AutoVizerz was designed with enterprise-grade security from day one — not bolted on after the fact. Every dealership that runs on our platform inherits a security posture that meets the highest standards in automotive, financial services, and data privacy.
Measurable commitments, not marketing language. Every metric below is contractually backed.
Third-party audits and independent certifications validate what we promise. Our compliance posture is not self-reported — it is externally verified.
AutoVizerz undergoes annual SOC 2 Type II audits covering all five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Reports available to enterprise customers under NDA.
As a platform handling consumer financial data in F&I transactions, AutoVizerz fully complies with GLBA Safeguards Rule requirements — including administrative, technical, and physical safeguards for nonpublic personal financial information.
Full data subject rights management — access, deletion, portability, and opt-out — built into the platform architecture. Data Processing Agreements (DPAs) available for all customers. Cross-border transfer mechanisms documented.
Payment processing flows within AutoVizerz are scoped and isolated per PCI DSS requirements. Cardholder data never touches the AutoVizerz application layer — all payment tokenization is handled by certified PCI DSS Level 1 processors.
AutoVizerz maintains a continuously updated regulatory matrix covering all 50 states — titling requirements, dealer licensing rules, Red Flag Rule compliance, OFAC screening, and state-specific F&I disclosure requirements are embedded natively in every transaction.
External penetration tests are conducted at minimum annually by certified third-party firms using OWASP, PTES, and NIST frameworks. Critical and high findings are remediated within 30 days. Summaries available to enterprise customers.
Security is not a single feature — it is an architectural discipline. AutoVizerz enforces protection at every level of the data lifecycle.
All data stored within AutoVizerz is encrypted using AES-256 at rest. All data transmitted between your browser, mobile devices, and our infrastructure uses TLS 1.3 — the most current and secure transport protocol available. Older TLS versions (1.0, 1.1) and all SSL variants are disabled and rejected at the load balancer level.
Every dealership and dealer group operates in a logically isolated tenant environment. Database schemas, storage buckets, and API access are scoped per tenant by design — not by access control rules alone. A misconfiguration in one tenant's permissions cannot expose another tenant's data.
Automated backups run continuously with point-in-time recovery (PITR) available for up to 35 days. All critical data is replicated synchronously across two geographically separate availability zones. Full disaster recovery tests are conducted quarterly with documented RTO of < 4 hours and RPO of < 4 hours.
Retention policies are configurable per data type within regulatory minimums. Upon contract termination, customer data is cryptographically erased within 30 days using NIST 800-88 compliant methods. A signed Certificate of Destruction is provided upon request. AutoVizerz never retains dealership operational data beyond contractual terms.
AutoVizerz enforces a zero-trust, least-privilege access model across every role, department, and dealership location.
Granular permissions are defined by role — not by individual user configuration. A service technician cannot see F&I gross profit. A salesperson cannot view customer credit applications. Finance managers cannot modify service repair orders. Permissions are enforced at the API layer, not just the UI.
MFA is enforced for all user accounts — it cannot be disabled by dealership administrators. Supported second factors include TOTP authenticator apps (Google Authenticator, Authy), hardware security keys (FIDO2/WebAuthn), and SMS as a fallback for non-sensitive roles.
Enterprise customers can federate identity via SAML 2.0 or OpenID Connect (OIDC) — connecting AutoVizerz to their existing identity provider (Microsoft Entra ID, Okta, Google Workspace). Employee offboarding in your IdP immediately revokes all AutoVizerz access.
Administrator accounts can optionally restrict access to approved IP ranges or geographic regions. Suspicious login attempts from unrecognized devices or locations trigger step-up authentication challenges and security team alerts automatically.
Sessions are time-limited with configurable idle timeouts (default: 30 minutes). All sessions are cryptographically signed with short-lived JWT tokens. Concurrent session limits are enforced per role. Administrative sessions require re-authentication for sensitive operations.
AutoVizerz internal engineers access production systems only through a dedicated privileged access workstation (PAW) environment with just-in-time (JIT) provisioning. Zero standing admin access to production data. All privileged sessions are recorded and reviewed.
AutoVizerz runs on enterprise-grade cloud infrastructure with defense-in-depth implemented at the network, compute, and application levels.
AutoVizerz is the only DMS built by someone who ran a dealership and lived through compliance failures firsthand. Every regulatory requirement is embedded as a workflow constraint — not a checklist to remember.
AutoVizerz maintains a complete, tamper-evident record of every action taken within the platform — providing the accountability layer that regulators, auditors, and owners demand.
Every create, read, update, and delete operation — including who performed it, from what IP address and device, and the exact timestamp — is recorded in an append-only log that cannot be altered, even by system administrators.
Every vehicle deal has a complete chain-of-custody log from first contact through title transfer and funding. Every number change, every signature, every approval — attributed to a specific employee with a timestamp. Perfect for audits, disputes, and compliance reviews.
Unusual patterns — large data exports, bulk record access outside normal hours, repeated failed authentications, permission escalation attempts — trigger real-time alerts to dealership administrators and the AutoVizerz security team simultaneously.
Audit reports can be generated and exported in multiple formats (PDF, CSV, JSON) for any time period, department, or user. Reports meet the format requirements of federal and state regulatory examination procedures.
Online audit logs are retained for 12 months for immediate access. Archival retention extends to 7 years to meet automotive industry regulatory requirements. All archived logs remain searchable and exportable.
Each audit log entry is cryptographically chained to the previous entry using hash-linking. Any tampering with a historical log entry is immediately detectable by verifying the chain — providing forensic-grade evidence integrity.
Security incidents happen to every organization. What separates trustworthy vendors from untrustworthy ones is whether they have a practiced, transparent response process.
Automated alerting from SIEM, WAF, runtime security, and anomaly detection notifies the security team in real-time. On-call security engineers are paged within 5 minutes of a P1 alert 24/7/365.
Affected systems are isolated immediately. Compromised credentials are revoked. Traffic from suspicious sources is blocked. The scope of the incident is bounded before investigation begins.
If a security incident has the potential to affect customer data, affected dealerships are notified within 72 hours per GDPR requirements — and typically within 24 hours in practice. Notifications include scope, potential impact, and steps taken.
Root cause is identified and eliminated. Systems are restored from known-good state. All restoration steps are documented. Customers are updated throughout the process via a dedicated status page.
Every P1 and P2 incident is followed by a formal post-mortem within 5 business days. Findings and remediation steps are shared with affected customers. Systemic fixes are tracked to completion.
AutoVizerz has a clear and absolute position on data privacy: dealership data and consumer data processed through our platform belongs exclusively to our customers.
AutoVizerz does not sell, rent, license, or provide dealership operational data or consumer personally identifiable information (PII) to any third party for commercial purposes. This is a contractual commitment, not a policy that can change without notice.
AutoVizerz AI models that serve your dealership are trained on aggregated, de-identified operational data only when explicitly permitted by the customer. Your deal structures, customer lists, and pricing strategies are never used to train shared models.
A comprehensive DPA is available and executed with every customer. The DPA defines the categories of data processed, the purposes of processing, sub-processor relationships, and the rights and obligations of both parties under GDPR and CCPA.
AutoVizerz provides built-in tools for dealers to respond to consumer DSR requests — access, deletion, portability, and correction — within the regulatory timeframes required by CCPA (45 days) and GDPR (30 days).
A complete list of all third-party sub-processors (cloud providers, analytics tools, communication services) is maintained and provided to customers. Changes to the sub-processor list are communicated 30 days in advance.
Data residency options are available for customers with geographic data sovereignty requirements. Standard Contractual Clauses (SCCs) are in place for any cross-border transfers. Data is not transferred to jurisdictions without adequate protection.
Technical controls only go so far. AutoVizerz invests as heavily in security culture, training, and process discipline as it does in technology.
All AutoVizerz employees complete security awareness training upon hire and annually thereafter. Phishing simulation exercises are conducted quarterly. Employees who fail phishing tests receive immediate remediation training.
All employees with access to production systems or customer data undergo background screening prior to hire. Contractors with data access are subject to the same screening requirements and sign comprehensive data handling agreements.
A comprehensive security policy library — including acceptable use, data classification, incident response, change management, and vendor risk management — is maintained, reviewed annually, and acknowledged by all employees.
Critical operational tasks require separation of duties. No single engineer can independently deploy code to production, access production data, and modify audit logs. Four-eyes principles are enforced for all sensitive operations.
Our security team is available to answer detailed questions, provide our SOC 2 Type II report (under NDA), review architecture diagrams, and participate in your vendor security assessment process.