// Trust & Security Report

    Route App Inc. logo

    Route App Inc.

    Post-purchase platform for e-commerce merchants, providing AI-powered package protection, shipment tracking, and returns/exchanges management. Integrates with Shopify, BigCommerce, Salesforce Commerce Cloud, and other platforms.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    Route successfully completed its first SOC 2 Type 1 audit of the Route platform. The audit was completed through Moss Adams in accordance with SSAE auditing standards developed by the American Institute of Public Accountants (AICPA).

    Verify on route.com
    > Show 5 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of SOC 2 Type 2 audit completion. Homepage and searches reference only Type 1.

    source: route.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found after targeted site searches and general web searches.

    source: route.com
    GDPR
    NOT CONFIRMED

    Homepage displays 'GDPR Compliant' badge but no formal GDPR certification or compliance audit referenced. DPA available, privacy policy exists addressing GDPR data subject rights and processing.

    source: route.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or certification. Route is a post-purchase e-commerce platform, not a healthcare provider or business associate.

    source: route.com
    CCPA/CPRA
    NOT CONFIRMED

    Homepage displays 'CCPA/CPRA Compliant' badge. Privacy policy acknowledges California consumer rights and data handling obligations under CCPA/CPRA but no formal certification or audit referenced.

    source: route.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    AWS (US-based hosting with multi-region availability zones mentioned)

    No public information found regarding whether Route trains its AI models on customer package protection, tracking, or claims data. Privacy policy and DPA do not explicitly address AI training practices. This is a notable gap given the vendor's emphasis on 'AI-powered' solutions on their homepage.

    // Security controls

    Encryption in Transit

    TLS, SSH, or IPSec for sensitive information over untrusted networks

    go.route.com

    Encryption at Rest

    AES encryption with volume-level, object-level, and application-layer encryption for sensitive data

    go.route.com

    Vulnerability Management

    Automated internal and external vulnerability scans minimum monthly; identified vulnerabilities assigned risk scores

    go.route.com

    Penetration Testing

    Annual system penetration tests conducted by external security firm

    go.route.com

    Access Controls

    Production access restricted via firewalls, VPNs, VPCs; physical security controls include proximity badge scanners

    go.route.com

    Backup & Disaster Recovery

    Critical data backed up minimum daily; critical resources deployed across multiple AWS availability zones

    go.route.com

    Responsible Disclosure

    Responsible Disclosure Policy published on merchant help center

    merchants.help.route.com

    // Products & data scope

    Package ProtectionInsurance/Protection

    data: Order data, customer identity, shipping/package information, claims data

    Protects against lost, stolen, or damaged packages; Route handles claim resolution and reimbursement

    Visual TrackingLogistics/Tracking

    data: Package location, carrier data, customer engagement metrics

    Patented visual tracking experience; claims to reduce WISMO tickets by 75%

    Returns & ExchangesFulfillment

    data: Return requests, item details, shipping labels, customer communications

    Claims 42% reduction in refunds, 20% reduction in support tickets

    // What to watch

    • NO-EVIDENCE: No public evidence of ISO 27001 certification. The homepage COMPLIANCE section lists only SOC 2, GDPR, and CCPA/CPRA; Route does not display an ISO 27001 badge or claim the certification anywhere found
    • NO-EVIDENCE: No public evidence of HIPAA compliance. Route is a post-purchase e-commerce platform, not a healthcare provider or business associate; the homepage does not display a HIPAA badge or claim HIPAA anywhere found
    • CERT-AMBIGUITY: Homepage 'GDPR Compliant' and 'CCPA/CPRA Compliant' badges reflect data-handling frameworks, not third-party certifications. Route addresses these obligations (DPA, privacy policy) but no formal certification or audit is referenced
    • MISSING-DETAIL: SOC 2 Type 1 completed but no evidence of progression to Type 2 or current audit status
    • MISSING-DETAIL: AI training practices not disclosed. Given 'AI-powered' positioning and sensitive data (claims, identity verification), lack of transparency on training data usage is a notable gap
    • MISSING-CERT: No ISO 27001, HIPAA, SOC 2 Type 2, or PCI DSS found in public documentation. None of these are claimed by the vendor; their absence is noted, not an over-claim
    • IDENTITY-CONFIRMED: Route.com (route.com domain) confirmed as correct vendor via searches, news articles, and product documentation

    // At a glance

    Pricing model

    SaaS per-merchant; offers cash-back incentive model for shoppers

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Route App Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    route.com

    > Browse all vendor trust reports