Trust & Safety

Security at Dealer-OS

Your dealership’s data — customer records, deals, financials, inventory — is sensitive. We treat it that way. Here’s exactly how we protect it.

Last updated: March 2, 2026

Security at a Glance


TLS 1.2+ Encryption

All data in transit is encrypted using TLS 1.2 or higher. We enforce HTTPS across every endpoint with no plain-HTTP fallback.


AES-256 at Rest

All data stored in Google Cloud Firestore and Firebase Storage is encrypted at rest using AES-256 by default.


Google Cloud Infrastructure

We run entirely on Google Cloud (Firebase), which holds SOC 2 Type II, ISO 27001, PCI DSS, and FedRAMP certifications.


Role-Based Access

Granular role-based access control (RBAC) ensures staff can only see and edit the data their role requires.


Secure Authentication

Authentication is handled by Firebase Authentication, with support for MFA. Session cookies are HTTP-only, Secure-flagged, and CSRF-protected.


24/7 Monitoring

Google Cloud's built-in threat detection, anomaly monitoring, and audit logging run continuously across our infrastructure.

1. Infrastructure & Hosting

Dealer-OS is built on Google Firebase and Google Cloud Platform (GCP), with all services hosted in the United States (us-central1 / us-east1 regions by default).

  • Firestore: multi-region replication with automatic backups and point-in-time recovery.
  • Firebase Storage: object storage for vehicle images and generated documents, with bucket-level security rules restricting access per dealer.
  • Cloud Functions (Gen2): server-side logic runs in isolated, ephemeral containers — no persistent shared state between requests.
  • Next.js on Vercel: the web application layer runs on Vercel’s edge network with DDoS protection and automatic HTTPS.

Google Cloud’s compliance certifications include SOC 1/2/3, ISO 27001/27017/27018, PCI DSS, HIPAA, and FedRAMP High. You can review Google’s compliance posture at cloud.google.com/security/compliance.

2. Data Encryption

In Transit

All communication between your browser or mobile device and Dealer-OS servers is encrypted using TLS 1.2 or TLS 1.3. We use HTTP Strict Transport Security (HSTS) headers to prevent protocol downgrade attacks. Certificate management is handled by Vercel and Google with automatic renewal.

At Rest

Data stored in Firestore and Firebase Storage is encrypted at rest using AES-256. Google manages encryption keys using its Key Management Service (KMS). Sensitive fields (e.g., OAuth refresh tokens) receive an additional layer of application-level encryption before storage.

OAuth Tokens

Third-party OAuth tokens (e.g., Gmail refresh tokens) are encrypted before being written to the database. Tokens are never logged, transmitted in plaintext, or exposed to client-side code. They are deleted immediately upon integration disconnection or account deletion.

3. Authentication & Session Management

  • Authentication is handled by Firebase Authentication, which supports email/password, Google Sign-In, and multi-factor authentication (MFA).
  • Sessions are maintained via HTTP-only, Secure, SameSite=Lax cookies (dealer_os_session) to prevent XSS-based token theft.
  • OAuth flows include a CSRF state parameter (cryptographically random 32-byte hex token stored in an HTTP-only cookie, valid for 10 minutes) to prevent cross-site request forgery.
  • Session cookies have a finite lifetime and are invalidated on logout. Server-side session verification is performed on every authenticated API request.
  • Failed authentication attempts are rate-limited by Firebase Authentication to prevent brute-force attacks.

4. Access Control

Dealer-OS implements strict multi-layer access control:

Tenant Isolation

Each dealership is a separate tenant. Firestore Security Rules and server-side checks enforce that users can only read and write data belonging to their own dealership. There is no shared data pool between dealers.

Role-Based Access Control (RBAC)

Within a dealership, access is governed by roles (Owner, Manager, Sales, Finance, etc.). Each role has a defined permission set enforced at both the API and Firestore rule levels. Employees see only the data and actions permitted by their role.

Internal Access (Dealer-OS Staff)

Access to production data by Dealer-OS engineering and support staff is restricted by role, logged, and limited to what is necessary to operate and support the service. No Dealer-OS employee has standing read access to individual dealer customer records without a documented support reason.

5. API & Application Security

  • All API routes require authentication; unauthenticated requests receive 401 responses.
  • Input validation and sanitization are applied to all user-supplied data before processing or storage.
  • Generated documents (PDFs) are produced server-side and served via signed, time-limited URLs — never stored publicly.
  • Third-party API keys (Google Maps, Stripe, etc.) are stored as server-side environment variables and are never exposed to the client.
  • Stripe webhooks are verified using Stripe-Signature header validation with our webhook secret to prevent spoofed payment events.
  • Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are set on all responses.

6. Monitoring, Logging & Incident Response

We maintain comprehensive audit trails for security-relevant events:

  • Firebase Authentication logs all sign-in events, token refreshes, and failed login attempts.
  • Cloud Functions log all API invocations, errors, and response times in Google Cloud Logging with 12-month retention.
  • Anomalous access patterns (unusual login locations, bulk data reads) trigger automated alerts reviewed by our team.

Incident Response

In the event of a confirmed data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the incident (as required under GDPR Article 33) via email and in-platform notification. Notifications will include: nature of the breach, categories of data affected, approximate number of individuals affected, likely consequences, and measures we have taken or propose to take.

7. Third-Party Security

We vet all sub-processors for security compliance before integration. Key providers and their security posture:

Provider                 Certifications
Google Firebase / GCP    SOC 2 Type II, ISO 27001, PCI DSS, FedRAMP High
Stripe                   PCI DSS Level 1, SOC 2 Type II, ISO 27001
Vercel                   SOC 2 Type II, ISO 27001
Resend                   SOC 2 Type II

8. Responsible Disclosure

We take security reports seriously. If you believe you have discovered a security vulnerability in Dealer-OS, please report it to us privately before any public disclosure to allow us to investigate and remediate.

Security Contact

Email: security@dealer-os.io

Please encrypt sensitive reports using our PGP key (available on request).

What to include: description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code (do not access or exfiltrate real user data).

Our commitment: We will acknowledge receipt within 2 business days, provide a status update within 5 business days, and keep you informed throughout the remediation process. We will not pursue legal action against researchers acting in good faith under these guidelines.

9. Questions & Contact

For general security questions or concerns, contact us:

Dealer-OS Security Team

Email: security@dealer-os.io

General: team@dealer-os.io