New: Arrow AI Compliance now bridges McLeod, TMW, and Alvys — keep your TMS, add prevention. See how →
TRUST CENTER · FMCSA · SECURITY POSTURE

Your DOT number rides on this. Here is how we protect it.

Arrow holds the records FMCSA can subpoena and the data your insurer prices on. Here is exactly how we handle that responsibility.

§395.20
FMCSA self-certified ELD
SOC 2
SOC 2 · program underway
AES-256
Encryption at rest and in transit
7yr
FMCSA-grade retention
THE POSTURE

Six commitments.
Documented.

FMCSA-registered ELD

Self-certified and registered under §395.20 and Appendix A. Registration ID available to prospects on request; verified in every DOT audit our design partners have been through.

REGISTRATION RECORD · ON REQUEST

SOC 2 program

Security, availability, and confidentiality controls built to the SOC 2 standard; independent audit in progress. Posture summary available under NDA. Independent penetration tests twice yearly; findings tracked to closure.

REPORT UNDER NDA · PEN-TESTED 2×/YR

Hash-chained audit trails

Every log, alert, acknowledgment, and outcome is hash-chained per §395.22(i), retained seven years, and exportable by you at any time — including after you leave.

§395.22(i) · 7-YEAR RETENTION

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest, per-tenant isolation. Driver PII — CDL numbers, medical records — is field-level encrypted with separate key management.

TLS 1.3 · AES-256 · FIELD-LEVEL PII

Your data is yours

We do not sell fleet, driver, or telematics data — to brokers, insurers, or anyone else. Access is role-scoped and every access is logged.

NO DATA RESALE · FULL ACCESS LOGGING

Offline-safe by design

The ELD keeps recording on-device through any outage — a 49,000-point buffer means a cloud incident is never a roadside problem or a compliance gap.

49,000-POINT ON-DEVICE BUFFER
AI TRANSPARENCY

No black boxes in a
compliance product.

In a product where the government can subpoena the records, “the model said so” is not an answer. Three rules govern every AI surface in Arrow.

Every flag is citedEach alert names the rule it applies (§395.3, §391.45, §396.17…), the data behind the projection, and the math. Verifiable by hand.
The AI recommends. People decide.Arrow never dispatches a driver, cancels a load, or edits a log. Your team acts in your systems; Arrow verifies and records the outcome.
Logs are never AI-generatedDuty status comes from the engine bus and the driver’s certification, exactly as FMCSA requires. The AI reads records; it does not write them.
Every alert · rule cited · evidence attached
Arrow Compliance P0 · ACT WITHIN 10 MIN
to: dispatch@demofleet.example · 12:02 PM
Reyes (0412) will violate the 14-hour rule at 1:58 PM MT.

He is 96 minutes from Cheyenne with 38 minutes of legal duty time left. Continuing to the receiver is infeasible.

RECOMMENDED · DO THIS IN YOUR TMS
1. Reassign load L-4471 to Okafor (0287) — 22 mi out, 6h 40m available.
2. Route Reyes to TA Cheyenne (Exit 401) for his 10-hour reset.
3. Reply DONE — we verify against ELD data and close the loop.
EVIDENCE ATTACHED: GPS trace · HOS log · §395.3(a)(2) · Audit ID #A-88231
FOR YOUR IT TEAM

The questions IT asks.

US-based cloud infrastructure across multiple availability zones with real-time replication. All FMCSA-relevant records stay within US jurisdiction.
OAuth 2.0 or scoped API keys, read-only by default. The AI Compliance bridge requests the minimum scopes needed — read access to HOS, vehicle, and load data. Write access is never required.
You get a complete export — logs, DQF documents, alert history, audit trail — in standard formats (CSV, PDF, JSON). We retain FMCSA-mandated records for the required period, then purge on schedule.
SAML and OIDC SSO on enterprise plans, SCIM provisioning, role-based access control on all plans, and complete audit logging of every user action in the portal.
Yes — security@arrowlane.ai with a one-business-day triage SLA. We credit researchers with permission.

Need the full
security packet?

SOC 2 report, pen-test summary, data processing agreement, and the FMCSA registration record — one email away.

SOC 2 UNDER NDA · DPA ON REQUEST · SECURITY@ARROWLANE.AI