Security & Subprocessors
Last updated: June 8, 2026
AutoDealer.io is designed for multi-tenant dealership operations that include customer, deal, document, billing, and website data.
This overview summarizes current security practices. It is not a certification, audit report, warranty, or substitute for a dealership's own Safeguards Rule program, risk assessment, vendor review, incident response, insurance, employee training, device security, or legal obligations. No security program can guarantee that unauthorized access, data loss, service interruption, or misuse will never occur.
Platform safeguards
- Tenant isolation: dealer-scoped records are separated by dealer ID and protected by application authorization and PostgreSQL row-level security.
- Role-based access: users receive roles and permissions that limit access to dealership functions and data.
- Authentication controls: the platform supports secure password handling, email verification, MFA, recovery codes, session invalidation, and account deactivation workflows.
- Audit trails: important administrative, user, AI, billing, support, and record-changing actions are logged for review.
- Encryption: traffic is encrypted in transit. Selected sensitive fields, such as MFA secrets and configured PII fields, are encrypted at rest at the application layer.
- Secure file handling: direct-upload flows verify ownership before issuing upload URLs, and stored files are categorized by sensitivity.
- Observability controls: diagnostic tooling is configured to avoid automatically attaching cookies, headers, and known sensitive fields where practical.
- AI boundaries: public AI tools are limited to public dealer website data and published inventory; dealer AI write actions use proposal and approval workflows.
Infrastructure providers
The Service uses established providers for hosting, database, storage, CDN, billing, email, AI, monitoring, and job orchestration. Some providers are used across the core platform. Others are used only when a feature is configured, enabled, or deployed in a particular environment. We are not responsible for a provider or integration outside our reasonable control except to the extent expressly required by a written agreement with you.
| Provider | Purpose | Data categories |
|---|---|---|
| Vercel | Application hosting, deployment, edge delivery | Account, usage, logs, hosted website traffic |
| Neon | PostgreSQL database hosting | Application records and tenant data |
| Cloudflare | Images, R2 object storage, CDN, DNS, security services | Files, vehicle photos, website assets, traffic metadata |
| Stripe | Subscription billing, checkout, invoices, payment method handling | Billing contacts, subscription data, payment metadata |
| Resend | Transactional email delivery | Email addresses, message metadata, message content |
| Anthropic | AI model processing for dealer and public AI features | Prompts, scoped context, tool results, outputs |
| Google Maps Platform | Places, maps, address/location enrichment | Location and query data |
| NHTSA vPIC | VIN decoding and vehicle data enrichment | VINs submitted for decoding |
| Sentry | Error monitoring and diagnostics | Error events, scrubbed diagnostics, device and usage metadata |
| PostHog | Product analytics when configured | Usage events, device and session metadata |
| Axiom | Logging and operational observability when configured | Application logs and operational metadata |
| Better Stack | Log monitoring and incident alerting when configured | Application logs and operational metadata |
| Inngest | Background job orchestration when configured | Job payload metadata needed to run workflows |
Optional and dealer-enabled integrations
| Provider or category | Purpose |
|---|---|
| Meta / Facebook | Marketplace catalog sync, OAuth, webhooks, and vehicle listing distribution |
| Marketplace feed destinations | Dealer-enabled inventory feed distribution to configured marketplaces |
| Future communications providers | SMS or voice features if enabled by a dealer and released by AutoDealer.io |
Dealers may add custom website code, analytics tags, pixels, or integrations to their hosted websites. Those dealer-selected providers are not AutoDealer.io subprocessors unless we contract with them to provide the core Service. We may update this provider list as providers, features, or infrastructure change.
Dealer responsibilities
Dealerships are responsible for their own security program and operational controls, including:
- selecting a Qualified Individual and maintaining a written information security program where required;
- training employees, assigning least-privilege roles, and promptly removing inactive users;
- protecting devices, email accounts, browsers, networks, passwords, and MFA factors;
- reviewing third-party integrations, custom scripts, marketplace settings, and website tracking tools;
- providing required privacy notices, customer consents, vendor oversight, and incident response procedures.
Security reports
If you believe you have found a vulnerability or identified a security incident involving AutoDealer.io, email info@autodealer.io with a description, affected URLs, reproduction steps, and impact. Do not access, modify, delete, or disclose data that does not belong to you.
Incident notification
We will notify affected customers after confirming a security incident involving their data, unless prohibited by law. Notice timing, content, and method may depend on the incident, the facts available, law enforcement needs, and applicable agreements.