SeaPillar is designed for regulated maritime operations. Tenant isolation, RBAC, and audit trails are not optional features — they are foundational.
Security is enforced at the database, API, and UI layers. Every action is attributable. Every boundary is validated.
Every query is scoped to your organization at the database layer. Data from one tenant cannot reach another — enforced at the query level, not just the application layer.
Eight roles across three portals — operations team (Agency Admin, Operator, Customs Officer, Warehouse, Viewer), plus dedicated Vessel Owner and Captain portals. Permissions are enforced server-side on every request.
Every status change, approval, and update is logged with the acting user, timestamp, and a record of what changed. Logs cannot be altered or deleted.
Data is encrypted in transit (TLS 1.3) and at rest. Credentials are never stored in plain text. File uploads are validated for MIME type and content before storage.
HSTS, CSP, X-Frame-Options, and Permissions-Policy are enforced on every response. Input is sanitized at all trust boundaries before reaching the database.
Generate audit packs, custody chain exports, and GDNs with integrity hashes on demand. Structured for P&I club submissions and customs authority review.
We pursue third-party validation to give your compliance team confidence beyond our own assertions.
We are actively working toward SOC 2 Type II certification covering security, availability, and confidentiality trust service criteria.
Independent penetration testing of our infrastructure and application layer is part of our security programme. Findings are remediated on a fixed timeline.
Our incident response procedure includes a commitment to notify affected customers within 24 hours of a confirmed security incident.
SeaPillar is built and operated for EU maritime operators. GDPR compliance is treated as a baseline requirement, not an afterthought.
All data is stored and processed within the European Union. No transfers to third countries without adequate safeguards.
A GDPR-compliant DPA is available for all customers. Contact us to request one before or during onboarding.
SeaPillar collects operational data required for the custody function. Personal data (captain identity, operator attribution) is limited to what is necessary for the audit trail.
Custody records are retained for the contractual period. Data deletion requests are processed in accordance with GDPR Article 17 and applicable maritime record-keeping requirements.
We provide detailed security documentation and architecture overviews for operators doing formal vendor evaluation. Contact us before or during your review process.