Security at 20-2 Dispatch
Your freight data is the backbone of your business. We treat it that way. Here's exactly how 20-2 Dispatch protects your information.
Encrypted Secrets and Protected Storage
High-sensitivity application secrets, such as integration tokens, are encrypted with AES-256-GCM before database storage. Platform data, uploaded files, and backups are stored on managed infrastructure providers that offer encryption at rest and in transit, with tenant-scoped access controls enforced by the application.
Mandatory Two-Factor Authentication (2FA)
Every user is required, on every login, to verify their identity with a one-time code sent to their email, not just a password. This means even if someone steals a password, they still can't get into your account. This isn't optional: it's enforced on every login, every time.
Multi-Tenant Data Isolation
Your data is completely separated from every other brokerage on the platform. Every database query is scoped to your organization — there is no way for another company's users to see your loads, carriers, customers, or financial data.
Role-Based Access Control
Not every user on your team needs access to everything. Owners, admins, dispatchers, sales reps, and back-office staff each see only what they need. We check permissions before every action, every page load, and every API call.
Audit Logging
Every important action in the system is recorded with a timestamp and the name of the person who did it — who changed a rate, who sent an invoice, who invited a user, who updated settings. If something changes, you can trace exactly who did it and when.
B+ Mozilla Observatory Score
Mozilla Observatory is an independent, third-party security scanner run by the makers of Firefox. It tests websites for common vulnerabilities and security best practices. 20-2 Dispatch scores a B+ (80/100). Most competing TMS platforms in the freight industry score a D or F on the same test.
HSTS with Preload
HTTP Strict Transport Security ensures that your browser always connects to 20-2 Dispatch over an encrypted HTTPS connection — never unencrypted HTTP. The 'preload' designation means this protection is built into your browser before you even visit our site.
Content Security Policy (CSP)
A Content Security Policy tells your browser exactly which scripts, styles, and connections are allowed to run on our pages. This blocks cross-site scripting attacks — where a malicious script tries to run inside our application to steal your data.
Webhook Signature Verification
When external services like Stripe for billing or Resend for email send data to our system, we verify every incoming message using cryptographic signatures. This prevents attackers from sending fake data to our platform pretending to be a legitimate service.
Database-Backed Rate Limiting
Every public-facing endpoint in the system has rate limits that prevent abuse — whether it's a brute-force password attack, an automated bot, or a script hitting our system too fast. These limits are enforced at the database level so they persist across server restarts.
Structured Logging & Error Monitoring
Every server operation generates a structured log entry with consistent fields — timestamp, severity, user, organization, and action details. We use Sentry — an industry-standard error tracking platform — to detect and diagnose issues in real time. If something breaks, we know within seconds.
Environment Validation
Every time our application deploys, it validates all critical configuration variables before accepting any traffic. If a required security key, database connection, or encryption credential is missing, the application refuses to start. Misconfigured deployments never reach production.
Token Hashing (SHA-256)
Carrier portal links and magic link tokens are stored as one-way cryptographic hashes — not as plain text. Even if our database were compromised, an attacker couldn't reverse-engineer the original tokens to access carrier portals or tender links.
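The hash-at-rest pattern described above, as an added sketch; it is not 20-2 Dispatch's code. The in-memory table, the function names, the 15-minute expiry and the single-use redemption are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for the token table (assumption):
# maps token_hash -> record. The raw token is never a key or a value.
TOKEN_TABLE = {}


def hash_token(token: str) -> str:
    """One-way SHA-256 digest of the token; the only form that is stored.

    A plain, unsalted hash is suitable here because the token is a long
    random value. It is not a suitable way to store passwords.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(subject: str, ttl_seconds: int = 900,
                now: Optional[float] = None) -> str:
    """Create a random token, persist only its hash, return the raw token once."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
    TOKEN_TABLE[hash_token(token)] = {
        "subject": subject,
        "expires_at": now + ttl_seconds,  # expiry is an assumption of this sketch
        "used": False,                    # single-use is an assumption of this sketch
    }
    return token  # goes into the emailed link; it is not kept server-side


def redeem_token(presented: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject for a valid, unexpired, unused token, else None."""
    now = time.time() if now is None else now
    # Hash what the caller presented and look the digest up; the stored
    # digest is never reversed.
    record = TOKEN_TABLE.get(hash_token(presented))
    if record is None:
        return None
    if record["used"] or now >= record["expires_at"]:
        return None
    record["used"] = True
    return record["subject"]
```

A dump of `TOKEN_TABLE` yields only digests, so a link cannot be rebuilt from it; the raw token exists only in the message sent to the recipient.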
Infrastructure Partners
20-2 Dispatch runs on enterprise-grade infrastructure. Vercel (SOC 2, ISO 27001) hosts our application. Neon PostgreSQL (SOC 2) manages our database. Stripe (PCI DSS Level 1) processes all billing. Your data never touches an unaudited system.
