How we protect your dealership data.
Last updated: April 30, 2026.
UnifiedGarage handles customer PII, deal financials, and service histories - exactly the kind of data that breaks a dealership's reputation if it leaks. We treat the basics seriously and document them here. If you want to verify any of this on your own, our security disclosure email is at the bottom of this page.
Data encryption
- In transit: every connection uses TLS 1.2+ with HSTS enforced. We don't accept unencrypted traffic.
- At rest: PostgreSQL data sits behind Supabase's AES-256 encryption. Object storage (vehicle photos, document attachments) on Cloudflare R2 uses AES-256 at rest.
- Backups: encrypted with the same keys as the live database, retained for 30 days at point-in-time recovery granularity.
Authentication & access
- Passwords hashed with bcrypt (cost factor 12). Plaintext passwords never touch our database.
- Multi-factor authentication (TOTP / RFC 6238) is supported for every user, required for admin roles by default.
- Session tokens are signed with rotating secrets; refresh tokens are stored in httpOnly cookies (not localStorage).
- Failed-login lockout with exponential backoff. After 5 failed attempts the account is locked for 15 minutes; subsequent failures escalate.
- CSRF protection via double-submit cookie pattern on every mutating endpoint.
- Role-based access control: 9 roles (super-admin, dealer-admin, manager, sales rep, F&I manager, service advisor, technician, parts clerk, accounting) each with a published permission matrix. The backend enforces the same rules the UI shows.
Tenant isolation
Every row in our database carries a dealershipId. Every query is scoped by it at the service layer. Database-level row-level security (RLS) policies provide a second guard so a code mistake can't cross dealership boundaries silently. We test this with multi-tenant fixtures on every release.
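As an added illustration (not UnifiedGarage's own schema or policy), this is how a PostgreSQL row-level security policy can act as the second guard described above. The deals table, the dealership_id column, the app_user role and the app.dealership_id setting are assumed names, and the UUIDs and customer rows are constructed sample data.

```sql
-- Added illustration. Table, column, role and setting names are assumptions.
CREATE TABLE deals (
    id            bigserial PRIMARY KEY,
    dealership_id uuid   NOT NULL,   -- stands in for the page's dealershipId
    customer_name text   NOT NULL,
    amount_cents  bigint NOT NULL
);

-- ENABLE switches RLS on; FORCE also applies it to the table owner, leaving
-- only superusers and BYPASSRLS roles exempt.
ALTER TABLE deals ENABLE ROW LEVEL SECURITY;
ALTER TABLE deals FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement can see or modify; WITH CHECK rejects
-- writes that would place a row in another tenant. An unset or empty setting
-- becomes NULL, the comparison is never true, and no rows match (fail closed).
CREATE POLICY tenant_isolation ON deals
    FOR ALL
    USING (dealership_id = NULLIF(current_setting('app.dealership_id', true), '')::uuid)
    WITH CHECK (dealership_id = NULLIF(current_setting('app.dealership_id', true), '')::uuid);

-- Unprivileged role the application connects as.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON deals TO app_user;
GRANT USAGE ON SEQUENCE deals_id_seq TO app_user;

-- One request: the service layer pins the tenant for this transaction only.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.dealership_id', '11111111-1111-1111-1111-111111111111', true);

INSERT INTO deals (dealership_id, customer_name, amount_cents)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed Customer A', 2500000);

-- Simulated code mistake: the query forgets its dealership filter.
-- The policy still limits the result to the pinned tenant's rows.
SELECT id, customer_name FROM deals;

-- Cross-tenant write: refused by WITH CHECK, which aborts the transaction.
INSERT INTO deals (dealership_id, customer_name, amount_cents)
VALUES ('22222222-2222-2222-2222-222222222222', 'Constructed Customer B', 1000);
ROLLBACK;
```

A multi-tenant release test can assert both outcomes: the unfiltered SELECT returns only the pinned tenant's rows, and the cross-tenant INSERT raises an error.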
Hosting & infrastructure
- Application servers: Railway, region us-east. Container-based with rolling deploys.
- Database: Supabase (managed PostgreSQL on AWS), region us-east-1.
- Object storage: Cloudflare R2 with custom domain.
- Front-end: Vercel, edge-distributed for low-latency loads.
- DNS & CDN: Cloudflare.
Backups & disaster recovery
- Database backups: continuous WAL archival via Supabase, with point-in-time recovery to any second within the last 30 days.
- Object storage: R2 has 11 nines of durability with multi-region replication.
- Recovery objective: RPO < 5 minutes, RTO < 1 hour for full database restore.
- Disaster runbook rehearsed quarterly.
Logging & monitoring
- Application logs retained 90 days, structured (JSON), no PII or passwords.
- Audit logs for admin actions (user role changes, settings edits, data exports) retained indefinitely.
- Error tracking via Sentry; PII is scrubbed before transmission.
- Uptime monitoring on every public endpoint with paged alerts.
Patching & vulnerability management
- Dependencies scanned daily via GitHub Dependabot; security patches applied within 7 days for high-severity, 30 days for medium.
- OS-level patches happen via Railway's base image refresh (typically weekly).
- Code reviewed before merge; CI runs lint, type-check, unit tests, and Playwright e2e on every pull request.
Compliance posture
UnifiedGarage is not yet SOC 2 certified - we're a small team and the audit cost is steep. We're building toward it on the same principles that the audit checks. PIPEDA (Canadian privacy law) compliance is documented in our privacy policy; if your dealership requires GDPR-shaped disclosures we're happy to provide them on request.
Security disclosure
Found a vulnerability? Email security@unifiedgarage.com. We respond within 1 business day, work with you on a fix timeline, and credit responsible disclosure publicly if you want.
Have a more specific question? hello@unifiedgarage.com.