Security at Voyagers
Voyagers handles sensitive freight and commercial data: customer lists, pricing, rates, shipment records. Here is how we protect it.
1. Your data is encrypted
In transit: All traffic between your browser and our servers travels over HTTPS/TLS. We enforce HTTPS via HTTP Strict Transport Security (HSTS) and reject all unencrypted connections.
At rest: All data is stored in our managed cloud database with AES-256 encryption at rest. Encryption is applied at the storage layer — data on disk is unreadable without provider-managed encryption keys.
Passwords: User passwords are never stored. We store only a one-way bcrypt hash. Even our engineers cannot retrieve a password.
2. Your data is isolated from other companies
Voyagers is a multi-tenant platform. Every API request is scoped to the authenticated account at the database query level — not just the user interface. A freight forwarder using Voyagers cannot access another company's rates, customer list, quotes, or shipments under any circumstances, including by guessing document IDs. We have verified this against the OWASP API Security standard, specifically API1: Broken Object Level Authorization.
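The difference between scoping at the query level and looking a record up by ID alone can be shown in a short added example. This is not Voyagers' code; the `quotes` table, its columns, the function names, and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data: two tenants (accounts 100 and 200), hypothetical schema.
ROWS = [(1, 100, "LKR 410/cbm"), (2, 100, "LKR 395/cbm"), (3, 200, "USD 1200/TEU")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE quotes (id INTEGER PRIMARY KEY, "
               "account_id INTEGER NOT NULL, rate TEXT NOT NULL)")
    db.executemany("INSERT INTO quotes VALUES (?, ?, ?)", ROWS)
    return db

def get_quote_by_id_only(db, account_id, quote_id):
    """Weak form: the caller's account is ignored, so any valid ID is returned."""
    return db.execute("SELECT id, account_id, rate FROM quotes WHERE id = ?",
                      (quote_id,)).fetchone()

def get_quote_scoped(db, account_id, quote_id):
    """Scoped form: the tenant filter is part of the query itself.
    account_id must come from the authenticated session, never from the request."""
    return db.execute(
        "SELECT id, account_id, rate FROM quotes WHERE id = ? AND account_id = ?",
        (quote_id, account_id)).fetchone()

def cross_tenant_leaks(db, fetch):
    """Regression check: every tenant requests every ID; report each
    (caller, quote_id) pair where the returned row belongs to another account."""
    accounts = [r[0] for r in db.execute(
        "SELECT DISTINCT account_id FROM quotes ORDER BY account_id")]
    ids = [r[0] for r in db.execute("SELECT id FROM quotes ORDER BY id")]
    leaks = []
    for caller in accounts:
        for quote_id in ids:
            row = fetch(db, caller, quote_id)
            if row is not None and row[1] != caller:
                leaks.append((caller, quote_id))
    return leaks

if __name__ == "__main__":
    db = make_db()
    print("id-only lookup leaks:", cross_tenant_leaks(db, get_quote_by_id_only))
    print("scoped lookup leaks: ", cross_tenant_leaks(db, get_quote_scoped))
```

A sweep like `cross_tenant_leaks` is suited to an automated test suite, so that a new endpoint that omits the tenant filter fails the build.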
3. Access inside your organisation is controlled and logged
Role-based access control: Permissions are granular and role-based, with separation of duties between sales, operations, and procurement. Account owners assign and revoke permissions; access is enforced at the database query level for every request, not just in the user interface.
Audit logging: Every login, password change, user creation, shipment action, and role modification is written to an immutable audit log with timestamp, user ID, and IP address. Access to your data leaves a record.
4. Brute-force and automated attack protection
Rate limiting and lockout: Authentication endpoints are rate-limited and protected by automatic account lockout with backoff. Suspicious patterns are throttled at the edge.
Session security: Authentication cookies are httpOnly (inaccessible to JavaScript), Secure (HTTPS only), and SameSite=Strict (prevents cross-site submission).
5. Access by Voyagers staff
Voyagers staff access to your account data requires authentication and is restricted to support and operational personnel under role-based access control. All staff actions are written to the audit log.
6. Incident response
In the event of a confirmed data breach affecting your account data, we will:
- Notify affected account owners within 72 hours of discovery
- Provide a written incident report within 14 days
- Cooperate fully with any regulatory notification requirements
7. Infrastructure
Voyagers runs on enterprise-grade cloud infrastructure: managed database with point-in-time backups, application hosting with TLS termination, encrypted object storage, and authenticated email delivery. All providers are bound by data processing obligations and have no operational access to your business data beyond what their service requires.
Specific sub-processors and their data residency are documented in our Data Processing Agreement, available on request to support@voyagersonline.com.
8. Compliance roadmap
| Standard | Status |
|---|---|
| OWASP Top 10 (Web + API) | Implemented and verified |
| GDPR-aligned controls | Data minimisation, audit logs, 72-hr notification, right to deletion |
| Data Processing Agreement | Available on request |
| SOC 2 Type II | Planned, building toward first audit |
| ISO 27001 | Future roadmap |
| Penetration testing | Annual third-party pen test planned |
9. Data retention and deletion
On contract termination, we will delete all your data within 30 days upon written request. A Data Processing Agreement (DPA) formalises this commitment.
| Data type | Retention |
|---|---|
| Account and user data | 30 days after account deletion |
| Quote and shipment records | 7 years (business/legal compliance) |
| Audit logs | 3 years |
| Encrypted backups | Up to 90 days |
Security questions or vulnerability reports
For security questions or to request a Data Processing Agreement:
support@voyagersonline.com
To report a security vulnerability, email support@voyagersonline.com with subject line [SECURITY]. We will acknowledge reports within 48 hours.
Last updated: April 2026. Voyagers Online (Pvt) Ltd, incorporated in Sri Lanka.