Scope
This overview applies to information processed in connection with our corporate website and the platforms operated by Cargavia Technologies Inc., including Cargavia, CargaExchange, and Mandivo. Individual platforms may publish additional security documentation specific to their services.
Infrastructure & hosting
Our services are operated on established cloud and platform-as-a-service providers that offer recognized infrastructure security controls. Production workloads run in managed environments separated from development and test environments.
Network architecture is designed to limit the surface area exposed to the public internet. Internal services communicate through controlled networks, with public access concentrated on a small set of hardened entry points.
Encryption in transit
Data exchanged between client devices and our services is encrypted in transit using industry-standard TLS. Sensitive internal service-to-service traffic is encrypted in transit as well, in line with provider best practices.
Access controls
Access to production systems and to data processed through our platforms is role-based and granted on a need-to-know basis. Specifically, we apply:
- Identity-based authentication for production tooling, with multi-factor authentication on accounts that can access sensitive systems.
- Least-privilege access policies — administrative roles are scoped narrowly and reviewed periodically.
- Separation of duties between development, deployment, and operational support where appropriate.
- Just-in-time or break-glass access procedures for sensitive operations, with audit trails.
Logging & monitoring
We maintain operational logs and monitoring across our services to support reliability, security, and incident response. This includes:
- Application and infrastructure logging for production services.
- Health, performance, and error monitoring with alerting on abnormal patterns.
- Security-relevant event logging — including authentication, privileged access, and suspicious activity indicators.
Logs are retained for periods consistent with operational and legal requirements and are stored with access controls appropriate to their sensitivity.
Backups & business continuity
We operate on managed cloud platforms that provide redundant storage, durable persistence, and recoverable backups for production data. Backup, restore, and continuity procedures are designed to allow recovery from common failure modes within reasonable timeframes appropriate to the affected service.
We do not guarantee any specific recovery time or recovery point objective unless separately committed to in a written agreement.
Vendor management
We use third-party providers for cloud infrastructure, communications (including WhatsApp Business API providers), analytics, security, model-provider services, and related operations. We evaluate vendors based on the sensitivity of the data they handle and the criticality of the service they provide, with attention to:
- The vendor's data-handling commitments and contractual protections.
- The vendor's security practices and operational track record.
- Any regulatory or jurisdictional considerations relevant to the engagement.
Data minimization
We design our products to collect and retain the data needed to operate the service and meet legal requirements. Where features rely on third-party providers — including AI model providers — we configure those integrations to minimize unnecessary data exposure and avoid sending sensitive content where it is not required.
We do not use customer content from our platforms to train general-purpose foundation models.
Incident response
We maintain an internal process to detect, triage, contain, and recover from security incidents. Where an incident affecting personal information rises to a level requiring notification under applicable law or under a contractual commitment, we will notify affected parties consistent with that requirement.
We perform post-incident reviews on material incidents and apply lessons learned to improve our controls.
Personnel practices
Personnel with access to sensitive systems are subject to confidentiality obligations and receive guidance on information-security responsibilities relevant to their role. Access is revoked promptly when no longer needed.
Continuous improvement
Our security posture is reviewed and refined over time. We invest in tooling, training, and process improvements as our platforms grow and as threats evolve. We expect this page to evolve along with our practices.
Limits of this overview
This page is informational and not a contractual commitment. Our concrete obligations regarding processing, security, and data protection are set out in the agreements that govern your use of our platforms and, where applicable, in product-specific data processing terms.
We do not claim, on this page, any certification or audit attestation we have not formally obtained.
Contact
Security questions, partner reviews, and vulnerability reports can be sent to security@cargavia.com. For general legal or privacy questions, see our Privacy Policy or contact legal@cargavia.com.