ParcelPilot
  • Home
  • Features
  • About
  • Pricing
  • Integrations
  • Contact
  • Blog
Login Request a demo

Security Overview

Last reviewed: 14 July 2026.

Purpose

This page provides a high-level overview of how Parcel Pilot helps protect customer information and operates the service securely.

It is intended to explain our approach in plain English for customers, prospective customers, reviewers, and partners. Security practices continue to evolve, no control eliminates all risk, and this page is a general overview rather than a contractual service-level commitment or certification statement.

Security principles

Parcel Pilot is designed and operated around a set of practical security principles, including:

  • authenticated access to application features
  • role-based permissions and application-level access checks
  • tenant and client separation within a multi-tenant platform
  • audit logging for important authentication, administrative, and operational actions
  • protected storage for application-managed secrets
  • privacy, retention, and deletion workflows that support customer and legal obligations

These controls are intended to support secure day-to-day operation of the service while helping customers manage their own compliance and operational responsibilities.

Shared responsibility model

Parcel Pilot is responsible for the security of the platform, including core application controls such as authentication, access control, tenant-aware scoping, audit logging, secret protection, and retention tooling.

Customers remain responsible for the users they authorise, the permissions they assign, the data they submit, the lawful use of that data, the connected services they choose to enable, and the review of their own operational, fulfilment, billing, shipping, and integration outcomes.

Authentication

Parcel Pilot uses authenticated access for administrative and operational routes.

Current authentication controls include:

  • password-based authentication
  • password reset flows
  • email verification where applicable
  • temporary login throttling after repeated failed sign-in attempts
  • authenticated access requirements on protected routes such as admin, billing, and operational pages

Parcel Pilot also records selected authentication events, including successful and failed sign-ins, sign-outs, and temporary login lockouts.

Role-based access and tenant isolation

Parcel Pilot uses role-based permissions and application-level access checks.

Access to administrative and protected functions is limited by the current user's role and, where relevant, by tenant or client context.

Parcel Pilot is a multi-tenant platform. Access to operational data is scoped by tenant and, where relevant, by client. In practice, this helps limit users to the organisations and customer accounts they are authorised to access.

Where appropriate, users can also be locked to a specific client context.

Encryption in transit

Parcel Pilot's public service is delivered over HTTPS to help protect information transmitted between users, Parcel Pilot, and connected services.

Session and consent-related cookies are configured to support secure browser handling, including HTTP-only protections where appropriate and same-site controls intended to reduce cross-site abuse.

Like any internet-connected service, no method of transmission or network storage is completely risk-free.

Encryption at rest and secret management

Parcel Pilot protects several categories of application-managed secrets at rest where they need to remain recoverable by the application.

This includes:

  • encrypted ecommerce and marketplace integration credentials
  • encrypted accounting integration credentials and refresh-token fields
  • encrypted carrier credential payloads
  • encrypted outbound webhook secrets
  • encrypted public-access token material where a separate lookup value is used
  • hashed user passwords

Ecommerce, marketplace, accounting, and carrier credentials managed by Parcel Pilot are encrypted at rest where they need to remain recoverable by the application. User passwords are hashed rather than encrypted.

Where secure lookup is required, Parcel Pilot uses patterns such as hashing or separating lookup identifiers from protected secret values.

This overview does not claim that every database field, file, or infrastructure disk is encrypted at rest in every environment.

Password security

User passwords are hashed at rest.

Password rules enforced by the application require:

  • a minimum length of 12 characters
  • mixed case
  • numbers
  • symbols
  • compromised-password screening through Laravel's password rule support

Login attempts are rate limited to reduce repeated password-guessing attempts.

Parcel Pilot does not currently require multi-factor authentication for every user account, and it does not universally enforce password expiry or scheduled password rotation.

Audit logging

Parcel Pilot includes structured audit logging for selected authentication, administrative, and operational events.

Audit records can include tenant, client, actor, request, IP, and user-agent metadata where relevant to the event being recorded.

Secret-bearing fields are redacted before data is written to the audit trail.

Integration activity is also tracked separately for inbound and outbound processing. These records store metadata and payload hashes rather than full raw payload copies by default.

File and document security

Client Discovery documents are stored outside the publicly accessible web directory and are delivered through controlled application routes.

Backups and recovery

Parcel Pilot maintains backup and recovery procedures intended to support service restoration and continuity.

Backup retention and recovery arrangements may vary by environment and service configuration.

This overview does not publish exact backup frequencies, restore-time targets, recovery-point targets, or service continuity guarantees.

Data retention and deletion

Parcel Pilot includes retention and deletion support for different data types and workflows.

Examples include:

  • order anonymisation workflows
  • scheduled deletion workflows
  • targeted redaction for retained Amazon recipient personal data
  • consent-cookie expiry controls
  • protected lookup patterns for selected public-access workflows

Retention periods and deletion timing can vary depending on the feature, customer workflow, legal obligations, and service configuration.

Customers remain responsible for applying appropriate retention policies to the data they place into the platform and for meeting their own legal obligations.

Privacy and data protection

Parcel Pilot supports privacy-related workflows and customer data-management processes across the service.

This includes:

  • controller and processor responsibilities depending on the service context
  • Shopify GDPR webhook handling
  • retention and deletion support for relevant workflows
  • consent-gated public analytics on marketing and other public layouts
  • tokenised public workflows that use protected lookup patterns

For more detail, see our Privacy Policy and Cookie Policy.

Infrastructure and hosting

Parcel Pilot's primary production application is currently hosted on dedicated infrastructure in the United Kingdom.

Some specialist service providers and customer-selected integrations may process information in other locations where required to provide their services or where chosen by the customer.

While our current production hosting is UK-based, we do not guarantee that every present or future deployment or every third-party provider will process data exclusively within the United Kingdom.

Third-party providers

Parcel Pilot uses selected third-party providers to support areas such as hosting, billing, email delivery, analytics, and integration connectivity.

These providers are distinct from customer-selected connected services that a customer may choose to enable as part of their own commerce, carrier, accounting, or operational workflows.

For more detail, see our Subprocessors page.

Responsible disclosure

Security concerns can currently be reported to support@parcelpilot.co.uk. We review credible reports and take appropriate action based on their nature and severity.

Security contact

Security questions or reports can be sent to support@parcelpilot.co.uk.

Document information

  • Document: Security Overview
  • Owner: InsideOut Ideas Limited
  • Applies to: Parcel Pilot website and software platform
  • Jurisdiction: England and Wales
  • Last reviewed: 14 July 2026
ParcelPilot

ParcelPilot is a modern 3PL platform for warehousing, picking, shipping, billing, and integrations.

Company

  • About
  • Pricing
  • Integrations overview
  • Ecommerce integrations
  • Carrier integrations
  • Blog
  • Contact
  • Help Centre

Legal

  • Terms and Conditions
  • Privacy Policy
  • Cookie Policy
  • Security Overview
  • Subprocessors

© 2026 ParcelPilot. All rights reserved.

ParcelPilot is owned by InsideOut Ideas Limited.

Your cookie choices

We use essential cookies to keep Parcel Pilot secure and working. With your permission, we also use analytics cookies to understand how visitors use our website and improve it. Read our Cookie Policy.

Cookie preferences

Choose whether Parcel Pilot can use analytics cookies on public pages. Essential cookies stay on because they keep the site secure and working properly.

Essential cookies

These cookies support security, sessions, form protection, and core site functionality. They are always enabled and cannot be switched off here.

Analytics cookies

Google Analytics is used to understand how visitors use the public website so we can improve it. Analytics cookies stay off unless you turn them on.