Security
How we protect your account and data.
Infrastructure
CarrierMetric runs on Google Cloud Platform, leveraging enterprise-grade infrastructure with built-in redundancy, automated backups, and physical security controls across Google's data centers.
- Compute: Google Cloud Run (serverless containers)
- Data Storage: Google BigQuery and Cloud Firestore with encryption at rest
- Static Assets: Firebase Hosting with global CDN
- Secrets: Google Cloud Secret Manager for all API keys, credentials, and sensitive configuration
Encryption
- In Transit: All connections use HTTPS/TLS. HSTS is enforced with a one-year max-age policy. HTTP connections are automatically redirected to HTTPS.
- At Rest: All data stored in Google Cloud is encrypted at rest using AES-256 by default.
Authentication
- Firebase Authentication: Email/password authentication handled by Firebase Authentication. Password hashing and storage are done by Firebase (which uses Google's modified scrypt), not by CarrierMetric's own code.
- Multi-Factor Authentication: SMS-based MFA available for all users, with recovery codes for backup access
- Session Management: Firebase ID tokens, which are short-lived (they expire after one hour) and are refreshed transparently by the Firebase client SDK
- Inactivity Timeout: Sessions automatically expire after 30 minutes of inactivity
API Security
- Key Hashing: API keys are hashed using BLAKE2b before storage. Raw keys are displayed once at generation and cannot be retrieved.
- Constant-Time Comparison: API key validation compares the BLAKE2b hash of the presented key against the stored hash using a constant-time comparison function (HMAC-style), so response timing does not reveal how many leading bytes of a guess were correct
- Rate Limiting: Per-key sliding window rate limits (60 requests/minute, 500 requests/day) with burst protection
- IP Logging: API request logs store hashed IP addresses, not raw IPs
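As an added illustration of the key-hashing, constant-time-comparison and hashed-IP bullets above (example code written for this page, not CarrierMetric's own implementation), the Python below generates a key, stores only its BLAKE2b hash, verifies a presented key without a timing side channel, and hashes client IPs for logs. The `cm_<id>_<secret>` key layout, the in-memory dict standing in for the key store, and the pepper value are assumptions. One design point: unkeyed BLAKE2b is enough for the API key itself because the key carries 32 bytes of randomness, but an IPv4 address has only 32 bits, so a log-side hash of an IP needs a server-held pepper (keyed BLAKE2b here) or anyone holding the log can recover the addresses by hashing the whole address space.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed key layout "cm_<key_id>_<secret>": key_id is a public lookup handle,
# the secret part carries the entropy. Only key_id and the hash are stored.
KEY_PREFIX = "cm"

# Constructed pepper for IP hashing; in deployment this would come from
# Secret Manager, never from source code.
IP_HASH_PEPPER = b"constructed-demo-pepper-do-not-reuse"


def hash_api_key(raw_key: str) -> str:
    """Unkeyed BLAKE2b-256 of the full raw key. No salt or pepper is needed
    because the secret part is 32 random bytes, which defeats precomputation."""
    return hashlib.blake2b(raw_key.encode("utf-8"), digest_size=32).hexdigest()


def generate_api_key() -> Tuple[str, str, str]:
    """Return (raw_key, key_id, key_hash). The raw key is shown to the user
    once; the server persists only key_id -> key_hash."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    raw_key = f"{KEY_PREFIX}_{key_id}_{secret}"
    return raw_key, key_id, hash_api_key(raw_key)


# Hash compared against when the key_id is unknown, so an invalid id costs the
# same hash-plus-compare as a valid one and does not reveal which ids exist.
_DUMMY_HASH = hash_api_key("cm_00000000_dummy")


def verify_api_key(presented: str, store: Dict[str, str]) -> Optional[str]:
    """Return the key_id if `presented` matches its stored hash, else None.
    hmac.compare_digest runs in time independent of where the hashes differ."""
    parts = presented.split("_", 2)  # the secret part may itself contain '_'
    if len(parts) != 3 or parts[0] != KEY_PREFIX:
        return None
    key_id = parts[1]
    stored = store.get(key_id, _DUMMY_HASH)
    matches = hmac.compare_digest(hash_api_key(presented), stored)
    return key_id if matches and key_id in store else None


def hash_ip_for_log(ip: str, pepper: bytes = IP_HASH_PEPPER) -> str:
    """Keyed BLAKE2b of a client IP for request logs. Without the pepper a log
    reader could recover IPv4 addresses by hashing all 2^32 of them."""
    return hashlib.blake2b(ip.encode("utf-8"), key=pepper, digest_size=16).hexdigest()


if __name__ == "__main__":
    raw, kid, digest = generate_api_key()
    store = {kid: digest}
    print("raw key (shown once):", raw)
    print("valid:", verify_api_key(raw, store))
    print("tampered:", verify_api_key(raw[:-1] + "!", store))
    print("log ip:", hash_ip_for_log("203.0.113.5"))
```

The key id lets the server find the right record with an ordinary lookup while the secret part is only ever compared in constant time; an unknown id still goes through a hash and a compare against a dummy value, so "no such key" and "wrong key" take the same time.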
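An added example (written for this page, not CarrierMetric's own code) of the per-key sliding-window rate limits: a sliding-window-log limiter carrying the page's 60 requests/minute and 500 requests/day limits. The 10-per-second burst window, the in-memory store and the injectable clock are assumptions; the clock is injected so the behaviour can be driven deterministically. A deployment on Cloud Run would keep the counters in a shared store such as Redis or Firestore, since each container instance has its own memory.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

# (window_seconds, max_requests). 60/minute and 500/day come from the page;
# the 10-per-second burst window is an assumed illustration of "burst protection".
DEFAULT_LIMITS: List[Tuple[float, int]] = [(1.0, 10), (60.0, 60), (86400.0, 500)]


class SlidingWindowLimiter:
    """Sliding-window-log limiter: per key, keep the timestamps of accepted
    requests and re-count them against every window on each call. Because the
    longest window caps entries at 500 per key, memory stays bounded."""

    def __init__(self, limits: List[Tuple[float, int]] = DEFAULT_LIMITS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limits = sorted(limits)  # shortest window first
        self.clock = clock  # injectable so behaviour can be tested deterministically
        self._log: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key_id: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Rejected requests are not recorded, so a
        client hammering the API cannot extend its own lockout."""
        now = self.clock()
        log = self._log[key_id]
        longest_window = self.limits[-1][0]
        while log and now - log[0] >= longest_window:
            log.popleft()  # fell out of every window
        for window, limit in self.limits:
            recent = 0
            for stamp in reversed(log):  # newest first, stop at first stale entry
                if now - stamp >= window:
                    break
                recent += 1
            if recent >= limit:
                return False, f"{limit}/{int(window)}s exceeded"
        log.append(now)
        return True, "ok"


if __name__ == "__main__":
    limiter = SlidingWindowLimiter()
    for i in range(12):
        print(i + 1, limiter.allow("demo-key"))
```

Unlike a fixed-window counter, this cannot be gamed by sending a full quota at the end of one minute and another full quota at the start of the next: every request is judged against the trailing 60 seconds and 24 hours.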
Application Security
- Security Headers: X-Content-Type-Options, X-Frame-Options (DENY), X-XSS-Protection, Referrer-Policy, and Permissions-Policy headers on all responses
- CORS: Cross-origin requests restricted to carriermetric.com origins only
- Input Validation: All user inputs are validated and sanitized server-side. User-supplied content is HTML-escaped when rendered, to prevent XSS.
- CSRF Protection: Authentication uses stateless Firebase ID tokens that the client attaches to each request, rather than an ambient session cookie that the browser would send automatically. A cross-site request therefore cannot carry a victim's credentials, so cross-site request forgery does not apply.
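An added example for the security-header and CORS bullets (written for this page; the header values, the HSTS line and the origin list are assumptions, as the page names only the headers and says cross-origin requests are restricted to carriermetric.com origins). The point it demonstrates is that a CORS origin allowlist must be an exact match: a suffix test such as `origin.endswith("carriermetric.com")` accepts `https://evilcarriermetric.com`, and a prefix test accepts `https://carriermetric.com.attacker.example`.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed exact-match allowlist. Origins are scheme + host (+ port), never a path.
ALLOWED_ORIGINS = {
    "https://carriermetric.com",
    "https://www.carriermetric.com",
    "https://app.carriermetric.com",
}

# Assumed values for the headers the page lists, plus HSTS with a one-year max-age.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    # Legacy header: modern guidance is to disable the old XSS auditor ("0")
    # because it could be abused in browsers that still implement it.
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def cors_origin(request_origin: Optional[str]) -> Optional[str]:
    """Return the value to echo in Access-Control-Allow-Origin, or None.
    Only https origins that exactly match the allowlist are accepted; the
    host is lower-cased before comparison because hostnames are case-insensitive."""
    if not request_origin:
        return None
    parts = urlsplit(request_origin)
    if parts.scheme != "https" or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None  # a real Origin header never carries a path
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    return normalized if normalized in ALLOWED_ORIGINS else None


def build_response_headers(request_origin: Optional[str] = None) -> Dict[str, str]:
    """Headers to attach to every response. CORS headers are added only for an
    allowlisted Origin, and Vary: Origin stops a shared cache from replaying one
    origin's answer to another."""
    headers = dict(SECURITY_HEADERS)
    allowed = cors_origin(request_origin)
    if allowed:
        headers["Access-Control-Allow-Origin"] = allowed
        headers["Vary"] = "Origin"
    return headers


if __name__ == "__main__":
    for origin in ("https://app.carriermetric.com",
                   "https://evilcarriermetric.com",
                   "https://carriermetric.com.attacker.example",
                   "http://carriermetric.com"):
        print(origin, "->", build_response_headers(origin).get("Access-Control-Allow-Origin"))
```

A wildcard `Access-Control-Allow-Origin: *` is never emitted here: with credentialed requests browsers reject it anyway, and echoing an exact allowlisted origin is the only configuration that keeps the restriction meaningful.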
Data Handling
- Minimal PII: We collect only the information necessary to operate the Service — name, email, and phone number for MFA. We do not store payment card data (handled by Stripe).
- Carrier Data: All carrier data is sourced from publicly available FMCSA records. No private or proprietary carrier information is collected or stored.
- Log Retention: Usage and API logs are retained for 90 days and then automatically deleted.
Access Controls
- Role-Based Access: User and admin roles with tier-based feature gating
- Firestore Security Rules: Document-level ownership enforcement — users can only access their own data
- Non-Root Containers: Production containers run as a non-root user
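An added Firestore security rules fragment (not CarrierMetric's actual rules; the collection names and the ownerUid field are assumptions) showing the document-level ownership enforcement described above, with the common too-permissive form left in as a comment for contrast:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak form (for contrast): any signed-in user can read and write every
    // other user's profile, because only authentication is checked.
    // match /users/{userId} {
    //   allow read, write: if request.auth != null;
    // }

    // Ownership check: the document id must equal the caller's uid. The
    // {document=**} wildcard is needed because rules do not cascade to
    // subcollections on their own; in rules_version 2 it also matches the
    // user document itself.
    match /users/{userId}/{document=**} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Collection whose documents carry an ownerUid field (assumed name):
    // reads and deletes check the stored owner, creates check the incoming
    // owner, and an update may not reassign the document to someone else.
    match /apiKeys/{keyId} {
      allow read, delete: if request.auth != null
                          && resource.data.ownerUid == request.auth.uid;
      allow create: if request.auth != null
                    && request.resource.data.ownerUid == request.auth.uid;
      allow update: if request.auth != null
                    && resource.data.ownerUid == request.auth.uid
                    && request.resource.data.ownerUid == resource.data.ownerUid;
    }
  }
}
```

Rules are evaluated per document, so the check must be written on every path a client can reach; the Firebase emulator's rules unit-test harness is the place to assert that user A cannot read or write user B's documents before deploying.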
Responsible Disclosure
If you discover a security vulnerability in CarrierMetric, we appreciate your help in disclosing it responsibly. Please email support@carriermetric.com with the subject line "Security Report" and include:
- A description of the vulnerability
- Steps to reproduce the issue
- Any potential impact assessment
We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
Questions
For security-related questions, contact support@carriermetric.com.