Your freight.
On the record.
Every decision and every action on your loads is logged, reproducible, and yours to read — load by load, before and after the fact. A human signs before anything irreversible, carriers are vetted before any rate-con, and your data sits in its own isolated environment. No black box, no 'trust us' — the same record your CFO, your board, and your auditor can read, exactly as it stands.
Visibility you don't have to ask for.
Security here is not a posture statement you file away. It is a record you can get on any load — the receipts on every load, a signature on anything that can't be undone, and the same vetting on every carrier whether or not anyone is watching.
A complete record on every load
Every load's full record — timestamped decisions, actions, and verification results — is logged and yours to get, load by load. No black box.
Sign before it's irreversible
Five points in the workflow stop and wait for a person — dispatch, banking changes, and more. The work runs unattended; it never moves money unsupervised.
See the rate, not the black box
The sell-side rate is shown on every load, not buried. Transparency is the trust play, not a thing you have to pry loose.
Keep your data isolated
The platform runs on its own dedicated, isolated database — never shared with another product — and every portal query is scoped to your account on the server. Shipper and carrier surfaces are projected through typed views that structurally cannot carry another customer’s pricing or records.
A person signs before anything irreversible.
The system runs the loose ends so your team doesn't have to — but five points in the workflow stop cold and wait for a human signature. Money never moves unattended.
No rate confirmation goes to a carrier until a dispatch is approved on the record. There is no path around it — the workflow refuses to commit coverage without the sign-off.
Any change to where a carrier gets paid triggers a 48-hour cooling period plus identity re-verification against the FMCSA-registered phone before it can apply.
On a phone call, the system can only touch the one load the caller was verified against. Two-factor verification at the start; hard caps on what can be quoted or changed.
Nothing that changes how the system reasons goes live without an approver on the record. Frozen, versioned, and signed — drift cannot ship itself.
No outbound sequence sends until a named person authorizes the launch. There is no headless send path; a human owns every campaign that goes out.
An audit trail you can hand to your CFO.
100% audit coverage. Every decision and action on your freight is written to the record with its inputs, its checks, and its outcome. Sensitive fields are redacted at the boundary as a matter of policy, but the load's full decision record is yours to get for any load — hand it to your CFO, your board, or your auditor exactly as it stands.
Run a live quote and watch it build- request
- TLN-Q-48211
- lane
- Detroit, MI → Dallas, TX
- decision
- quote priced · capacity read
- checks
- FMCSA authority + safety
- fraud_screen
- 45 patterns · 0 flags
- latency_ms
- 1842
- result
- $2,440 · 78% capacity
- gate_required
- dispatch_approval
- signed_by
- J. Rivera · ops
We vet the carrier before the rate-con — not after.
The carrier that shows up at your dock is the carrier we vetted. Identity, authority, and fraud exposure are checked against FMCSA authority and safety data and screened against a 45-point fraud-pattern library before we book — with Highway and Carrier411 layering in as we enable them.
- FMCSA authority + safety on every carrier — FMCSA authority, safety, and history checked on every carrier — with deeper third-party verification (Highway, Carrier411) layered in as we enable it. Not our own say-so.
- 45 fraud patterns screened — Phone-port flags, day-old MC numbers, banking churn, and more — a 45-point fraud-pattern library screened before we book.
- FMCSA phone match — On an inbound call, the caller is screened against the carrier-on-record's FMCSA-registered number — a mismatch raises the fraud risk score — and identity itself is established by two-factor reference verification.
- 48-hour banking cooling period — Any change to where a carrier is paid waits 48 hours and re-verifies identity before it can take effect.
- Negotiation never weakens vetting — A carrier that fails any layer is rejected regardless of how good the rate looks. The buy-side never buys an exception.
Isolated by default. Inspectable on demand.
The platform is built so a security team can verify the claims, not just read them. Your environment is walled off, the reasoning is frozen and checksummed, and every action carries a trace.
Each environment runs on its own dedicated Supabase project in an isolated schema that is never exposed directly to the internet — every customer-facing read is tenant-scoped on the server. Data is encrypted in transit (TLS) and at rest. A boot guard refuses to start unless it can prove which database it is connected to.
The instructions the system runs on are versioned, immutable, and locked by SHA-256 checksums — any drift from the approved registry fails the build and cannot reach production. No silent change to how your freight is handled.
Every action carries an OpenTelemetry trace and runs on a durable queue, so nothing executes without a trail. Sensitive fields are redacted at the boundary before any trace leaves the system.
Every vendor that can ever see your data.
The full list, each one's function, and the posture commitment we hold it to. Enterprise customers get a signed sub-processor change-log — no addition without 30 days notice.
| Vendor | Function | Posture |
|---|---|---|
| Anthropic Claude | Reasoning engine | API data is not used to train models under Anthropic’s commercial terms; retained only briefly per their data-retention policy. |
| Supabase | Database, realtime & auth | Dedicated project per environment; us-east-2; isolated schema not exposed to the public API; encrypted at rest; daily backups. |
| Stripe | Payments | Card data is collected and held by Stripe only — card numbers never touch our servers or our database. |
| Vercel | Application hosting | Environment isolation per deploy; production secrets held in a dedicated secrets manager, not the host UI. |
| Inngest | Background job durability | Per-job idempotency; dead-letter queue with an operator triage runbook so nothing is silently dropped. |
| Langfuse | Trace observability | Sensitive fields redacted at the boundary before any trace is shipped. |
| Vapi · ElevenLabs · Deepgram | Voice channel | Signed webhooks; recording disclosure is jurisdiction-aware; two-party consent honored. |
Nothing to hide. So come look.
Send your security team — we'll walk every gate, every isolation boundary, every checksum, and every sub-processor, with an MSA and DPA available before pilot. Or run a real lane and watch the record build. Free to use, your data isolated, carriers vetted, a human on every irreversible step, and proof you can verify on every load.
Found a vulnerability? We run responsible disclosure per /.well-known/security.txt — write security@thltrucking.com.