How Rooftop protects dealership and consumer data — at the database, in transit, and across our supply chain.
Last reviewed: June 2026 · Reviewed quarterly
We don't hide the in-progress status. Here's the honest snapshot of attestations and ongoing work.
Target Q2. Vanta-monitored controls across access, change management, and incident response.
Observation window opens after the first multi-rooftop pilot. Report available under NDA when complete.
Third-party engagement on the customer-facing platform and the public marketing surface. Summary letter on request.
Coordinated disclosure to security@rooftopos.io. Public credit and a thank-you on this page if disclosed responsibly.
RooftopOS does not sell your customer data, remarket to your customers, or turn your opportunities into someone else’s lead source. Customer records created through AutoCurb belong to the dealership.
All connections to rooftopos.io and the Rooftop platform use TLS 1.3; legacy ciphers and TLS 1.0/1.1 are disabled. Data at rest is encrypted with AES-256 at the storage layer for both Postgres and object storage. Backups are encrypted under the same envelope-encryption scheme and retained for 30 days. Customer data is segregated logically by row-level security in Postgres; no cross-tenant query path exists outside our own audited admin role.
Dealer admins on the Group tier sign in through SAML-based SSO. Every user is assigned a role, and role-based access control (RBAC) is enforced both in the API and at the database row level. Audit logs capture every read and write of customer data with user, time, and request ID; logs are immutable and exportable from the dashboard.
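As an added illustration of the two paragraphs above (not RooftopOS's own schema or code), here is how per-dealership row-level security, role checks at the row level, and an append-only write audit carrying user, time and request ID fit together in PostgreSQL. The table, column, role and setting names (`customers`, `dealership_id`, `app_user`, the `app.*` settings) and the sample values are assumptions constructed for the example.

```sql
-- Added illustration, not RooftopOS's own schema: tenant isolation, role
-- checks and write auditing with PostgreSQL row-level security (RLS).
-- Names below (customers, dealership_id, app_user, app.* settings) are
-- assumptions for the example.

CREATE TABLE customers (
    id            bigserial PRIMARY KEY,
    dealership_id uuid NOT NULL,
    full_name     text NOT NULL,
    email         text
);

-- FORCE applies the policies to the table owner too, so a migration or ORM
-- running as owner cannot silently bypass them.
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
ALTER TABLE customers FORCE ROW LEVEL SECURITY;

-- Tenant and role arrive as transaction-local settings the API sets after
-- BEGIN. NULLIF handles the quirk that an unset custom setting reads as ''
-- once it has ever been set in the session; a NULL tenant matches no rows,
-- so a request that forgot to set it fails closed.
CREATE FUNCTION current_dealership() RETURNS uuid LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.dealership_id', true), '')::uuid
$$;
CREATE FUNCTION current_app_role() RETURNS text LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.role', true), '')
$$;

-- Reads: any role, but only rows of the caller's own dealership.
CREATE POLICY tenant_select ON customers FOR SELECT
    USING (dealership_id = current_dealership());

-- Writes: own dealership only, and only for roles allowed to write.
-- USING filters which existing rows may be touched; WITH CHECK validates
-- the row as it will be after the write, which blocks re-homing a row to
-- another tenant via UPDATE.
CREATE POLICY tenant_insert ON customers FOR INSERT
    WITH CHECK (dealership_id = current_dealership()
                AND current_app_role() IN ('dealer_admin', 'sales'));
CREATE POLICY tenant_update ON customers FOR UPDATE
    USING (dealership_id = current_dealership())
    WITH CHECK (dealership_id = current_dealership()
                AND current_app_role() IN ('dealer_admin', 'sales'));
CREATE POLICY tenant_delete ON customers FOR DELETE
    USING (dealership_id = current_dealership()
           AND current_app_role() = 'dealer_admin');

-- The API connects as a plain role. Superusers and roles with BYPASSRLS
-- skip every policy above, so they must never be the API's credential.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON customers TO app_user;
GRANT USAGE, SELECT ON SEQUENCE customers_id_seq TO app_user;

-- Append-only audit of every write: who, when, which request, old and new row.
-- app_user gets no grants on this table at all; only the trigger writes to it.
CREATE TABLE customer_audit (
    id            bigserial PRIMARY KEY,
    at            timestamptz NOT NULL DEFAULT now(),
    actor         text NOT NULL,
    request_id    text NOT NULL,
    dealership_id uuid NOT NULL,
    op            text NOT NULL,
    before_row    jsonb,
    after_row     jsonb
);

-- SECURITY DEFINER runs as the function owner, so app_user can append audit
-- rows without any privilege on the table. NOT NULL on actor/request_id makes
-- a write with missing context fail rather than leave an unattributed gap.
CREATE FUNCTION audit_customers() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
BEGIN
    INSERT INTO customer_audit
        (actor, request_id, dealership_id, op, before_row, after_row)
    VALUES (NULLIF(current_setting('app.user_id', true), ''),
            NULLIF(current_setting('app.request_id', true), ''),
            COALESCE(NEW.dealership_id, OLD.dealership_id),
            TG_OP, to_jsonb(OLD), to_jsonb(NEW));
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END $$;

CREATE TRIGGER customers_audit
    AFTER INSERT OR UPDATE OR DELETE ON customers
    FOR EACH ROW EXECUTE FUNCTION audit_customers();

-- Per-request use from the API (SET LOCAL is scoped to the transaction).
-- Constructed values; a real request id would come from the HTTP layer.
BEGIN;
SET LOCAL app.dealership_id = '8c5a2d3e-1f4b-4c6d-9e7f-0a1b2c3d4e5f';
SET LOCAL app.role          = 'sales';
SET LOCAL app.user_id       = 'user_42';
SET LOCAL app.request_id    = 'req_7f3a';
INSERT INTO customers (dealership_id, full_name)
    VALUES ('8c5a2d3e-1f4b-4c6d-9e7f-0a1b2c3d4e5f', 'Ada Example');   -- allowed
-- A row for another dealership is rejected with "new row violates
-- row-level security policy" even though the role is the same:
-- INSERT INTO customers (dealership_id, full_name)
--     VALUES ('00000000-0000-0000-0000-000000000001', 'Cross-tenant');
SELECT id, full_name FROM customers;   -- only this dealership's rows
COMMIT;
```

Two caveats a reviewer would check against any such setup: triggers do not fire on SELECT, so auditing reads with the same fidelity takes either the pgaudit extension (`pgaudit.log = 'read'`) or the API layer emitting the audit record alongside the query; and a separate admin role that needs cross-tenant visibility should be a distinct, logged credential rather than a BYPASSRLS flag on the application role, which is the point of calling the admin path "audited" in the text above.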
Production access is least-privilege: engineers request just-in-time elevation through a logged workflow, and hardware-key MFA (WebAuthn) is required for any production console or CLI session. No shared accounts, no long-lived production keys.
This is the same sub-processor list named in our Data Processing Agreement; we give 30 days' notice before adding to it.
| Sub-processor | Purpose | Data accessed | Location | Security |
|---|---|---|---|---|
| Cloudflare | Edge hosting, CDN, DDoS protection | Request metadata, marketing pages | United States | Trust page |
| Supabase / Postgres | Primary database | All customer + consumer records | United States (us-east-1) | Trust page |
| Cloudflare R2 | Object storage (photos, videos, signed PDFs) | Inventory media, AutoFilm video, audit artifacts | United States | Trust page |
| Resend | Transactional + newsletter email | Email address, name, message body | United States | Trust page |
| Twilio | SMS delivery | Phone number, message body, consent timestamp | United States | Trust page |
| OpenAI | Text extraction (VIN, title, sticker OCR) | Document text only — no consumer PII payloads, no training | United States | Trust page |
All customer and consumer data is stored in United States data centers. We do not transfer data internationally without explicit, written customer consent. CDN edges may cache static marketing assets globally, but no customer or consumer record leaves US infrastructure.
We notify the customer within 72 hours of any confirmed personal-data breach — including known scope, mitigations taken, and recommended next steps. The full process is documented in our Data Processing Agreement.
Email security@rooftopos.io with reproduction steps and any proof-of-concept. We acknowledge receipt within 48 hours and provide a triage decision within five business days. Public credit on this page if disclosed responsibly — please don't exfiltrate data, pivot, or publish before we've had a chance to fix.
The signed DPA covers the legal terms. For the technical questionnaire we'll fill out either CAIQ-Lite or SIG-Lite — send whichever your team standardized on.