Security
How we protect operator and rider data, and how security researchers can responsibly disclose vulnerabilities to us.
Last updated: May 7, 2026
Our Approach
Exaltis dispatches and bills real-world transportation, which means our customers depend on the platform being available, its data being accurate, and its records staying confidential. We apply generally accepted industry security practices to Exaltis systems and the data entrusted to us, and we review and improve those controls on an ongoing basis.
Data Protection
- Encryption in transit. All traffic to the Exaltis platform is served over TLS.
- Encryption at rest. Customer data stored in our managed databases and object storage is encrypted at rest.
- Payment data. Payment-card information is handled by Stripe, a PCI DSS Level 1 service provider. Card numbers are submitted directly to Stripe; Exaltis does not store full card numbers.
- Backups. Production data is backed up on a regular schedule with integrity checks.
Access Control
- Production access is limited to a small set of authorized personnel and is granted on a least-privilege basis.
- Administrative access requires multi-factor authentication.
- Customer accounts support strong passwords, and we are expanding multi-factor authentication and SSO options for customers.
Infrastructure and Operations
- Exaltis is hosted on reputable cloud infrastructure providers with their own physical and operational security controls.
- Code changes go through review and automated testing before being deployed.
- We log application and access events to support investigation of suspicious activity.
Incident Response
If we detect or are notified of a security incident affecting customer data, we investigate, contain the issue, and notify affected customers in accordance with applicable law.
Responsible Disclosure
We welcome reports from security researchers and operate a responsible disclosure program. If you believe you have found a vulnerability in the Exaltis platform, please email security@exaltis.org with a clear description, steps to reproduce, and any supporting proof of concept.
Scope
- In scope: the production exaltis.org website and the authenticated Exaltis application, including the subdomains and API endpoints we operate.
- Out of scope: third-party services we integrate with (please report issues in those to the third party), and our marketing or static content sites that do not handle customer data.
Please do not
- Conduct denial-of-service or resource-exhaustion testing.
- Send phishing, social-engineering, or unsolicited communications to Exaltis staff or customers.
- Run automated scans that materially degrade the Exaltis platform.
- Test third-party integrations on our behalf.
- Access, modify, exfiltrate, or destroy data beyond the minimum necessary to demonstrate the vulnerability.
- Establish persistence or pivot to other systems.
Please do
- Stop testing as soon as you have demonstrated the issue.
- Report the issue promptly and give us a reasonable opportunity to remediate before any public disclosure.
- Securely delete any non-public Exaltis data you accessed during research after reporting.
Safe harbor
We will not pursue legal action against researchers who act in good faith and adhere to this policy. If a third party initiates legal action against you for activity that complied with this policy, we will make it known that the activity was authorized under this policy.
Contact
Security reports: security@exaltis.org
General questions: support@exaltis.org