Encryption everywhere
TLS 1.2+ in transit and AES-256 at rest for every document and database column.
Least-privilege access
Only named administrators can view carrier submissions. Row-Level Security is enforced at the database.
Signed document URLs
Uploaded W9s, MC authority, and insurance are private. Admin views generate single-use, 10-minute signed links.
Private storage
Carrier files live in a private bucket with no public read access. No file is reachable from the internet without an active admin session.
Hardened web app
Strict Content-Security-Policy, X-Frame-Options, Referrer-Policy, and HSTS-class headers on every response.
Input validation
Server-side schema validation on every form submission. No raw client data ever touches the database.
Responsible disclosure
Found a vulnerability? Email security@jwtrustworthy.com with reproduction steps. We acknowledge reports within 2 business days and do not pursue legal action against good-faith researchers.
