Legal

Trust Centre

Last updated: May 28, 2026

DealerStack is built for dealerships that trust us with their inventory, customer data, and business operations. This page explains how we protect that trust through our security practices, infrastructure choices, and data handling commitments.

TLS / HTTPS everywhere Passwords hashed with bcrypt Dealer data fully isolated No third-party ad tracking No data sold to third parties

🔐

Encrypted in Transit

All connections to DealerStack are encrypted using TLS. Your data is never transmitted in plain text over the network.

🔑

Secure Authentication

Passwords are hashed using an industry-standard algorithm. We never store plain-text passwords. OAuth-based sign-in is also supported.

🏢

Dealer Isolation

Every dealership's data is scoped by a unique dealer ID. No dealership can access another's inventory, leads, or appraisals.

🚫

No Ad Tracking

We use zero third-party advertising or analytics trackers. The only cookie we set is a session cookie required for login.

Infrastructure

DealerStack runs on modern, managed cloud infrastructure. We intentionally use providers with strong security track records and Canadian/US data residency.

Component	Purpose
Application server	Hosts the DealerStack application on managed cloud infrastructure.
Database	Stores all dealer accounts, inventory, leads, and appraisals. Encrypted at rest.
File storage	Stores vehicle photos. Served over a global CDN with HTTPS.
Email delivery	Sends transactional emails (appraisal notifications, welcome emails).
AI processing	Generates appraisal insights. No customer PII is included in AI requests.
Market data	Provides vehicle listing comparables and pricing data.
VIN decoding	Decodes vehicle identification numbers. No personal data transmitted.

Session and Authentication Security

DealerStack uses server-side sessions stored in a relational database (not in cookies). The session cookie contains only a signed, opaque session ID — your account data never travels in the cookie itself. Session secrets are stored as environment variables and never committed to source code.

All API endpoints that access dealer data require an authenticated, verified session. Admin-only endpoints are additionally restricted to a pre-approved list of email addresses set at the server level.

Data Access Controls

Dealer data is enforced at the database query level — every query includes a dealer_id filter. Even if a session were compromised, an attacker could only access data belonging to that specific dealership.

DealerStack internal admin access (for support and platform management) is restricted to named individuals. Admin actions are only available through authenticated admin sessions, not via any shared backdoor.

What Data We Store (and What We Don't)

We store: Dealership name, address, contact email, hashed passwords, vehicle inventory, CRM leads, appraisal records, and session tokens.
We do not store: Plain-text passwords, payment card numbers, government ID numbers, or customer social insurance/social security numbers.
We do not store: Third-party market data beyond short-lived server-side caches. Cached data is keyed by vehicle attributes and contains no personal information.

Responsible Disclosure

If you discover a security vulnerability in DealerStack, please report it responsibly by emailing shahroze@autodealerstack.com with a description of the issue. We will investigate promptly and respond within 5 business days.

Please do not publicly disclose vulnerabilities before we have had the opportunity to address them.

Contact

For security or trust-related questions, contact us at:
shahroze@autodealerstack.com