Our approach
Expedion is a managed AI workforce for freight forwarding operations. We handle operational data — shipment data, booking data, tracking data — under written engagement agreements that define the scope and duration of data handling. Our security posture is built around least-privilege access, encryption in transit and at rest, monitored infrastructure, and a written incident response process.
Security practices evolve. This page is the current summary; specific controls are described in greater detail in our customer-facing security documentation, which is available under NDA during the scoping phase of a pilot.
Infrastructure
Expedion operates on major United States cloud infrastructure with physical, network, and host-level controls maintained by the cloud provider. We use hardened baseline images, managed identity services, and a defined VPC topology that isolates production from development and staging.
Production systems are not accessible from the public internet except through authenticated load balancers and bastioned administrative paths. Administrative access requires multi-factor authentication and is logged centrally.
Data encryption
Data in transit between the browser, our services, and third-party integrations is encrypted using TLS 1.2 or higher. Data at rest in primary data stores is encrypted using industry-standard algorithms with keys managed through the cloud provider's key management service.
Backup data is encrypted with the same controls and is retained on a schedule aligned with the engagement agreement.
Access controls
Expedion enforces least-privilege access across production systems. Employee access is granted by role, reviewed quarterly, and revoked on role change or departure. Production access requires multi-factor authentication, and sensitive actions are logged for audit.
Customer operational data is accessible only to the Expedion personnel and systems that need it to deliver the contracted service. Cross-customer access is not permitted without an explicit written agreement that authorises it.
Monitoring and logging
We maintain centralised logging of application, infrastructure, and access events. Logs are monitored for anomalous patterns (failed authentication attempts, privilege escalation, unusual data access), and alerts that cross tuned thresholds are routed to the on-call responder.
Logs are retained for the period required to investigate incidents and to meet audit obligations under the engagement agreement.
Vulnerability management
We subscribe to security advisories for the frameworks, libraries, and infrastructure we depend on, and apply security patches on a schedule commensurate with severity. Critical patches are applied within a defined window; lower-severity updates follow the regular release cycle.
We run automated dependency scanning on our codebase and container images. External penetration tests are scheduled at appropriate intervals; results and remediation status are available to production customers under NDA.
Incident response
We maintain a written incident response process covering detection, containment, investigation, remediation, and customer notification. Customers are notified within the timeframe specified in the engagement agreement following confirmation of a security incident affecting their data.
Post-incident, we conduct a written root-cause review and update controls to prevent recurrence.
Compliance
Our compliance roadmap is driven by the regulatory environment of the freight-forwarding customers we serve. Current-state compliance documentation is available under NDA during the scoping phase of a pilot or production engagement.
Responsible disclosure
If you believe you have identified a security vulnerability in Expedion, please email security@expedion.ai with a clear description, reproduction steps, and any supporting material. Do not publicly disclose the vulnerability or exploit it for any purpose other than verification. We will acknowledge your report and work with you on coordinated disclosure.
Contact
Security questions, disclosure reports, and customer due-diligence requests can be directed to security@expedion.ai or mailed to Expedion Inc., San Francisco, CA, United States.