Security
Network Security
These measures include:
- Regular vulnerability scanning and annual penetration testing, both internally and externally, to detect and address suspicious behavior.
- Robust firewalls and adherence to stringent configuration standards.
- Security measures for sensitive personal or payment information.
- Physical security and environmental controls to protect our infrastructure.
- Continuous testing and review of systems with industry experts to uphold the highest security standards.
- Prompt notification to Dealerware's customers and partners in the event of outages or operational issues.
- Defined and implemented security commitments to address potential risks.
- Comprehensive incident response program to understand, contain, remediate, and communicate any security incidents effectively.
Data Storage & Site Security
- Dealerware implements both technical and physical controls to securely store your data and prevent unauthorized disclosures.
- Data is stored in facilities with stringent security measures.
- Dealerware Platform and API Portal are hosted in US-based AWS regions, utilizing multiple availability zones for enhanced reliability and security.
Incident Response & Contingency Planning
- Detection of data breaches and prompt notification of potential network issues.
- Assessments to evaluate and mitigate potential cybersecurity incidents and exposures.
- Processes to provide customers with accurate and timely information on the scope and status of any issue.
- The Incident Response and Disaster Recovery Plan mandates documentation of root cause analysis and lessons learned for all potential security incidents.
Platform & Systems Security
- Configured tools and continuous monitoring of system endpoints to prevent the introduction of viruses and malware into the processing environment.
- Implementation of access controls, network firewalls, operating system security, server configuration, and traffic management.
Vulnerability disclosure program:
- Dealerware provides customers with channels to assess the health of Dealerware's platform and submit requests.
- Outages and operational issues are reported to Dealerware's customers and partners via a third-party system.
- Customers experiencing system issues can submit service requests and view Dealerware's platform status at any time via the support.dealerware.com customer-facing site.
- Error monitoring and application stability management systems are in place to ensure continuous and reliable performance.
- Dealerware also holds our software and hosting partners to the same high security standards, ensuring that their practices align with our commitment to maintaining the integrity and security of our platform.
Data Encryption
- Using encrypted connections and protocols (3.01).
- Ensuring data access is secure and encrypted during transmission.
- Implementing protocols to securely dispose of customer data.
- Encryption of data within forms and API systems based on defined standards.
Data Processing
- Utilizing Transport Layer Security (TLS) and HTTPS to secure your connections, ensuring that sensitive information is securely transferred to authenticated servers and remains protected from unauthorized access.
Access Controls
- Using multiple factors of authentication to access IT systems.
- Ensuring access is granted on a least-privilege basis.
- Password security and username policies.
- Executing risk management and vulnerability management processes, restricting employee access to and from API supporting systems, and regularly re-certifying access to platforms and systems to ensure compliance and mitigate risks.
Staff & Third Party Access
- Enforcing strict policies on the secure handling and protection of data.
- Vetting personnel with access to personal data and managing the employee lifecycle, including background screening, training, and succession planning.
- Reviewing and ensuring that third-party service providers adhere to robust security measures and comply with our information security policies.
- Binding third-party subcontractors to technical and organizational measures that are as rigorous as those we uphold.
- Providing ongoing information security and security awareness training for all relevant personnel.
- Dealerware implements Single Sign-On (SSO) and automatic de-provisioning to streamline access control and ensure that access rights are promptly revoked when no longer needed.
Security Practices
What data security controls does Dealerware have in place for the transmission & storage of data?
Dealerware employs comprehensive data security controls to ensure the safe transmission and storage of your data:
- SOC 2 Type 2 certified for rigorous security standards.
- Data in transit is protected by TLS 1.2 encryption.
- Stored data is secured and encrypted with 256-bit Advanced Encryption Standard (AES).
- All connections are forced through HTTPS, ensuring encrypted data transmission.
- Servers are hosted in U.S.-based AWS data centers that are SOC 1, SOC 2, and ISO 27001 certified.
- Our data centers feature 24/7 security, fully redundant power systems, two-factor authentication, and physical audit logs.
- Regular external penetration tests are conducted by third-party vendors.
- Security awareness training sessions are regularly conducted for all employees.
- Detailed audit logs are maintained for all internal systems.
Describe Dealerware’s risk and vulnerability management program.
New vulnerabilities or new patches are detected by the various monitoring and scanning processes in place. Many vulnerabilities are addressed within 24 hours by automated update processes, at which time the vulnerability is closed out. Engineering tracks any vulnerabilities that cannot be addressed through automation until they are resolved. Dealerware undergoes, at minimum, annual vulnerability scans and penetration testing by an independent third party.
Are system outages tracked?
Dealerware maintains a publicly available status page for current and historical availability information at: https://dealerware.statuspage.io.
Which (if any) cloud infrastructure providers are used to deliver the service or system?
Dealerware is primarily hosted on Amazon Web Services (AWS) to ensure high availability of its services. Dealerware leverages the industry-leading cloud infrastructure and data security features provided by AWS to ensure our product and customer data are secure.
For more information on how AWS’ data centers secure your data, click here: https://aws.amazon.com/compliance/data-center/controls/
Are server security configuration standards documented and based on external industry or vendor guidance?
Dealerware follows security configuration standards that are documented and consistent with industry guidance, and where applicable may adhere to vendor guidelines.
Do you provide clients with hosting options?
Dealerware does not provide hosting solutions directly to its customers. However, Dealerware utilizes AWS for its own production environment, which provides at least three different, geographically separated, locations where the application is hosted for high availability and redundancy.
Please describe the framework that is utilized to ensure alignment with Information Security best practices?
Dealerware is SOC 2 Type II certified, which validates our strong commitment to data security, processing, integrity, confidentiality, and privacy.
Information security is essential for Dealerware’s success and competitiveness. Our framework adopts the following Information Security Principles:
- Apply a risk-based and economically reasonable approach to Information Security.
- The purpose of the program is to protect and ensure the confidentiality, integrity, and availability of data and information assets in light of business and legal requirements.
- The program requires implementing information security and risk management processes and procedures that are sustainable, adaptable, and able to transform.
- Continued review, testing, and improvement of protocols is necessary.
What retention policies are in place for data stored in your cloud environment? What granularity is available on an individual customer basis?
Client or customer data is stored in our cloud environment for [90 days] but we may retain information as long as it is needed for processing and performing services for customers.
Dealerware has policies covering data classification, encryption and disposal, and retention, and requires all web-based data transmissions to or from third parties to be transmitted over HTTPS; all data in transit is secured using TLS v1.2 at minimum. Access to the production environment is restricted to SSH and is controlled through Teleport as required.
How is role-based access control implemented and supported in your product or service?
Dealerware includes pre-defined customer-user roles, including Permissions Manager, Employee Manager, Service Advisor, and other internal admin permissions. More information about access controls is available here: https://support.dealerware.com/hc/en-us/articles/360022563514-Learn-about-Employee-Account-Permissions
Does Dealerware have audit logging capabilities?
To review actions performed by people in your organization, Dealerware provides logs of audited user and system events. The Dealerware audit log lists events triggered in your organization within the last 90 days.
The audit log can be used to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed. These details can be used to troubleshoot access issues, perform security audits, or analyze specific events.
What is Dealerware’s business continuity plan or process?
Dealerware maintains a Business Continuity and Disaster Recovery (BCDR) plan to ensure the continued operations of the company. In the event of a localized disaster, Dealerware can continue its business operations with minimal interruption. The policy and plan are reviewed and tested, at minimum, annually by the Manager of Security, the VP of Platform & Data Engineering, and other relevant team members. All incidents are tracked and managed internally by the respective teams.