HaulTrack

HaulTrack

Trust Center

This Trust Center explains how HaulTrack protects account, organization, and jobsite operational data. It is written for contractors, general contractors, and IT reviewers evaluating HaulTrack as a vendor.

Last updated: July 7, 2026. For privacy practices, see our Privacy Policy. For service terms, see our User Agreement.

What we store

HaulTrack stores the data needed to run haul and loader operations on a jobsite:

  • Account identity (name, email, authentication identifiers from Firebase Auth or linked sign-in providers).
  • Organization and jobsite membership, roles, and configuration.
  • Operational records such as haul entries, equipment details, time and stone analytics summaries, and related jobsite activity you enter.
  • Security and abuse signals used to protect the Service (for example, honeypot events and lockdown configuration for platform operators).

We do not sell personal information. Server secrets such as Twilio credentials and SMTP passwords are never shipped in the web client bundle.

Access control

  • Users authenticate with Firebase Authentication (email/password and supported social providers).
  • Jobsite roles (operator, foreman, general foreman, superintendent, project manager, and related roles) are enforced in Firestore and Storage security rules, not only in the browser UI.
  • Privileged platform actions (developer console operations such as impersonation or password-reset link generation) run as authenticated Cloud Functions and require a developer claim or the designated bootstrap administrator.
  • Client role routing is for user experience. Authorization decisions that matter are enforced on the data plane and in callable Functions.

App Check and abuse defenses

  • Firebase App Check (reCAPTCHA Enterprise) can be enabled for production to reduce unauthorized client access to backend resources.
  • Decoy admin surfaces and honeypot collections help detect probing and credential stuffing attempts.
  • Dynamic lockdown levels can reduce write access during an active incident while preserving recovery paths for platform operators.
  • Input threat detection runs on both client and Functions paths for high-risk free-text fields.

Infrastructure

HaulTrack is hosted on Google Firebase (Authentication, Firestore, Cloud Storage, Cloud Functions, and Hosting). Data residency and subprocessors follow Google Cloud / Firebase practices for the configured project region. Transactional security SMS, when enabled, is delivered through Twilio. Alert email uses authenticated SMTP with secrets stored in Google Secret Manager.

Security testing

We maintain an automated security testing program covering secret scanning, client bundle checks, Firestore and Storage rules tests, callable authorization smoke tests, dependency audits, and accessibility-oriented UI checks. An independent penetration test and formal WCAG audit are planned as the product matures for larger buyers. Ask us for the current status of those engagements when you evaluate HaulTrack.

Vulnerability disclosure

If you believe you have found a security issue in HaulTrack, email 315sindiana@gmail.com with a clear description, steps to reproduce, and impact. Please do not publicly disclose details until we have had a reasonable chance to investigate and remediate. Do not perform destructive testing against production (data deletion, denial-of-service, or spam against honeypot endpoints).

Researchers may also consult /.well-known/security.txt.

Compliance roadmap

  • Independent penetration test with an executive letter for vendor questionnaires.
  • Formal WCAG 2.2 Level AA audit and VPAT/ACR for accessibility-conscious buyers.
  • SOC 2 Type I (then Type II) when recurring revenue and customer demand justify the engagement.

We do not display certification badges we have not earned. When a report or letter is available under NDA, we will share it with qualified prospects on request.