// Trust & Security Report
Route App Inc.
Post-purchase platform for e-commerce merchants, providing AI-powered package protection, shipment tracking, and returns/exchanges management. Integrates with Shopify, BigCommerce, Salesforce Commerce Cloud, and other platforms.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on route.com“Route successfully completed its first SOC 2 Type 1 audit of the Route platform. The audit was completed through Moss Adams in accordance with SSAE auditing standards developed by the American Institute of Public Accountants (AICPA).”
> Show 5 unconfirmed / not-held certifications
source: route.comNo public evidence of SOC 2 Type 2 audit completion. Homepage and searches reference only Type 1.
source: route.comNo public evidence of ISO 27001 certification found after targeted site searches and general web searches.
source: route.comHomepage displays 'GDPR Compliant' badge but no formal GDPR certification or compliance audit referenced. DPA available, privacy policy exists addressing GDPR data subject rights and processing.
source: route.comNo public evidence of HIPAA compliance or certification. Route is a post-purchase e-commerce platform, not a healthcare provider or business associate.
source: route.comHomepage displays 'CCPA/CPRA Compliant' badge. Privacy policy acknowledges California consumer rights and data handling obligations under CCPA/CPRA but no formal certification or audit referenced.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
AWS (US-based hosting with multi-region availability zones mentioned)
No public information found regarding whether Route trains its AI models on customer package protection, tracking, or claims data. Privacy policy and DPA do not explicitly address AI training practices. This is a notable gap given the vendor's emphasis on 'AI-powered' solutions on their homepage.
// Security controls
Encryption in Transit
TLS, SSH, or IPSec for sensitive information over untrusted networks
go.route.comEncryption at Rest
AES encryption with volume-level, object-level, and application-layer encryption for sensitive data
go.route.comVulnerability Management
Automated internal and external vulnerability scans minimum monthly; identified vulnerabilities assigned risk scores
go.route.comAccess Controls
Production access restricted via firewalls, VPNs, VPCs; physical security controls include proximity badge scanners
go.route.comBackup & Disaster Recovery
Critical data backed up minimum daily; critical resources deployed across multiple AWS availability zones
go.route.comResponsible Disclosure
Responsible Disclosure Policy published on merchant help center
merchants.help.route.com// Products & data scope
data: Order data, customer identity, shipping/package information, claims data
Protects against lost, stolen, or damaged packages; Route handles claim resolution and reimbursement
data: Package location, carrier data, customer engagement metrics
Patented visual tracking experience; claims to reduce WISMO tickets by 75%
data: Return requests, item details, shipping labels, customer communications
Claims 42% reduction in refunds, 20% reduction in support tickets
// What to watch
- NO-EVIDENCE: No public evidence of ISO 27001 certification. The homepage COMPLIANCE section lists only SOC 2, GDPR, and CCPA/CPRA; Route does not display an ISO 27001 badge or claim the certification anywhere found
- NO-EVIDENCE: No public evidence of HIPAA compliance. Route is a post-purchase e-commerce platform, not a healthcare provider or business associate; the homepage does not display a HIPAA badge or claim HIPAA anywhere found
- CERT-AMBIGUITY: Homepage 'GDPR Compliant' and 'CCPA/CPRA Compliant' badges reflect data-handling frameworks, not third-party certifications. Route addresses these obligations (DPA, privacy policy) but no formal certification or audit is referenced
- MISSING-DETAIL: SOC 2 Type 1 completed but no evidence of progression to Type 2 or current audit status
- MISSING-DETAIL: AI training practices not disclosed. Given 'AI-powered' positioning and sensitive data (claims, identity verification), lack of transparency on training data usage is a notable gap
- MISSING-CERT: No ISO 27001, HIPAA, SOC 2 Type 2, or PCI DSS found in public documentation. None of these are claimed by the vendor; their absence is noted, not an over-claim
- IDENTITY-CONFIRMED: Route.com (route.com domain) confirmed as correct vendor via searches, news articles, and product documentation
// At a glance
Pricing model
SaaS per-merchant; offers cash-back incentive model for shoppers
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Route App Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
route.com