AI your managerscan trust.
SOC 2 Type II audited. Hosted on Google Cloud Platform. Continuously monitored by Vanta. Every action requires manager approval and lives in an exportable audit trail.
View the live Trust CenterThree things that make Vehicle AIsafe to bring into your store.
Show the work
Every recommendation cites the source data behind it: the comps, the history, the market feeds, the dealer rules. Click any insight to see the math. We never ask managers to trust an answer they can't audit.
Human in the loop
v.Agents prepare work — they don't act on it. Repricing queues, customer outreach lists, service follow-ups: every action waits for manager approval. No autonomous writes to your DMS or CRM without sign-off.
Audit trail on every action
Every recommendation Vehicle AI made, every action your team approved or rejected, every write to a connected system — all captured, timestamped, attributable, and exportable.
SOC 2 Type II report available on request.
Vehicle AI maintains a SOC 2 Type II posture audited against > 50 controls across infrastructure, organizational, product, internal, and data-privacy categories. The full report is available behind the Trust Center's request-access gate — share it with your security team for review.
50+ audited controls acrossfive governance categories.
The full live inventory of controls — with status and last-verified timestamps — lives on the Trust Center, updated hourly by Vanta.
Infrastructure security
21 controls
- Unique production database authentication enforced
- Encryption key access restricted
- Production OS and network access restricted
- Firewall access restricted
- Access revoked upon termination
Organizational security
13 controls
- Employee background checks performed
- Anti-malware technology utilized
- Confidentiality Agreement acknowledged by employees and contractors
- Password policy enforced
- Production inventory maintained
Product security
- Penetration testing performed
- Data transmission encrypted
- Vulnerability and system monitoring procedures established
- Control self-assessments conducted
Internal security procedures
- Incident response policy documented
- Vendor risk management procedures
- Change management for production systems
- Business continuity and disaster recovery
Data and privacy
- Customer data segregation enforced
- Data retention and disposal procedures
- Privacy policy documented and reviewed
- Right-to-delete procedures supported
How your dealership data isstored, encrypted, and monitored.
Where your data lives
- Hosted on Google Cloud Platform in US regions
- Tenant isolation: your dealership's data is logically separated, never co-mingled with other dealers
- Backups encrypted at rest, retention configured per your data retention policy
Encryption
- TLS 1.3 for all data in transit
- AES-256 for data at rest on Google Cloud Platform
- Privileged access to encryption keys restricted to authorized users with business need
Authentication and access
- SSO via Google Workspace; OAuth 2.0 with PKCE for integrated providers
- Unique account authentication enforced across all systems and applications
- Production application, database, and OS access restricted to authorized users
Continuous monitoring
- Vanta runs continuous compliance monitoring across our infrastructure and policies
- Control status visible in real time on the Trust Center (updated hourly)
- Penetration testing performed; vulnerability monitoring procedures established
Who can connect what, and who sees the result.
Vehicle AI distinguishes between user-scoped and dealership-scoped integrations.
User-scoped connections (like Gmail or Outlook) are owned by the individual. The user authorizes the integration; only they can read or send through it. Other users in the dealership cannot see the messages or use the credentials.
Dealership-scoped connections (like DMS, CRM, MarketCheck) are authorized by an admin and serve the whole store. Read access is controlled by role. Write access requires explicit manager approval at the action level — there is no blanket "let v.Agent write to DMS" toggle.
Every integration starts read-only. Write scopes are requested per action — when you turn on the "Approved Reprice → DMS" action, that's when the write scope is granted, scoped to that specific operation.
The vendors that process Vehicle AI data.
We keep this list short and current. Adding a new subprocessor requires internal security review and is published here when it goes live.
Google Cloud Platform
cloud.google.com
Cloud infrastructure provider — hosts all production workloads and customer data in US regions.
Google Workspace
admin.google.com
Identity provider — SSO and authentication for Vehicle AI team and integrated customer accounts.
Vercel
vercel.com
Engineering platform — front-end deployment and edge serving.
Vanta
vanta.com
Continuous security and compliance monitoring — powers the live Trust Center and SOC 2 controls.
GitHub
github.com
Version control and code review for the Vehicle AI platform.
Walk through our security posture with the team.
We'll share the SOC 2 Type II report, walk through tenant isolation and audit logging on a live Command Center, and answer any security or compliance question you have.