Security & control · Built for the top 100 US shippers

Your freight.
On the record.

Every decision and every action on your loads is logged, reproducible, and yours to read — load by load, before and after the fact. A human signs before anything irreversible, carriers are vetted before any rate-con, and your data sits in its own isolated environment. No black box, no 'trust us' — the same record your CFO, your board, and your auditor can read, exactly as it stands.

  • 5 human gates: nothing irreversible unsigned
  • 100% audit coverage: hand it to your CFO
  • FMCSA carrier vetting: authority + safety · 45-point fraud library
  • 48h banking cooling: on any change to where money goes

Posture

  • Server-side tenant scoping
  • Frozen prompts · SHA-256
  • OpenTelemetry traces
  • Inngest durable queue
  • FMCSA-verified carriers
  • 48-hr banking cooling

What you control

Visibility you don't have to ask for.

Security here is not a posture statement you file away. It is a record you can get on any load — the receipts on every load, a signature on anything that can't be undone, and the same vetting on every carrier whether or not anyone is watching.

100% logged

A complete record on every load

Every load's full record — timestamped decisions, actions, and verification results — is logged and yours to get, load by load. No black box.

5 human gates

Sign before it's irreversible

Five points in the workflow stop and wait for a person — dispatch, banking changes, and more. The work runs unattended; it never moves money unsupervised.

Shown, not asserted

See the rate, not the black box

The sell-side rate is shown on every load, not buried. Transparency is the trust play, not a thing you have to pry loose.

Tenant-scoped, every query

Keep your data isolated

The platform runs on its own dedicated, isolated database — never shared with another product — and every portal query is scoped to your account on the server. Shipper and carrier surfaces are projected through typed views that structurally cannot carry another customer’s pricing or records.

Human gates

A person signs before anything irreversible.

The system runs the loose ends so your team doesn't have to — but five points in the workflow stop cold and wait for a human signature. Money never moves unattended.

Gate 1 · Dispatch approval

No rate confirmation goes to a carrier until a dispatch is approved on the record. There is no path around it — the workflow refuses to commit coverage without the sign-off.

Gate 2 · 48h · Banking-change cooling

Any change to where a carrier gets paid triggers a 48-hour cooling period plus identity re-verification against the FMCSA-registered phone before it can apply.

Gate 3 · Voice load scope

On a phone call, the system can only touch the one load the caller was verified against. Two-factor verification at the start; hard caps on what can be quoted or changed.

Gate 4 · Prompt activation

Nothing that changes how the system reasons goes live without an approver on the record. Frozen, versioned, and signed — drift cannot ship itself.

Gate 5 · Outreach launch

No outbound sequence sends until a named person authorizes the launch. There is no headless send path; a human owns every campaign that goes out.

The audit trail

An audit trail you can hand to your CFO.

100% audit coverage. Every decision and action on your freight is written to the record with its inputs, its checks, and its outcome. Sensitive fields are redacted at the boundary as a matter of policy, but the load's full decision record is yours to get for any load — hand it to your CFO, your board, or your auditor exactly as it stands.

Run a live quote and watch it build
operator.throughline / audit / TLN-Q-48211 · Sample · 100% logged
audit_reports · row · 2026-04-27

  request: TLN-Q-48211
  lane: Detroit, MI → Dallas, TX
  decision: quote priced · capacity read
  checks: FMCSA authority + safety
  fraud_screen: 45 patterns · 0 flags
  latency_ms: 1842
  result: $2,440 · 78% capacity
  gate_required: dispatch_approval
  signed_by: J. Rivera · ops

Sample record — every decision + action on a load, logged and yours to get.

Carrier verification

We vet the carrier before the rate-con — not after.

The carrier that shows up at your dock is the carrier we vetted. Identity, authority, and fraud exposure are checked against FMCSA authority and safety data and screened against a 45-point fraud-pattern library before we book — with Highway and Carrier411 layering in as we enable them.

  • FMCSA authority + safety on every carrier: FMCSA authority, safety, and history checked on every carrier — with deeper third-party verification (Highway, Carrier411) layered in as we enable it. Not our own say-so.
  • 45 fraud patterns screened: Phone-port flags, day-old MC numbers, banking churn, and more — a 45-point fraud-pattern library screened before we book.
  • FMCSA phone match: On an inbound call, the caller is screened against the carrier-on-record's FMCSA-registered number — a mismatch raises the fraud risk score — and identity itself is established by two-factor reference verification.
  • 48-hour banking cooling period: Any change to where a carrier is paid waits 48 hours and re-verifies identity before it can take effect.
  • Negotiation never weakens vetting: A carrier that fails any layer is rejected regardless of how good the rate looks. The buy-side never buys an exception.

Data isolation & integrity

Isolated by default. Inspectable on demand.

The platform is built so a security team can verify the claims, not just read them. Your environment is walled off, the reasoning is frozen and checksummed, and every action carries a trace.

Data isolation
Dedicated database, isolated schema

Each environment runs on its own dedicated Supabase project in an isolated schema that is never exposed directly to the internet — every customer-facing read is tenant-scoped on the server. Data is encrypted in transit (TLS) and at rest. A boot guard refuses to start unless it can prove which database it is connected to.

Frozen prompts
Frozen, checksummed reasoning

The instructions the system runs on are versioned, immutable, and locked by SHA-256 checksums — any drift from the approved registry fails the build and cannot reach production. No silent change to how your freight is handled.
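The drift check described above, sketched as an added example (not the platform's own code): it assumes a registry that maps each prompt file's relative path to its approved SHA-256 hex digest. `find_drift`, `check_build` and the registry layout are hypothetical.

```python
import hashlib
import sys
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large prompt files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_drift(prompt_dir: Path, registry: dict) -> list:
    """Compare every file under prompt_dir with the approved registry.

    registry maps relative POSIX path -> approved SHA-256 hex digest (assumed layout).
    Returns findings sorted by path; an empty list means nothing drifted.
    """
    on_disk = {
        p.relative_to(prompt_dir).as_posix(): p
        for p in prompt_dir.rglob("*")
        if p.is_file()
    }
    findings = []
    for name in sorted(registry.keys() | on_disk.keys()):
        if name not in on_disk:
            findings.append(f"missing: {name}")       # approved prompt was removed
        elif name not in registry:
            findings.append(f"unregistered: {name}")  # prompt nobody approved
        elif sha256_file(on_disk[name]) != registry[name].lower():
            findings.append(f"modified: {name}")      # content differs from approved hash
    return findings


def check_build(prompt_dir: str, registry: dict) -> int:
    """Return a process exit code: 0 when clean, 1 when any drift is found."""
    findings = find_drift(Path(prompt_dir), registry)
    for line in findings:
        print(line, file=sys.stderr)
    return 1 if findings else 0
```

Checking for unregistered and missing files as well as modified ones matters: a hash comparison over registry entries alone would not notice a new prompt file added outside the approval path.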

OpenTelemetry
Full traceability

Every action carries an OpenTelemetry trace and runs on a durable queue, so nothing executes without a trail. Sensitive fields are redacted at the boundary before any trace leaves the system.

Sub-processors

Every vendor that can ever see your data.

The full list, each one's function, and the posture commitment we hold it to. Enterprise customers get a signed sub-processor change-log — no addition without 30 days notice.

Vendor | Function | Posture
Anthropic Claude | Reasoning engine | API data is not used to train models under Anthropic’s commercial terms; retained only briefly per their data-retention policy.
Supabase | Database, realtime & auth | Dedicated project per environment; us-east-2; isolated schema not exposed to the public API; encrypted at rest; daily backups.
Stripe | Payments | Card data is collected and held by Stripe only — card numbers never touch our servers or our database.
Vercel | Application hosting | Environment isolation per deploy; production secrets held in a dedicated secrets manager, not the host UI.
Inngest | Background job durability | Per-job idempotency; dead-letter queue with an operator triage runbook so nothing is silently dropped.
Langfuse | Trace observability | Sensitive fields redacted at the boundary before any trace is shipped.
Vapi · ElevenLabs · Deepgram | Voice channel | Signed webhooks; recording disclosure is jurisdiction-aware; two-party consent honored.

Inspect it yourself

Nothing to hide. So come look.

Send your security team — we'll walk every gate, every isolation boundary, every checksum, and every sub-processor, with an MSA and DPA available before pilot. Or run a real lane and watch the record build. Free to use, your data isolated, carriers vetted, a human on every irreversible step, and proof you can verify on every load.

Found a vulnerability? We run responsible disclosure per /.well-known/security.txt — write security@thltrucking.com.
