Security Posture
Compliant today. Audit-ready path documented.
LouieAuto is FTC Safeguards Rule compliant at the control level. SOC 2 Type I certification targeted Q2 2026 — Type II operating-period audit follows. This page is the public summary; full control matrix and readiness roadmap available in the diligence data room under NDA.
Compliance matrix.
| Framework | Scope | Status | Evidence |
|---|---|---|---|
| FTC Safeguards Rule (16 CFR Part 314) | Dealer nonpublic personal information | COMPLIANT | Control matrix + risk assessment in data room |
| SOC 2 Type I | Security, Availability, Confidentiality | IN PROGRESS | Auditor engagement confirmed — Q2 2026 certification milestone. Full control matrix in data room. |
| SOC 2 Type II | 6-month operating period post-Type I | PLANNED | Follows Type I certification; 6-month observation period begins Q3 2026. Readiness roadmap available under NDA. |
| GLBA (Gramm-Leach-Bliley) Privacy Rule | Dealer customer financial info | ALIGNED | Data flow and consent documentation in data room |
| PCI DSS | Not in scope | N/A | No card data stored; payment flows delegated to dealer's existing processor |
| CCPA / CPRA | California resident data | ALIGNED | Privacy policy, deletion workflow, data subject request handler documented |
Threat model (STRIDE summary).
| Category | Primary threat | Control |
|---|---|---|
| Spoofing | Dealer staff impersonation | Session token + IP fingerprint; rotation on anomaly |
| Tampering | Modification of lender decisioning logic | Read-only system-prompt release; code-signed deployment pipeline |
| Repudiation | Dealer disputes Louie recommendation | Broker-access log; full request/response audit trail; NDA-compliant retention |
| Information disclosure | Customer PII leakage via LLM prompt logging | Provider-routing layer redacts PII before send; Anthropic/OpenAI zero-retention flags set; local Ollama fallback |
| Denial of service | Flood against /api or /copilot | Nginx rate-limiter + per-token throttle; graceful degradation to cached responses |
| Elevation of privilege | Broker token escalation | Per-broker scoped token; admin secrets gated by header + IP allowlist |
Data handling.
Data classes
- Dealer identifiers — rooftop name, DMS integration tokens. Encrypted at rest.
- Customer PII — name, phone, email, DOB for deal structure. Encrypted at rest; redacted before LLM calls.
- Financial data — credit score tier, income range, deal structure. Never transmitted to third-party LLMs as raw values; bucketed before send.
- Operational telemetry — request latencies, error rates, module usage. No PII.
Retention & deletion
- Dealer-initiated deletion: honored within 5 business days.
- Customer deletion request: honored within 30 days (CCPA / CPRA aligned).
- Broker access logs: 24-month retention under NDA, then purge.
Cross-border transfer
- All data resides on US-region infrastructure.
- LLM inference: provider routing allows selecting US-region endpoints (Anthropic, Azure, GCP).
- Local Ollama inference available for dealers who require on-prem processing.
Incident response.
| Severity | Definition | Response SLA |
|---|---|---|
| P0 | Data exposure confirmed | 60 minutes to containment; 24 hours to dealer notification; 72 hours to regulator where required |
| P1 | Service outage affecting deal flow | 15 minutes to acknowledge; 4 hours to restore or provide workaround |
| P2 | Degraded feature or non-critical error | Business-hour response; 48 hours to resolve |
| P3 | Cosmetic or low-impact | Next release cycle |
Detailed runbook, contact tree, and post-mortem template are in the data room. Report vulnerabilities to brian@louieauto.com — PGP key published in /.well-known/security.txt.
Dependency & supply chain.
- SBOM generated per release (CycloneDX format).
- Dependencies pinned; npm audit + Snyk CI integration on readiness path.
- No known high-severity unpatched CVEs at date of publication.
- LLM provider routing isolates single-vendor failure — Anthropic, OpenAI, Azure, GCP, local Ollama all supported.
This page is a public summary. The full security pack (control matrix, gap analysis, penetration-test scope, SOC 2 readiness roadmap) is available under NDA.
Uptime SLA.
| Metric | Commitment | Measurement |
|---|---|---|
| Service availability | 99.9% per calendar month | nginx access logs + PM2 process monitor; status.louieauto.com |
| Scheduled maintenance | Off-peak only (2–4 AM local); 48-hr advance notice | Announced via status page and email to account contacts |
| P0 containment | 60 minutes | From first confirmed report to service restoration or workaround |
| P1 restore | 4 hours | Deal-flow-impacting outage resolved or workaround confirmed |
| P2 resolution | 48 business hours | Degraded feature or non-critical error |
Full SLA terms at louieauto.com/sla. Enterprise and Managed Services tier accounts receive SLA credits and dedicated escalation contacts. Group and Enterprise tier: 12-month minimum with formal SLA addendum.
Penetration testing & vulnerability disclosure.
Pen test cadence
- Annual penetration test scheduled. Scope: API surface (/api/*), authentication flows, session management, data access controls, injection vectors.
- Testing methodology: OWASP Testing Guide v4 + ASVS Level 2 controls.
- Reports and executive summary available under NDA to qualified acquirers and enterprise partners.
Vulnerability disclosure
- Responsible disclosure: report to brian@louieauto.com with subject line
SECURITY:. PGP key at /.well-known/security.txt. - Acknowledgement within 24 hours. Severity assessment and remediation timeline within 5 business days.
- Coordinated disclosure window: 90 days from report unless extended by mutual agreement.
- No bounty program active at this time. Researchers acknowledged in release notes.
Enterprise support tiers.
Power Dealer and Dealer Group accounts receive structured support — not just the AI assistant. Managed services partners (Presidio-model) receive joint escalation access for their client rooftops.
| Tier | Support channel | P0/P1 SLA | Dedicated contact |
|---|---|---|---|
| Lot Starter ($597/mo) | Email + AI assistant | Standard SLA | No |
| Pro Dealer ($1,197/mo) | Email + priority queue | Standard SLA | No |
| Power Dealer ($1,997/mo) | Email + Slack channel + AI | 4-hr P1 SLA | Named CSM |
| Dealer Group ($3,997/mo) | Direct phone + Slack + email | 60-min P0 / 4-hr P1 | Named CSM + SE |
| Managed Services partner | Joint partner escalation portal | 60-min P0 / 4-hr P1 | Named partner SE |
For enterprise procurement: send security questionnaires and vendor assessment forms to brian@louieauto.com. Full responses within 5 business days. NDA available on request before data room access.