VIGILFleet.

Legal

Security Overview

A summary of the technical and organisational measures Synthax Codes SRL implements to protect Customer data processed by VIGILFleet. This document forms the reference basis for Section 5 (Security measures) of the Data Processing Agreement.

Effective date
24 April 2026
Version
1.0
Jurisdiction
European Union
Security contact
contact@synthax.codes
§ 1

Infrastructure

  • Production workloads are hosted within the European Union, within the territory of the European Economic Area.
  • Managed PostgreSQL with automated daily snapshots and point-in-time recovery covering a minimum of seven (7) days.
  • Object storage on AWS S3 (eu-central-1) with access restricted to time-limited, pre-signed URLs.
  • All public endpoints enforce TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enabled across all domains.
§ 2

Authentication

  • Customer dashboard authentication is scoped per Customer account, with short-lived access tokens (one hour) and rotating refresh tokens (seven days).
  • The driver mobile application uses device-bound authentication with optional credentials. Tokens are stored in the platform keychain (iOS) or hardware-backed keystore (Android).
  • Single Sign-On (OIDC / SAML) is available for Enterprise customers on request.
§ 3

Access control

  • Role-based access control with the principle of least privilege: administrator, manager, dispatcher, accounting.
  • Customer data is logically segregated per Customer account. Cross-account access is prevented by application-layer authorisation and database-level scoping.
  • Administrative access by Synthax Codes personnel is limited to named individuals, time-boxed, and fully logged.
§ 4

Data protection

  • Data encrypted in transit and at rest.
  • Integration credentials and sensitive configuration values are encrypted with a dedicated key, separate from application secrets.
  • Full audit log of administrative actions.
  • Exports of Customer data are available in JSON or CSV format at any time, in line with Article 20 GDPR.
§ 5

Application security

  • Parameterised SQL queries across the API. No string concatenation for database inputs.
  • Dependency scanning and automated alerts for known vulnerabilities in third-party libraries.
  • Secure software development lifecycle with peer code review required for every change to production.
  • Circuit breakers and rate limiting on outbound integrations.
§ 6

Operational security

  • Structured, centralised logging with retention controls.
  • On-call engineer rotation with alerting routed to a primary and secondary responder.
  • Background job processing with durable queues: no data loss on infrastructure restart.
  • Documented incident response playbook covering detection, containment, eradication, recovery, and post-incident review.
§ 7

Business continuity

  • Recovery Point Objective (RPO) of one (1) hour for production databases.
  • Recovery Time Objective (RTO) of four (4) hours for full service restoration following a regional outage.
  • Backup restoration is tested on a recurring basis as part of operational readiness.
§ 8

Responsible disclosure

Security researchers are invited to report any suspected vulnerability to contact@synthax.codes. We acknowledge receipt within two (2) business days and commit to providing a remediation timeline within ten (10) business days. We do not pursue legal action against researchers who act in good faith and within the scope of this policy.