VinReach

Trust

Last updated: April 19, 2026

VinReach processes visitor traffic, inventory, and messaging on behalf of car dealerships. This page is the index of how we protect that data.

Security posture

  • All application traffic encrypted in transit (TLS 1.2+) via Vercel edge. No plaintext HTTP accepted at the public surface.
  • Personal data encrypted at rest (AES-256) via the managed Postgres provider's native encryption. Backups are encrypted and geo-redundant.
  • Dealer credentials (DMS, Postmark, SendGrid, valuation providers) are encrypted per-row with KMS-wrapped keys and redacted before any log emission.
  • Least-privilege access — every production write runs through Postgres row-level security scoped to the calling org. No cross-tenant reads are possible from an application query.
  • Every outbound send, reply, consent flip, and journey decision is immutably logged for 18 months to support a SOC 2-aligned audit trail.

Audit status

VinReach is SOC 2-ready — policies, evidence, and Trust Service Criteria controls are operational today. A formal Type II attestation has not been issued yet; the observation window is planned to open with pilot operations. No bridge letter or attestation report exists at this time. CISO teams that need a pre-audit security questionnaire can request one via /contact.

Compliance scope

Data is hosted in the region specified in the order form (currently US-East). Outbound messaging honors:

  • CAN-SPAM — physical address on every commercial email, unsubscribe honored within 10 minutes platform-wide.
  • CPRA — California resident opt-out signals respected (Global Privacy Control, Sec. 1798.135).
  • TCPA — SMS consent captured at collection; STOP, UNSUBSCRIBE, and CANCEL recognized immediately.

Reporting a vulnerability

Email security@vinreach.ai with any security finding. We acknowledge reports within 1 business day. Do not publicly disclose a finding before we have had 90 days to remediate.

Incident history

No material security incidents to date. Status and any future notifications are posted here within the SLA committed to in the DPA.

Questions

/contact for anything that needs a live human.