Security & Trust

Built so the most paranoid person on the team can approve it.

We treat data security as a product feature, not a compliance checkbox. Here’s how it works.

Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Customer-managed keys available on Enterprise.
Tenant isolation
Every row tagged with a tenant_id, every query gated by JWT-scoped row-level security policies. No cross-tenant data leakage by design.
SOC 2 trajectory
Pursuing SOC 2 Type 2. We’ll share progress and controls under NDA when requested.
Signed webhooks
HMAC-SHA-256 signatures on every webhook, with replay-protection nonces and configurable rotation.
SSO + RBAC
Google Workspace, Microsoft, Okta, generic SAML. Role-based access control with custom roles on Enterprise.
Audit log
Every write action logged, tamper-evident, exportable to your SIEM (Splunk, Datadog, S3).
Backups & DR
Continuous WAL replication via Supabase. Geographically separated backups. Recovery procedures tested.
Global edge with US data
Edge-served via Vercel, data stored in the US. EU-resident option available on request.
Vulnerability management
Dependabot for supply-chain monitoring. Open vulnerability disclosure via security.txt.
Privacy by design
Minimum-data collection. Customer data is yours, never trained on, never sold.
How we think about it

The three rules we’ve never broken.

No customer data exfiltration. Ever. No tenant data crossing tenant boundaries. Ever. No production access without a logged, approved reason.

01

Defense in depth

Six independent layers: auth, tenant scoping, RLS, allow-list policies, runtime guards, and audit. Any one breaking shouldn’t leak data.

02

Least privilege, by default

Engineers don’t have production data access. Admin actions require break-glass approval, logged, alerted, time-bounded.

03

Trust through verification

Pen-tests, bug bounty, audit log, public status page, signed webhooks. Everything we say can be verified.

Common questions

Security questions, answered.

How does tenant isolation actually work?
Every row in every table carries a tenant_id column. Postgres row-level security policies enforce that any query made by a user can only return rows where tenant_id matches the requesting user’s JWT. Bypassing this requires bypassing both the application and the database, in that order.
Where is data stored?
Production data is stored in US East with continuous replication to a second US region for disaster recovery. EU and APAC residency are available for enterprise customers; ask sales.
Do you have a SOC 2 report?
We’re in the middle of a Type 2 audit window. Until the report is issued, we share point-in-time control evidence under NDA.
How do you handle vulnerabilities reported externally?
We accept reports at security@gogoengine.com or via /.well-known/security.txt. Triaged within 24 hours. Critical CVEs patched within 72 hours; everything else within 14 days.
What happens if I delete my data?
Customer-initiated deletes mark data for hard deletion within 35 days. Backups containing deleted data are purged on the same schedule.
Can I bring my own keys?
Yes, on Scale plans we support customer-managed encryption keys via AWS KMS or GCP KMS.
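
The tenant isolation answer above describes a tenant_id column checked against the user's JWT by Postgres row-level security. The sketch below is an added example of that pattern, not this vendor's schema or policies. It assumes a hypothetical `invoices` table, an `app_user` role, a `current_tenant_id()` helper, and verified JWT claims exposed in the `request.jwt.claims` setting (the PostgREST convention); the UUIDs are constructed.

```sql
-- Added example; table, role and helper names are assumptions.
CREATE TABLE invoices (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid NOT NULL,
    amount    numeric(12,2) NOT NULL
);

-- Assumption: the API layer verifies the JWT and stores its claims as JSON in
-- request.jwt.claims. A missing or empty setting yields NULL, and a NULL
-- comparison in the policy matches no row, so the policy fails closed.
CREATE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT (NULLIF(current_setting('request.jwt.claims', true), '')::jsonb
            ->> 'tenant_id')::uuid
$$;

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from its own policies.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted;
-- WITH CHECK rejects inserted or updated rows carrying another tenant's id.
CREATE POLICY tenant_isolation ON invoices
    FOR ALL
    USING (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- Application connections must use a role without SUPERUSER or BYPASSRLS,
-- because both attributes skip row-level security entirely.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON invoices TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
-- Request from tenant B (constructed id): its own row is accepted.
SELECT set_config('request.jwt.claims',
    '{"tenant_id":"22222222-2222-2222-2222-222222222222"}', true);
INSERT INTO invoices (tenant_id, amount)
    VALUES ('22222222-2222-2222-2222-222222222222', 50.00);
-- Request from tenant A: the policy hides tenant B's row from this SELECT.
SELECT set_config('request.jwt.claims',
    '{"tenant_id":"11111111-1111-1111-1111-111111111111"}', true);
SELECT tenant_id, amount FROM invoices;
-- Tenant A writing a row tagged for tenant B violates WITH CHECK and errors.
INSERT INTO invoices (tenant_id, amount)
    VALUES ('22222222-2222-2222-2222-222222222222', 75.00);
ROLLBACK;
```

When reviewing a deployment of this pattern, check that every tenant table has both a policy and `FORCE ROW LEVEL SECURITY`, and that no application credential maps to a role with `BYPASSRLS`.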