Skip to main content

Security and trust

Security boundaries should be visible before a shop connects its data.

VehicleDesk is being hardened around tenant isolation, provider verification, least privilege, human approval, recoverability, and evidence. Status labels distinguish implemented controls from work in progress, planned work, and provider-dependent behavior.

Current posture

Control status, customer meaning, and remaining evidence.

This page intentionally avoids certification language and sensitive architecture detail. The implementation traceability record remains the engineering authority.

Tenant isolation and least privilege

Authenticated access is shop- and role-scoped. Broader two-tenant proof, route classification, and least-privilege evidence continue under the security rebuild.

Implemented / hardening in progress

Authentication and session protection

Closed registration is the production default. Revocable sessions, CSRF classification, stronger login controls, and MFA direction are explicit follow-on work.

In progress

Encryption in transit and at rest

TLS is required in transit. Provider credentials are encrypted server-side; backup and key-rotation evidence is being expanded.

Implemented / expanding

Provider credential protection

Provider secrets stay server-side, encrypted, destination-bound, absent from browser bundles, and tracked through rotation/disconnect procedures.

Implemented / operations pending

Cloudflare edge and origin protection

The plan requires strict origin exposure, WAF/rate controls, bot and DDoS defenses, CSP, HSTS after audit, and monitored edge evidence.

In progress

Secure development and release checks

Secret scanning, dependency checks, route-auth checks, build gates, file budgets, and security baselines run locally and in CI where configured.

Implemented locally

AI minimization and human review

AI receives minimized context, treats provider/customer text as untrusted, has no autonomous customer-send authority, and cannot replace deterministic eligibility controls.

Implemented / hardening in progress

Audit logging and incident response

Security logging uses allowlisted fields and server request IDs. Central alerting, incident exercises, and production response ownership still require operational evidence.

In progress

Encrypted backups and restore tests

Independent encrypted backups, restore drills, recovery objectives, and tamper-aware evidence must be proven before this control is described as operational.

Planned / evidence required

Privacy, retention, and deletion

Data minimization, retention, export, deletion, subprocessor, and offboarding expectations are being formalized and linked to product and legal review.

In progress

Communication and AI boundary

Generated guidance never becomes customer authority.

Consent, suppression, shop/channel feature gates, provider readiness, approval, queue state, and delivery evidence remain deterministic application decisions outside the model.

Operational evidence

A control is not complete because code exists.

Deployment configuration, owner assignment, provider transition, alerting, recovery drills, and production proof are required before a local implementation is marked complete.

Report a vulnerability

Security reports use a separate disclosure path.

Do not include customer data or active secrets in an initial report. The published security contact provides scope, response expectations, and safe-harbor boundaries.

View security.txt

Vulnerability disclosure

A bounded path for good-faith security research.

Report only VehicleDesk-owned surfaces and accounts or data you are authorized to test. Stop immediately after any accidental customer-data, credential, or cross-tenant exposure. The monitored mailbox and qualified legal review remain production launch requirements.

In scope

VehicleDesk-owned product surfaces.

Public VehicleDesk properties and the authenticated CRM/API are in scope when you use only your own authorized account and data. Tenant isolation, authentication, authorization, export, portal, booking, webhook, integration, messaging, and AI-boundary defects are useful reports.

Out of scope

No third-party, disruptive, or privacy-invasive testing.

Do not test Shopmonkey, Google, OpenAI, Twilio, Resend, Cloudflare, Railway, GitHub, customer sites, or other third parties. No denial of service, credential attacks, social engineering, spam, persistence, destructive changes, data exfiltration, or high-volume scanning.

Good-faith safe harbor

Authorized research must remain bounded and confidential.

VehicleDesk will not recommend or pursue legal action solely for good-faith research that follows the published scope, uses authorized accounts/data, avoids harm, stops after demonstrating the issue, and is reported promptly. This does not authorize unlawful activity or testing third-party systems.

Response targets

Clear acknowledgement and coordination expectations.

Targets are acknowledgement within three staffed business days, initial triage within seven, and an update at least every 14 staffed business days while an accepted report remains open. These are coordination targets, not a payment or remediation-time guarantee.

How to report

Start with a minimal, non-sensitive email.

Email security@vehicledesk.io with the affected surface, impact, minimal steps using your own data, and UTC references. Do not email credentials, active secrets, raw customer data, exploit archives, or provider payloads. Ask for a secure transfer method when sensitive evidence is necessary.

Start a report

Practical workflow review

Include security and data-boundary questions in the workflow review.

Bring one real workflow. We will show what VehicleDesk can support today, what remains controlled, and what setup would require.