security Report". We commit to acknowledging all security reports within 24 hours and resolving confirmed vulnerabilities within 14 days.
Security contact
Email: [email protected]
Response SLA: 24-hour acknowledgement, 14-day resolution
Questions about data handling or compliance?
Write to us directly. We respond to every message.