VEHICLEAI
Security

AI your managerscan trust.

SOC 2 Type II audited. Hosted on Google Cloud Platform. Continuously monitored by Vanta. Every action requires manager approval and lives in an exportable audit trail.

View the live Trust Center
Product Trust

Three things that make Vehicle AIsafe to bring into your store.

Show the work

Every recommendation cites the source data behind it: the comps, the history, the market feeds, the dealer rules. Click any insight to see the math. We never ask managers to trust an answer they can't audit.

Human in the loop

v.Agents prepare work — they don't act on it. Repricing queues, customer outreach lists, service follow-ups: every action waits for manager approval. No autonomous writes to your DMS or CRM without sign-off.

Audit trail on every action

Every recommendation Vehicle AI made, every action your team approved or rejected, every write to a connected system — all captured, timestamped, attributable, and exportable.

Compliance

SOC 2 Type II report available on request.

Vehicle AI maintains a SOC 2 Type II posture audited against > 50 controls across infrastructure, organizational, product, internal, and data-privacy categories. The full report is available behind the Trust Center's request-access gate — share it with your security team for review.

Controls

50+ audited controls acrossfive governance categories.

The full live inventory of controls — with status and last-verified timestamps — lives on the Trust Center, updated hourly by Vanta.

Infrastructure security

21 controls

  • Unique production database authentication enforced
  • Encryption key access restricted
  • Production OS and network access restricted
  • Firewall access restricted
  • Access revoked upon termination

Organizational security

13 controls

  • Employee background checks performed
  • Anti-malware technology utilized
  • Confidentiality Agreement acknowledged by employees and contractors
  • Password policy enforced
  • Production inventory maintained

Product security

  • Penetration testing performed
  • Data transmission encrypted
  • Vulnerability and system monitoring procedures established
  • Control self-assessments conducted

Internal security procedures

  • Incident response policy documented
  • Vendor risk management procedures
  • Change management for production systems
  • Business continuity and disaster recovery

Data and privacy

  • Customer data segregation enforced
  • Data retention and disposal procedures
  • Privacy policy documented and reviewed
  • Right-to-delete procedures supported
Data Handling

How your dealership data isstored, encrypted, and monitored.

Where your data lives

  • Hosted on Google Cloud Platform in US regions
  • Tenant isolation: your dealership's data is logically separated, never co-mingled with other dealers
  • Backups encrypted at rest, retention configured per your data retention policy

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 for data at rest on Google Cloud Platform
  • Privileged access to encryption keys restricted to authorized users with business need

Authentication and access

  • SSO via Google Workspace; OAuth 2.0 with PKCE for integrated providers
  • Unique account authentication enforced across all systems and applications
  • Production application, database, and OS access restricted to authorized users

Continuous monitoring

  • Vanta runs continuous compliance monitoring across our infrastructure and policies
  • Control status visible in real time on the Trust Center (updated hourly)
  • Penetration testing performed; vulnerability monitoring procedures established
Permissions

Who can connect what, and who sees the result.

Vehicle AI distinguishes between user-scoped and dealership-scoped integrations.

User-scoped connections (like Gmail or Outlook) are owned by the individual. The user authorizes the integration; only they can read or send through it. Other users in the dealership cannot see the messages or use the credentials.

Dealership-scoped connections (like DMS, CRM, MarketCheck) are authorized by an admin and serve the whole store. Read access is controlled by role. Write access requires explicit manager approval at the action level — there is no blanket "let v.Agent write to DMS" toggle.

Every integration starts read-only. Write scopes are requested per action — when you turn on the "Approved Reprice → DMS" action, that's when the write scope is granted, scoped to that specific operation.

Subprocessors

The vendors that process Vehicle AI data.

We keep this list short and current. Adding a new subprocessor requires internal security review and is published here when it goes live.

Google Cloud Platform

cloud.google.com

Cloud infrastructure provider — hosts all production workloads and customer data in US regions.

Google Workspace

admin.google.com

Identity provider — SSO and authentication for Vehicle AI team and integrated customer accounts.

Vercel

vercel.com

Engineering platform — front-end deployment and edge serving.

Vanta

vanta.com

Continuous security and compliance monitoring — powers the live Trust Center and SOC 2 controls.

GitHub

github.com

Version control and code review for the Vehicle AI platform.

Talk to Us

Walk through our security posture with the team.

We'll share the SOC 2 Type II report, walk through tenant isolation and audit logging on a live Command Center, and answer any security or compliance question you have.