Arrow holds the records FMCSA can subpoena and the data your insurer prices on. Here is exactly how we handle that responsibility.
Self-certified and registered under §395.20 and Appendix A. Registration ID available to prospects on request; verified in every DOT audit our design partners have been through.
Security, availability, and confidentiality controls built to the SOC 2 standard; independent audit in progress. Posture summary available under NDA. Independent penetration tests twice yearly; findings tracked to closure.
Every log, alert, acknowledgment, and outcome is hash-chained per §395.22(i), retained seven years, and exportable by you at any time — including after you leave.
TLS 1.3 in transit, AES-256 at rest, per-tenant isolation. Driver PII — CDL numbers, medical records — is field-level encrypted with separate key management.
We do not sell fleet, driver, or telematics data — to brokers, insurers, or anyone else. Access is role-scoped and every access is logged.
The ELD keeps recording on-device through any outage — a 49,000-point buffer means a cloud incident is never a roadside problem or a compliance gap.
In a product where the government can subpoena the records, “the model said so” is not an answer. Three rules govern every AI surface in Arrow.
He is 96 minutes from Cheyenne with 38 minutes of legal duty time left. Continuing to the receiver is infeasible.
SOC 2 report, pen-test summary, data processing agreement, and the FMCSA registration record — one email away.