AssureLiner is built for enterprise shipping and logistics — where a single compromised BL or leaked rate sheet costs more than the software. Here's what we do about it.
Every framework below is backed by evidence you can request, not marketing copy. Certified means an audit report exists. Aligned means the controls are implemented and internally audited, awaiting external audit.
Information Security Management System
Environmental Management
Occupational Health & Safety
Payment card data protection (where applicable)
Security, Availability, Confidentiality
CIS Critical Security Controls v8
EU General Data Protection Regulation, India DPDP Act
Privacy Information Management (PIMS)
Encrypted in flight and at rest. Tenant-isolated by design.
TLS 1.3 for all external traffic. mTLS between services inside the trust boundary.
AES-256 on databases, object storage, backups, and log stores.
Customer master keys in AWS KMS / Azure Key Vault / GCP KMS with HSM backing. Key rotation automated.
Logical isolation by default; dedicated databases and VPCs available on Enterprise and Revenue-share tiers.
Export in Parquet / CSV / JSON on 30-day notice. Hard-delete workflows with tombstone proof.
Point-in-time recovery up to 35 days. Cross-region replicated backups, quarterly restore drills.
SSO, MFA, RBAC — with evidence on every action.
Integrates with Okta, Azure AD, Google Workspace, Ping, and custom IdPs.
TOTP, FIDO2 / WebAuthn, and SMS fallback — configurable enforcement per role.
Role, scope, and attribute-based policies across every module. No implicit admins.
Lifecycle automation — joiner, mover, leaver — from your IdP.
Time-bound elevation for production support with approval chain and auto-revoke.
IP allow-lists, geo controls, device posture checks, configurable session TTL.
Shift-left SDLC. Tests, scans, and reviews baked into CI.
Threat modelling on new modules. Mandatory peer review. Signed commits.
SAST on every PR; dependency scanning with severity gates; SBOM generated per build.
DAST on staging; container image scanning in registry; runtime admission controls.
Annual CREST-accredited pentest; remediation SLAs by severity; reports available under NDA.
Private bug bounty with triaged disclosure; payout tiers aligned to CVSS.
HashiCorp Vault / cloud KMS-backed. No secrets in repo, in env files, or in container images.
Segmented, monitored, recoverable.
No implicit trust between services. Identity-bound, mTLS-validated, policy-gated.
Cloudflare / AWS Shield on all public edges. Managed WAF rulesets + custom rules.
PrivateLink / VPC peering / IP allow-lists for enterprise customers who want to avoid the public internet.
Dev, staging, and production in separate accounts with no shared identity or data.
All infra as code (Terraform). No snowflake servers. Changes go through CI with approval.
OS + dependency patching SLAs: Critical ≤ 72h, High ≤ 14d, Medium ≤ 30d.
See everything. Respond fast. Recover cleanly.
SIEM with managed detection & response. Anomaly detection across auth, data-plane, and network.
Documented IR playbooks. On-call rotation. Customer notification within 72 hours of confirmed breach.
RTO ≤ 4h, RPO ≤ 15 min for Enterprise tier. Tested quarterly with published results.
All production changes via CI/CD pipeline, peer-reviewed, with automated rollback.
Annual security + privacy training, mandatory for all staff. Phishing drills quarterly.
Pre-employment background checks for all roles with data-plane access.
Explainable. Approvable. Auditable. And never trained on your data.
Customer data is never used to train shared foundation models. Private fine-tunes stay private — with written data use terms.
High-stakes AI recommendations route through Approval Workflows; no silent auto-action by default.
Every recommendation includes inputs, weights, confidence, and a drill-down trail.
Every production model is versioned, documented, and tied to a change-approval ticket.
Adversarial + regression eval suites run on every model promotion; results attached to release.
Inference runs against tenant-isolated data stores; no cross-tenant leakage through prompts or embeddings.
Your data, your call. Audit-ready by default.
Standard DPA with GDPR / DPDP-compliant SCCs. Custom DPAs available for Enterprise.
Access, rectification, erasure, portability — fulfilled within statutory windows.
Consent tracked per data subject, purpose, and timestamp — retrievable for regulator review.
Every data-plane action is logged and tamper-evident. Customer-accessible audit exports.
Deployments in US, EU, UK, India, Singapore, Australia. Regional pinning per tenant.
Public, versioned sub-processor list. 30-day advance notice of changes.
Tier-1 cloud. Audited vendors. Documented supply chain.
AWS / Azure / GCP regions with their own SOC 2 / ISO 27001 / PCI certifications.
Annual reviews of critical sub-processors; SLA + security posture tracked.
Managed EDR on all staff devices; device posture checks for production access.
Badge-access offices with visitor logging at delivery centres.
Certified secure destruction of decommissioned storage media with certificates of destruction.
Every AI recommendation in AssureLiner ships with explanation, confidence, approval chain and an audit trail — because a black-box decision on a 20,000-TEU voyage is a liability, not a feature.
Customer data is not used to train shared models. Private fine-tunes stay private.
High-stakes AI actions route through the same approval chain you already use.
Every AI recommendation, input, and decision is logged and available for drill-down.
Adversarial + regression suites on every model promotion. Results attached to release.
Inference runs in tenant-isolated stores. No cross-tenant leakage.
No silent auto-action by default. Autonomy is a per-customer, per-use-case decision.
Security questionnaires, audit reports, penetration-test summaries, sub-processor lists, DPAs — available under NDA to enterprise prospects and customers.
Tell us your role and engagement stage — we'll send the right pack with an NDA template.
Requests are answered within one business day.
Yes — evidence packs (audit reports, penetration-test summaries, SOC 2 Type II once issued) are available under NDA. Request via the trust center or your account team.
Yes. SAML 2.0 and OIDC SSO are included at the Business tier and above. SCIM provisioning is included on Enterprise and Revenue-share tiers.
You pick the region — US, EU, UK, India, Singapore, or Australia. Cross-region replication only with explicit consent; sub-processor list and region are disclosed in the DPA.
We don't train shared models on customer data. High-stakes AI recommendations go through Approval Workflows. We version, document, and red-team every production model.
We notify affected customers within 72 hours of confirmation with impact, root cause, corrective actions, and preventive commitments. Post-mortems available on request.
BYOC (AWS, Azure, GCP) at Enterprise subscription. Private cloud and on-prem under Project and Revenue-share engagements.
Yes. We welcome customer-run pen tests against staging environments on scheduled windows, with a signed scope and rules-of-engagement.
Our compliance stack covers the common ground (ISO 27001, SOC 2, PCI-DSS, CIS). For regulated deployments we bring jurisdiction-specific controls, regional hosting, and evidence packs mapped to the regulator's framework.
Bring your questionnaire — we'll turn it around in a week. No vendor-speak, no hiding.