Security at ParcelPilot

Last updated: November 2, 2025

We take security seriously and appreciate the security research community’s efforts in keeping our platform safe.

Responsible Disclosure

If you believe you’ve found a security vulnerability in ParcelPilot, please let us know. We appreciate your help in keeping our users safe.

Report Security Issues:
security@parcelpilot.com
Please do not report security vulnerabilities through public GitHub issues or social media.

What to Include in Your Report

  • Description: Detailed description of the vulnerability
  • Steps to Reproduce: Clear, step-by-step instructions to reproduce the issue
  • Impact: Your assessment of the vulnerability’s potential impact
  • Affected Components: URLs, API endpoints, or features affected
  • Evidence: Screenshots, videos, or proof-of-concept (PoC) code (if applicable)

Our Response Timeline

Within 24 hours

We’ll acknowledge receipt of your report

Within 72 hours

We’ll provide an initial assessment and timeline for resolution

Within 90 days

We aim to resolve critical vulnerabilities within 90 days

Safe Harbor

ParcelPilot supports safe harbor for security researchers who:

  • Make a good faith effort to avoid privacy violations and data destruction
  • Do not exploit a security issue for personal gain
  • Report vulnerabilities promptly
  • Keep vulnerability details confidential until we’ve resolved the issue

If you follow these guidelines, we will not pursue legal action against you for security research activities.

Out of Scope

The following issues are generally considered out of scope:

  • Denial of Service (DoS) attacks
  • Social engineering or phishing
  • Physical testing against ParcelPilot property or offices
  • Reports from automated scanners without validation
  • Missing security headers without demonstrable impact
  • SSL/TLS configuration issues on third-party services we don’t control

Our Security Measures

Data Protection

  • End-to-end encryption for sensitive data
  • Row-Level Security (RLS) for multi-tenant isolation
  • Regular automated backups
  • PII access audit logging

Infrastructure

  • Hosted on Google Cloud Platform
  • DDoS protection and WAF
  • Automated security patching
  • 24/7 infrastructure monitoring

Application Security

  • OAuth 2.0 authentication
  • Rate limiting on all endpoints
  • IP allowlisting for admin operations
  • CSRF protection

Compliance

  • TCPA/CTIA consent tracking
  • DNC suppression enforcement
  • GDPR-compliant data handling
  • Regular security audits

Questions? Contact us at security@parcelpilot.com