Security

HauliK is operated by Mat Mad LTD.

Last updated: 3 June 2026

Our approach to security

HauliK uses managed cloud infrastructure, role-based access controls and server-side controls to protect fleet and driver data. This page is intentionally conservative: it does not claim certification, guaranteed uptime or immunity from incidents.

Security is shared. Operators remain responsible for strong passwords, least-privilege roles, MFA adoption where available, removing leavers, device security and keeping independent records where required.

1. Security Overview

MAT MAD LTD treats customer data security as an operational responsibility. HauliK is designed around authenticated access, company-level data separation, role-based permissions and server-side handling for privileged actions.

We do not hold ISO 27001, SOC 2 or Cyber Essentials certification at this time, and we do not claim DVSA approval or certification.

2. Infrastructure

  • Vercel is used for the web application, CDN and server/edge infrastructure.
  • Supabase is used for database, authentication and file storage.
  • Stripe is used for subscription billing and hosted payment workflows.
  • Email, push notification, app-store and mobile build providers support transactional and mobile workflows.
  • Provider regions, transfer mechanisms, backup settings and configuration may vary by service configuration and provider availability.

3. Access Controls

  • HauliK uses roles such as owner, admin, dispatcher, mechanic and driver.
  • The platform is designed to separate company data between operator accounts.
  • Database row-level security is used where applicable, alongside server-side session validation and company context checks.
  • Privileged service-role access is intended for server-side operations only and should never be exposed to browser clients.
  • Audit logging is applied to key platform events and is reviewed as the service evolves.

4. File and Evidence Storage

HauliK is designed to use controlled/private storage for operational evidence such as check photos, POD photos, defect images, tacho records and documents, with server-side signed access for managed evidence references where implemented.

Production storage access is managed through configured Supabase project settings and application access controls. The downloads bucket is intentionally used for public downloads.

5. Authentication and Account Security

  • Authentication is handled through Supabase Auth and server-side session validation.
  • Password reset uses verified email flows.
  • Invitation links are intended to be controlled and time-limited where implemented.
  • Operators are responsible for assigning least-privilege roles and removing drivers, staff or contractors who leave.

6. Backups, Resilience and Incidents

HauliK has a documented Disaster Recovery and Incident Response Plan and completed an initial tabletop incident-response exercise on 3 June 2026.

HauliK relies on managed-provider backup and recovery capabilities where available. Customers with strict continuity or regulatory needs should export and retain their own required records.

Public summary: Disaster Recovery and Incident Response.

7. Customer Responsibilities

  • Use strong, unique passwords and MFA where available.
  • Limit owner/admin roles and review permissions regularly.
  • Remove leavers promptly and rotate shared or suspected credentials.
  • Keep driver devices and mobile apps updated.
  • Do not use the mobile app while driving or where unsafe or illegal.
  • Export and retain legally required records independently where required.

8. Responsible Disclosure

If you believe you have discovered a vulnerability, email with a clear description. Do not access, modify, delete or disclose other customers' data.

We do not currently operate a formal bug bounty programme.

9. What We Do Not Claim

  • MAT MAD LTD is not ISO 27001 certified.
  • MAT MAD LTD is not SOC 2 certified.
  • MAT MAD LTD is not Cyber Essentials certified.
  • HauliK is not DVSA-approved or DVSA-certified.
  • We do not publish a guaranteed SLA, RTO or RPO unless separately agreed in writing.
  • No system is completely secure and we cannot guarantee incident-free operation.

10. Contact

Mat Mad LTD

Company No. 09270153 (England & Wales)

Swadlincote, UK

Email: