Security & data protection

Your audit trail, kept safe.

Compliance records only matter if they hold up — and that starts with how they're stored. Here's how we protect your data, in plain English, with no claims we can't stand behind.

How we protect your data

Built to keep records intact.

UK & EU hosted

Your data lives in UK and EU regions on a UK-GDPR-aligned cloud (Supabase, EU region). It doesn't leave the UK/EU in the ordinary course of running the service; where data transits an edge network we rely on standard contractual clauses.

Encrypted in transit and at rest

Every connection is TLS-encrypted, and your records, photos and signatures are encrypted at rest on disk. Passwords are stored as hashes — never in plain text.

Row-level access control

Access is enforced at the database with row-level security (RLS): every record is scoped to one organisation, so one customer can never read another's data. Multi-tenancy is isolated by design, not by convention.

Locked, immutable records

A submitted walkaround is sealed the moment the driver taps submit — it can't be edited or backdated. Each record is hashed (SHA-256) at submission, so any later tampering would break the hash and show on the PDF. Records are retained for 15 months by default (the DVSA minimum), longer on request.

Automatic backups

The database is backed up automatically and continuously, so a record submitted on a phone in the yard is durably stored and recoverable — not sitting on a clipboard in the rain.

PCI-DSS payments via Stripe

Card payments are handled entirely by Stripe, a PCI-DSS Level 1 provider. FleetMark never sees or stores card numbers.

Built on certified infrastructure

Standing on a hardened stack.

FleetMark is built on SOC 2 Type II / ISO 27001 infrastructure (Supabase and Vercel), with PCI-DSS payments handled by Stripe. To be clear: those are our suppliers' certifications, which our platform inherits — not certificates FleetMark holds in its own name. We think that distinction matters, so we state it plainly.

  • ISO 27001 / SOC 2 (infrastructure)

    Inherited from our hosting — Supabase & Vercel, not a FleetMark-held certificate.

  • PCI-DSS via Stripe

    Card payments are handled entirely by Stripe; we never touch card data.

  • Working towards Cyber Essentials

    Assessment underway.

  • ICO registration

    Planned

What we don't claim — yet

The honest small print.

We'd rather under-claim than oversell. So, for the record:

  • We do not hold our own SOC 2, ISO 27001 or PCI-DSS certificate — we borrow our infrastructure providers', as described above.
  • ICO registration is in progress — not yet complete.
  • We are working towards Cyber Essentials; we haven't been certified yet.

For how we collect and handle data, see our privacy policy. A data processing agreement (DPA) is available on request — email hello@fleetmark.co.uk.
