OverTheRoad.ai
OverTheRoad.ai
Free Trial

Security & Vulnerability Disclosure

Last updated: April 5, 2026

1. Our Commitment

The security of our users' data is a top priority. We welcome and appreciate responsible security research. If you believe you have found a security vulnerability in OverTheRoad.ai, we encourage you to report it to us so we can address it promptly.

2. How to Report

Email your findings to security@overtheroad.ai. Please include:

  • A description of the vulnerability and its potential impact.
  • Detailed steps to reproduce the issue, including URLs, request/response data, or screenshots.
  • Your assessment of severity (critical, high, medium, low).
  • Your contact information so we can follow up.

3. Our Response

  • We will acknowledge your report within 72 hours.
  • We will provide an initial assessment and expected timeline for a fix within 7 business days.
  • We will notify you when the vulnerability has been resolved.
  • We will credit you publicly (with your permission) once the fix is deployed.

4. Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith to avoid privacy violations, data destruction, and service disruption.
  • Report vulnerabilities to us before disclosing them publicly.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
  • Do not access, modify, or delete other users' data.
  • Do not perform denial-of-service attacks, social engineering, or phishing against our users or staff.

5. Scope

The following are in scope:

  • The OverTheRoad.ai web application (app.overtheroad.ai)
  • Our API endpoints
  • Authentication and authorization flows
  • Data exposure or access control issues

The following are out of scope:

  • Third-party services we use (Clerk, Stripe, Plaid, etc.) — report those to the respective providers.
  • Attacks requiring physical access to a user's device.
  • Social engineering attacks against our team or users.
  • Denial-of-service attacks.
  • Automated scanning that generates excessive traffic.

6. Security Practices

  • All connections are encrypted with TLS 1.2+.
  • Authentication is handled by Clerk with support for multi-factor authentication.
  • Payment data is processed by Stripe — we never store credit card numbers.
  • Bank credentials are handled by Plaid — we never receive or store bank login information.
  • Database access is restricted and encrypted at rest.
  • All uploaded documents are stored in encrypted S3-compatible storage with owner-only access controls.
  • AI features (Co-Driver) process queries via Anthropic's API over encrypted connections. Conversations are not stored on our servers. Anthropic retains prompts for up to 30 days per their data retention policy and does not use your data for model training.
  • Partner Stripe Connect account identifiers and payout data are encrypted at rest. Partners' bank account details are stored by Stripe, not on our servers.

7. Data Breach Response

In the event of a data breach that compromises personal information, we will:

  • Notify affected users within 30 days of discovery via email and in-app notification.
  • Disclose the nature of the breach, the types of data affected, and the remediation steps being taken.
  • Comply with all applicable state breach notification laws (which may require shorter notification periods in some jurisdictions).
  • Provide guidance on protective measures you can take.

8. Safe Harbor Disclosure Window

Security researchers who report vulnerabilities through our responsible disclosure process should allow 90 days from the date we confirm a fix has been deployed before any public disclosure. We will work collaboratively with researchers to establish a reasonable disclosure timeline.

9. Contact

Security reports: security@overtheroad.ai

General support: support@overtheroad.ai