SECURITY

Security designed for regulated logistics.

DGM One ships freight-grade audit evidence and the controls procurement teams require — single-tenant options, BYOK, immutable logs, and regulatory data lineage that's unique to dangerous goods.

  • SOC 2 Type II in progress
  • ISO 27001 roadmap
  • GDPR + CCPA
  • HIPAA-ready

SECURITY PILLARS

A control surface designed for regulated logistics.

DGM One ships freight-grade audit evidence and the controls procurement teams require. The dangerous-goods specifics — regulatory data lineage, AI governance for classification — are not bolted on. They're foundational.

Architecture

Multi-tenant by default, single-tenant on request. AWS-hosted with regional isolation (US, EU, APAC). Hardened images, infrastructure-as-code, and minimal blast-radius service boundaries.

Encryption

AES-256 at rest with KMS-managed keys. TLS 1.3 in transit, HSTS preloaded. Customer-managed encryption keys (BYOK) available for single-tenant deployments.

Identity & Access

SSO via SAML 2.0 and OIDC. SCIM 2.0 provisioning. Role-based access control at module + shipment scope. Just-in-time elevation for break-glass operations.

Secure SDLC

PR-required code review, branch protection, signed commits. SAST + DAST + dependency scanning in CI. Quarterly threat modeling, annual third-party pen test.

People & Operations

Background-checked staff, security training on hire and annually. Endpoint MDM, hardware-keyed admin access, principle-of-least-privilege production access.

Incident Response

24/7 on-call, defined SEV scale, customer notification SLAs in the DPA. Post-incident reports published when materially impacted.

Business Continuity

RPO ≤ 1 hour, RTO ≤ 4 hours. Daily encrypted backups with geo-redundant storage. DR tested annually.

Data Residency

Choose US, EU, or APAC residency. EU-only customer data stays in eu-west-1 unless contractually agreed otherwise.

Regulatory Data Lineage

Unique to dangerous goods: every classification, variation, and reference DGR/IMDG/ADR version applied to a shipment is captured in the audit log. Reproduce any historical decision exactly.

AI Governance

Customer data is not used to train base models. Human-in-the-loop required for classification finalization. Model versions, prompts, and inputs/outputs are logged per decision.

Vulnerability Disclosure

Coordinated disclosure program at security.dgmone.com/vdp. Critical issues acknowledged within 24 hours; safe-harbor for researchers.

Audit Logs

Tamper-evident logs with cryptographic chaining. SIEM-friendly export (JSON, CEF). Configurable retention per customer agreement.

DATA RESIDENCY

Choose where your data lives.

EU customers stay in EU-only infrastructure unless you say otherwise. APAC residency available on request.

  • United States: AWS us-east-1 + us-west-2 (primary)
  • European Union: AWS eu-west-1 (Ireland)
  • Asia Pacific: AWS ap-southeast-1 (Singapore) — on request

OPERATIONAL CONTROLS

The list IT and security will ask for.

  • Single-tenant deployments available for enterprise customers
  • AES-256 at rest, TLS 1.3 in transit
  • SSO via SAML 2.0 + OIDC; SCIM 2.0 for provisioning
  • Role-based access control (RBAC) at module + shipment scope
  • Tamper-evident audit logs with cryptographic chain
  • Backups: daily encrypted snapshots, 30-day retention, geo-redundant
  • Customer-managed encryption keys (BYOK) on request
  • Annual third-party penetration testing
  • Quarterly internal access reviews
  • Vulnerability disclosure program at security.dgmone.com/vdp
REPORT A VULNERABILITY

Responsible disclosure welcome.

Found something? Email security@dgmone.com or use our coordinated disclosure program. Critical issues acknowledged within 24 hours. Safe-harbor for good-faith researchers.

GET A WALKTHROUGH

See DGM One on your own shipments.

Bring a real shipper's declaration. We'll show you classification, document generation, and audit export live — in under 30 minutes.