Bank-grade security
Your wireless bills contain account numbers, addresses, and line-level usage. We treat them like the sensitive financial documents they are. Here is exactly what we do to protect them.
Every request between your browser, our app, and our backend is encrypted with modern TLS. HTTP is redirected to HTTPS and HSTS is enforced.
Uploaded bills, parsed line data, and reports are stored on managed Postgres and object storage with AES-256 encryption at rest. Backups are encrypted with the same standard.
Every database table is protected by row-level security policies scoped to your user id. You can only ever read or modify your own audits, bills, and reports — verified server-side.
Service credentials, AI provider keys, and Stripe keys are kept in a secrets vault and only injected at runtime. They are never exposed to the browser bundle.
Outbound webhook deliveries are HMAC-signed. Receivers can verify the signature using a secret shown only once at creation — signing secrets are never stored in plaintext or shown again.
Payments are processed by Stripe, a PCI-DSS Level 1 service provider. Card numbers never touch our servers — we only see a tokenized reference.
New and changed passwords are checked against the Have I Been Pwned database. Accounts cannot be created or rotated to a password that has appeared in a known breach.
Passwords must be at least 12 characters and include uppercase, lowercase, a number, and a symbol — enforced on signup and password reset.
Data handling
- Uploaded PDFs are parsed in an isolated server runtime and stored in a private object store. Only your account can request a signed URL to read them.
- Reports are generated server-side and stored encrypted at rest. Public sharing requires you to explicitly create a share token, which you can revoke at any time.
- We never sell your data, never share it with carriers, and never use your bills to train third-party AI models.
- You can delete an audit and its underlying bill at any time from your dashboard.
Report a vulnerability
If you believe you have found a security issue, please email security@carrieraudit.io. We respond to verified reports within two business days.