RouteBalanceSign in
Trust & Security

Security by design.

Your route data is your business data. Here’s how we protect it.

Payments

Stripe Connect Standard. Funds never touch us.

Customer payment links use Stripe Connect Standard. When a customer pays, funds flow directly into your connected Stripe account. Route Balance never receives, holds, or has access to payment funds. Card data is handled entirely by Stripe under their PCI-DSS compliance program.

  • Stripe Connect Standard — your account, your funds.
  • No card numbers stored anywhere in Route Balance systems.
  • Disputes and chargebacks managed through your Stripe dashboard.
Tenant Isolation

Postgres Row Level Security. Every query checks your identity.

Every database table in Route Balance is protected by PostgreSQL Row Level Security. All queries — whether they come from the app, the AI briefing worker, or an API call — enforce a current_client_id() check. One dealer's data is invisible to another at the database level, not just the application level.

  • RLS on every table — enforced at the database layer.
  • current_client_id() is SECURITY DEFINER — users cannot spoof it.
  • Audit trail records every write with timestamp and user.
Audit Trail

Every approval. Every dollar. Every recon flag.

Route Balance logs every action that changes route data: collection entries, promise logs, import batches, and approval flags. Nothing is edited without a record. The audit trail is append-only — existing entries cannot be modified.

Observability

Sentry error monitoring. Structured logs.

Every exception in Route Balance is captured by Sentry with full stack traces, scrubbed of payment data before transmission. Application logs use structured JSON, enabling alerting on anomalous patterns (unexpected error rates, auth failures, unusual API volumes).

Data Residency

Supabase US (us-east-1).

All Route Balance data is stored in Supabase-hosted PostgreSQL in the United States (us-east-1 region). Backups are retained for 7 days by default.

Compliance Posture

We're honest about where we are.

Route Balance is in pilot. We follow NACHA Originator rules for ACH-adjacent operations. ACH auto-debit for external dealers is gated until our counsel review completes — we won't turn on payment flows we haven't reviewed. We don't make compliance claims we can't back up.

  • NACHA Originator rules applied to all ACH-adjacent workflows.
  • External ACH auto-debit gated on counsel review.
  • SECURITY.md in repository tracks open items.
Questions? Get in touch →Privacy Policy