Rovora
IntegrationsPricingFAQBlog
Sign inStart free trial
Legal · Security

Security at Rovora

Fleets trust Rovora with their drivers’ documents and their weekly money. Here is how we protect it — the practices we follow and the architecture behind them.

Last updated 8 June 2026EU-hosted · GDPR-alignedQuestions? privacy@rovora.eu

On this page

Our approachEU hosting and infrastructureEncryptionTenant isolationAccess controlAuditing and monitoringPayment securityBackups and resilienceYour part in keeping data safeIncident responseResponsible disclosure

Our approach

Security is built into how Rovora is designed, not bolted on. We host in the EU, encrypt data in transit and at rest, isolate every fleet’s data from every other fleet, and give operators fine-grained control over who can see what. Below is a plain-English summary of the controls we rely on.

EU hosting and infrastructure

Rovora runs on managed cloud infrastructure located in the European Union, on providers that maintain recognised security certifications (such as ISO 27001 and SOC 2) for their platforms. Keeping data in the EU keeps it within the protections of the GDPR.

Our database, authentication and file storage are provided by Supabase, hosted in the EU. We patch and update our dependencies and platform regularly.

Encryption

  • In transit. All traffic between your browser or the driver app and Rovora is encrypted with TLS (HTTPS). We do not serve the application over unencrypted connections.
  • At rest. Data stored in our database and document storage is encrypted at rest by our infrastructure providers.
  • Passwords. Passwords are never stored in plain text. They are hashed and salted by our authentication layer, so even we cannot read them.

Tenant isolation

Rovora is multi-tenant: many fleets share the platform, but each fleet’s data is logically isolated. Every record is tagged to its organisation, and database-level row-level security policies enforce that a user can only ever read or write data belonging to a fleet they are a member of. This is enforced in the database itself, not just in application code, so one fleet can never see another’s drivers, documents or finances.

Access control

  • Role-based access. Users are owners/admins, staff or drivers, and each role sees only what it needs. Drivers see their own shifts, earnings and documents — not the whole fleet.
  • Per-fleet permissions. Operators can fine-tune what staff members are allowed to do within their fleet.
  • Least privilege internally. Access to production systems is limited to the small number of staff who need it, and is used only to operate and support the Service.

Auditing and monitoring

  • Audit logs. Significant actions inside a fleet are recorded in an audit log, so operators can see who changed what and when.
  • Abuse protection. Sensitive flows such as password resets are rate-limited to defend against brute-force and abuse.
  • Error monitoring. We use Sentry to detect and diagnose faults quickly, configured to avoid capturing unnecessary personal data.

Payment security

All card payments are handled by Stripe, a PCI-DSS Level 1 certified payment provider. Card details are entered directly with Stripe and never touch Rovora’s servers — we only ever store a customer reference and your subscription status.

Backups and resilience

Our database is backed up regularly by our infrastructure provider so that data can be restored in the event of an incident. We rely on managed, highly-available infrastructure to keep the Service running.

Your part in keeping data safe

Security is shared. We ask that you:

  • use a strong, unique password and never share accounts;
  • give each staff member and driver their own login, with the least access they need;
  • remove access promptly when someone leaves; and
  • tell us straight away at security@rovora.eu if you suspect a compromised account.

Incident response

If a personal-data breach occurs that is likely to affect you, we will act promptly to contain it and will notify affected customers and, where required, the relevant supervisory authority (in Malta, the IDPC) within the timelines the GDPR requires.

Responsible disclosure

Found a vulnerability? We welcome reports from security researchers. Please email security@rovora.eu with the details and steps to reproduce, and give us a reasonable time to investigate and fix before disclosing publicly. We will not pursue good-faith research that respects our users’ privacy and avoids data destruction or service disruption.

Rovora

Fleet management for small taxi & cab operators. Drivers, vehicles, shifts and settlements — in one clean dashboard.

Built for taxi & cab fleets of 5–50 vehicles
EU-hosted · data encrypted
Product
FeaturesIntegrationsPricingFAQStart free trialSign in
Features
Vehicle managementMaintenance & servicesDamage & repairsLive driver trackingRosters & shifts
Money & admin
Weekly settlementsFlexible payAdjustmentsFinancials & bookkeepingPlans & billing
Integrations
UberBoltFreeNowStripeRequest an integration
Company
AboutBlogContact usCareersHelp & supportBook a demo

Get fleet tips in your inbox

The occasional product update and operator playbook — no spam.

Subscribe
Free driver appiOS & Android · coming soon
© 2026 Rovora Fleet. All rights reserved.PrivacyTermsSecurityMade for fleets that move.