FMCSA registered third-party filer
Registration in progress
The credential that makes "filed directly with FMCSA" literally true.
Cypress is registering directly with FMCSA as a third-party filer so every URS, BOC-3, MCS-150, and UCR filing goes to the regulator on our credential — not resold through a wholesale aggregator. The moment the credential lands, this page surfaces the registration ID and the date of issue.
21-day vetting-window guarantee
Every authority filing has a 21-day FMCSA vetting deadline. Cypress's portal counts down to that deadline on a tightening cadence — T-21, T-14, T-10, T-5, T-2, T-0 — and the SAFER poller converges 24h → 6h → 1h as T-0 approaches. If a required document is missing, the alarm fires while there's still time to fix it.
The mechanism
SAFER poller cadence converges 24h → 6h → 1h. Six fixed ticks at T-21 / T-14 / T-10 / T-5 / T-2 / T-0. BOC-3 name-match guard runs byte-identical legal_name comparison end-to-end so the filing never goes to the wire with a mismatched entity name.
Refund on NOT_AUTHORIZED
If FMCSA marks your authority NOT_AUTHORIZED at the end of vetting, Cypress refunds your service fee. The refund covers what we charged for the work — every pass-through government fee was already paid to a regulator at cost and is not refundable from the regulator's side. We disclose both halves up front so there are no surprises.
The mechanism
Refund engine triggers on NOT_AUTHORIZED at T-0. Service-fee rows (passthrough=false in the ledger) are refunded automatically; pass-through rows (passthrough=true) carry the regulator's no-refund disclosure on the receipt at the moment of payment.
Pass-through honesty pledge
Every government fee is shown itemized on your receipt with a tooltip that names the regulator collecting it. We never mark up a pass-through. We never relabel a government fee as a Cypress requirement. Our service fee is the only line we charge for; the rest goes to the agency at the price the agency charges.
The mechanism
Line-item ledger model enforces a NOT-NULL boolean passthrough flag on every money row. Receipts render pass-through rows separately from service rows and disclose the receiving regulator inline. Pricing engine rejects any draft that hides a pass-through inside a Cypress-labeled bundle.
ADR-CP-002 · CP-043
FMCSA
Registered third-party filer (direct to the regulator)
Cypress files directly with FMCSA — not through a wholesale resale layer. USDOT, MC, BOC-3, UCR, MCS-150 all post to the regulator on Cypress's own filer credential. No intermediary holds your data; no aggregator marks up the government fee.
The mechanism
Adapters in lib/integrations/<vendor>/ ride a *_MODE env flag. Production mode flips only when the regulator-side credential is live; stub mode never ships to a paying customer. The customer-facing visibility constants gate the marketing surface from any stubbed adapter.
Affiliation disclosed; parent never surfaced
Cypress Authority Services LLC is affiliated with Dispatch Rail Logistics LLC and Northridge Risk Group LLC. Sharing your information with one affiliated company does not automatically share it with another. The Cypress→Northridge insurance hand-off only fires when you click it. The Cypress→Dispatch Rail dispatching hand-off works the same way. The parent organization is not customer-facing.
The mechanism
Customer record IDs are namespaced per brand. Cross-brand record-sharing requires an explicit consent event, captured in the audit log with timestamp, IP, and the exact opt-in copy presented. See /affiliations for the full list.
Data security posture
AES
SSN, ITIN, and EIN encrypted at rest; every access logged
Personally identifying numbers — SSN for sole-prop authority, ITIN for non-citizen owners, EIN for the entity — are encrypted at rest with AES-256 and are never visible in admin tooling. Every read of a PII field writes an entry to the access log; the customer can request the access record for their own file at any time.
The mechanism
Field-level encryption on PII columns in the ledger DB. KMS-backed key rotation. Application-layer access policy denies bulk PII export; the only legitimate read path is the per-customer detail view, and each view writes to an immutable audit table.
Read the architecture
Cypress's architecture-decision records — ADR-CY-004 on pass-through fees, ADR-CY-005 on
the vetting-window guarantee, ADR-CP-004 on affiliation disclosure — are the source of
truth for what we built and why. They're available to our customers on request.