VinReach

Trust

Last updated: April 19, 2026

VinReach processes visitor traffic, inventory, and messaging on behalf of car dealerships. This page is the index of how we protect that data.

Security posture

  • All application traffic encrypted in transit (TLS 1.2+) via Vercel edge. No plaintext HTTP accepted at the public surface.
  • Personal data encrypted at rest (AES-256) via the managed Postgres provider's native encryption. Backups are encrypted and geo-redundant.
  • Dealer credentials (DMS, Postmark, SendGrid, valuation providers) are encrypted per-row with KMS-wrapped keys and redacted before any log emission.
  • Least-privilege access — every production write runs through Postgres row-level security scoped to the calling org. No cross-tenant reads are possible from an application query.
  • Every outbound send, reply, consent flip, and journey decision is immutably logged for 18 months to support a SOC 2-aligned audit trail.

Audit status

VinReach is SOC 2-ready — policies, evidence, and Trust Service Criteria controls are operational today. A formal Type II attestation has not been issued yet; the observation window is planned to open with pilot operations. No bridge letter or attestation report exists at this time. CISO teams that need a pre-audit security questionnaire can request one via /contact.

Compliance scope

Data is hosted in the region specified in the order form (currently US-East). Outbound messaging honors:

  • CAN-SPAM — physical address on every commercial email, unsubscribe honored within 10 minutes platform-wide.
  • CPRA — California resident opt-out signals respected (Global Privacy Control, Sec. 1798.135).
  • TCPA — SMS consent captured at collection; STOP, UNSUBSCRIBE, and CANCEL recognized immediately.

Anonymous-visitor identity resolution

VinReach can optionally load an anonymous identity-resolution webtag on behalf of a dealer, either Essential or Enhanced Identity Resolution, to match anonymous website visitors to first-party identifiers (email, phone, postal region). This feature is off by default per rooftop and only loads when the visitor has granted both analytics and marketing consent and has not asserted Global Privacy Control or a CPRA "do-not-sell-or-share" opt-out. Daily cost caps prevent runaway spend. Every enrichment call is logged with the raw response for audit. Dealer-side suppression is enforced before any enrichment or outbound send. Vendor identity-graph details are disclosed on the /subprocessors page.
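The consent gate described above, written out as an added example (not VinReach's own code): the tag is only injected when every condition passes, and any missing field fails closed. The rooftop settings shape, the consent-state shape, the `dailySpend` counter and the function names are assumptions; `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are the real Global Privacy Control signals.

```javascript
// Added example: fail-closed gate for an optional identity-resolution webtag.
// Shapes of `rooftop`, `consent`, `env` and `dailySpend` are assumptions.

// Both consent categories must be explicitly true; undefined or "pending" denies.
function hasExplicitConsent(consent) {
  return !!consent && consent.analytics === true && consent.marketing === true;
}

// GPC may arrive as the browser property or as a server-observed Sec-GPC: 1
// header; either one counts as an asserted opt-out.
function gpcAsserted(env) {
  const nav = (env && env.navigator) || {};
  return nav.globalPrivacyControl === true || (env && env.secGpcHeader === "1");
}

// Returns a decision object so the reason can be written to the audit log.
function identityTagDecision(ctx) {
  const { rooftop, consent, env, dailySpend } = ctx;
  // Off by default per rooftop: an absent or false flag never loads the tag.
  if (!rooftop || rooftop.identityResolution !== true) {
    return { load: false, reason: "off-by-default" };
  }
  if (!hasExplicitConsent(consent)) {
    return { load: false, reason: "missing-consent" };
  }
  if (gpcAsserted(env)) {
    return { load: false, reason: "gpc" };
  }
  if (consent.cpraOptOut === true) {
    return { load: false, reason: "cpra-opt-out" };
  }
  // Daily cost cap: refuse the load if one more enrichment call would exceed it.
  const spent = (dailySpend && dailySpend.spentCents) || 0;
  if (spent + rooftop.costPerCallCents > rooftop.dailyCapCents) {
    return { load: false, reason: "daily-cap" };
  }
  return { load: true, reason: "ok", tier: rooftop.tier };
}

// Constructed sample context: an Essential-tier rooftop with full consent.
const sampleContext = {
  rooftop: { identityResolution: true, tier: "Essential", dailyCapCents: 1000, costPerCallCents: 5 },
  consent: { analytics: true, marketing: true, cpraOptOut: false },
  env: { navigator: {}, secGpcHeader: undefined },
  dailySpend: { spentCents: 0 },
};
```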

Reporting a vulnerability

Email security@vinreach.ai with any security finding. We acknowledge reports within 1 business day. Please allow us 90 days to remediate before disclosing publicly.

Incident history

No material security incidents to date. Status updates and any future notifications will be posted here within the SLA committed to in the DPA.

Questions

Use /contact for anything that needs a live human.