Compliance & Security
Enterprise-grade.
Fully transparent.
Regulatory rigor. Full audit trails. No black boxes.
TCPA
Compliant
Compliant with the Telephone Consumer Protection Act at federal and state levels. Consent collection, opt-out management, calling hour restrictions, and do-not-call list scrubbing handled automatically.
Formal legal opinion letter on file from a nationally recognized telecom compliance firm. Independent validation, not a self-assessment.
SOC 2 Type II
Q1 2026
Certification in progress covering security, availability, processing integrity, confidentiality, and privacy.
Independent third-party audit of access controls, encryption protocols, incident response, and operational procedures.
CCPA & State Privacy
Compliant
Compliant with the California Consumer Privacy Act and state privacy regulations in Virginia, Colorado, Connecticut, and Utah.
Full support for consumer access, correction, deletion, and opt-out requests. We do not sell personal information.
GDPR
Supported
Supports EU data protection requirements including lawful basis for processing, data portability, and right to erasure.
For dealer groups with international operations or customers.
Data Architecture
Enterprise-grade
AES-256 encryption at rest. TLS 1.3 in transit. End-to-end protection across all data flows.
Logical isolation per dealership. No cross-account data access. Distributed infrastructure with automated failover and disaster recovery.
Access Controls
Full Audit Trail
Role-based permissions by user, role, rooftop, and function. Granular control over who sees what.
Full audit trail on every action, login, and configuration change. No silent access. No exceptions.
AI Governance
Enforced
Pricing limits, discount authority, and terms enforced at the system level. Cannot be overridden by the AI.
Every AI decision logged and traceable. Configurable escalation rules. Ongoing bias monitoring. No black-box behavior.
OEM Compliance
Fortellis Certified
Architected to meet OEM data handling and integration requirements.
Compatible with existing franchise agreements and platform guidelines.
Incident Response
Documented
Documented incident response procedures with defined escalation paths.
Notification protocols aligned with regulatory and contractual obligations.
Summary
| Requirement | Status |
|---|---|
| TCPA (Federal & State) | Compliant, legal opinion on file |
| SOC 2 Type II | In progress, Q1 2026 |
| CCPA | Compliant |
| GDPR | Supported |
| Data Encryption | AES-256 / TLS 1.3 |
| Data Isolation | Logical separation by account |
| Role-Based Access | Full audit trail |
| AI Guardrails | Enforced, auditable |
| Voice Recording | Encrypted, consent-verified |
| Fortellis | Certified |
Related reading
Our Compliance Approach
DealSmart AI was built compliance-first, not compliance-added. Every message Max sends is automatically checked against TCPA federal and state-level regulations, DNC list requirements, and quiet hours restrictions before it leaves our system. Consent is tracked at the contact level with full audit trails, and opt-out requests are processed immediately across all communication channels.
Our data infrastructure uses AES-256 encryption at rest and TLS 1.3 in transit. Customer data is logically isolated by dealership account, and role-based access controls ensure that only authorized personnel can access sensitive information. Voice recordings are encrypted and stored with verified consent records. We are currently pursuing SOC 2 Type II certification with an expected completion date in Q1 2026.
For enterprise dealership groups, we provide dedicated compliance and security personnel who can participate in vendor reviews, complete security questionnaires, and provide documentation for regulatory audits. Our Fortellis certification ensures seamless integration with CDK Global and other major dealer management systems.
Dedicated compliance and security personnel available for enterprise reviews.
