Help Center Article
Data Security: Frequently Asked Questions
Frequently asked questions about Flexport's data security, including what data we collect and where Flexport user data is stored.
**What data does Flexport collect? **
Flexport retains all shipment, product, and file data collected over the course of a client's shipment's life cycle with Flexport.
The types of data include:
- Documents and files uploaded into the Flexport web app (e.g., Master / House Bill of Lading, Commercial Invoice, Packing List, 3461 Customs Release, 7501 Customs Entry)
- Shipment reference numbers and characteristics (e.g., Master / House Bill of Lading number, weight, volume, piece count, milestone dates, events, invoice costs)
- Product-related data (e.g., name, SKU, HS Code, regulatory information, cost, quantities, metrics across shipments)
- Security-related metadata (logins and locations)
In addition, as a licensed NVOCC and customs broker, Flexport complies with all relevant laws and regulations required by authorities related to retaining data.
Any documents and data that Flexport collects during a given shipment are added to each unique shipment record within Flexport’s platform.
Where is Flexport user data stored?
All Flexport user data is stored in the cloud using secure Amazon Web Services servers. We use both Amazon Simple Storage Service (S3) and Amazon RDS.
Do you make backups?
Amazon S3 automatically keeps copies of all files; we make backups of our cloud database every 3 hours, which are stored in S3.
Our database is real-time backed up in 4 different data centers; additionally, we take backups every hour which are stored on the server. We take a daily backup that's stored remotely.
Who can access the data?
Only Flexport engineers have access to the raw data in AWS. Client data can only be viewed or edited by Flexport employees as necessary to their roles. For instance, only brokers can edit information sent to U.S. Customs.
We work with a number of IT partners to support our internal operations. Our client data is maintained within our own platform, and we do not export proprietary client information to any other service.
What is Flexport’s password policy?
Employee passwords for internally accessing the Flexport platform must be changed every 90 days and can’t be reused. They must contain 8 characters, including a capital, a lower case, a number and a special character. This policy also applies to clients and partners.
Additionally, our team is required to use multi-factor authentication wherever possible, including email and work computers. This helps further prevent unauthorized access to client data.
What type of encryption do you use?
Our site functions only over SSL, so all communication is secure and encrypted end-to-end.
Have you ever had any data leaks?
Our platform’s security has never been breached by any outside party.
How do you test or audit your platform for security?
We have previously contracted with NCC Group, an industry-leading cyber security firm, to conduct periodic vulnerability testing. They performed full-scale audits to ensure that our servers and software are protected against potential security threats. We are proud to say that no vulnerabilities that could expose your data have ever been found.
Flexport is also a member of HackerOne, the world’s most rigorous vulnerability coordination platform, which offers bounties to white-hat hackers for uncovering its member companies’ security vulnerabilities. HackerOne was created by security leaders from Facebook, Microsoft, and Google.
Will you use client data for your own purposes?
No, we will not use client data for our own purposes. We use industry data and anonymized metadata to improve our platform and service offerings. As a licensed customs broker, it is illegal for us to use client data for any purposes other than the client's wishes.
Will you sell client data?
How long will you store our data? What happens to our data when we stop shipping?
We store your data in perpetuity unless you request otherwise.
Can we (clients) remove our data?
All data can be permanently deleted by request, as long as the request complies with the regulating authorities that govern Flexport business.
**Please confirm that all data related to our account remains our property. **
What happens if Flexport ceases to exist?
Flexport is venture-backed and well funded, so there is no risk that we will go out of business in the foreseeable future. That said, in the unlikely event of an unforeseen business closure, we will return or destroy clients' proprietary information.
What happens in case of a change of ownership (acquisition or merger)?
Data security and compliance with customs regulations will not change.
Read about our vulnerability testing with HackerOne here.