/ Security & Compliance

SOC 2 Type II. Plain English here.

Dealer groups audit their vendors. AutoEngage operates inside the customer record of a top 5 auto group, on a 5+ year continuous deployment, under the same security and TCPA controls IT and compliance teams expect from enterprise vendors. The page below is the documentation, written without the marketing fog.

Independently audited · SOC 2 Type II · Active. Type II report covering a continuous observation period available under MNDA on request.
/ Compliance posture

The three certifications dealer-group IT and compliance ask about on every call.

SOC 2 Type II for the platform, TCPA for who Lisa is allowed to message, 10DLC for how the messages are carried. Below is what each one means for AutoEngage in practice — not a marketing summary.

Audited · SOC 2 Type II

Independent audit of our security, availability, and confidentiality controls. Type II report covers a continuous observation period and is available under MNDA.

TCPA · Telephone Consumer Protection Act

Lisa only messages customers your dealership has the legal right to contact under TCPA, with consent and revocation tracked in the conversation record. Quiet-hours enforcement is built in.

10DLC · A2P Messaging Registered

Branded SMS sender registration on the 10DLC framework, with carrier-approved campaign types. Each rooftop ships with its own registered brand and use case.
/ Data handling

What Lisa sees, where it goes, how long it stays.

The honest version. Lisa operates inside the customer record your DMS already maintains. She doesn't collect data the dealership isn't already holding, and customer-identifiable records don't leave the integration boundary. Below is the full category and retention map.

Customer record · Identity & contact

Name, mobile phone number, email address — sourced from your DMS customer record. Lisa never asks the customer for re-verification of contact details.

Vehicle · Vehicle & service history

VIN, year/make/model, mileage, OEM warranty status, prior service records, declined-services list — read from the DMS through the live integration.

Conversation · Conversation transcripts

Inbound and outbound SMS messages between the customer and Lisa, plus message-level metadata (delivery status, response timing, intent classification).

Operational · Booking & handoff metadata

Appointments Lisa books into your DMS, advisor assignments, and the timestamp on any human handoff. Used for reporting and quality review only.

/ Retention & deletion

How long records stick around — and how they go.

While active · Retained for the engagement

Customer records, conversation transcripts, and DMS-derived metadata are retained for the duration of the dealer's AutoEngage engagement, and as required to operate the eleven retention motions on each customer.

After offboarding · Deletion within 90 days

On engagement termination, all customer-identifiable data is deleted from active systems within 90 days unless a longer retention is required by law. Anonymized aggregate metrics may be retained indefinitely for benchmarking.

Customer request · Per-customer deletion

Individual customer deletion requests are processed within 30 days of receipt by the dealer or by AutoEngage directly. The DMS record stays where it lives — with you.

Carrier · STOP / opt-out is permanent

Any customer who replies STOP, UNSUBSCRIBE, or any TCPA-defined opt-out keyword is added to a permanent suppression list. Lisa will never message that number again, across any rooftop, even if a new dealer agreement is signed.

/ Sub-processors

DMS systems Lisa integrates with.

Each integration below is contracted under that vendor’s certified API surface and data-handling agreement, and is in scope for AutoEngage’s SOC 2 audit boundary. Reviewed annually.

DMS integrations

Where Lisa reads and writes customer data.

Each connects to your DMS through the vendor’s certified API surface, carrying customer-identifiable data inside AutoEngage’s SOC 2 audit boundary.

CDK Global · Fortellis

DMS integration platform for CDK Drive read/write. Fortellis is CDK's certified API surface; AutoEngage is a registered Fortellis partner.

DMS integration
Reynolds & Reynolds · RCI

Reynolds Certified Interface for ERA service-record read/write. AutoEngage is a certified RCI partner.

DMS integration
Tekion · DealerTrack · PBS · DealerBuilt · Xtime

Direct DMS and scheduler integrations for Tekion, Cox Automotive DealerTrack, PBS, DealerBuilt (certified partner), and Xtime. Each is contracted under that vendor's API and data-handling agreement.

DMS · Scheduler
/ DPA & reports

Documents your IT and legal teams will ask for.

The SOC 2 Type II report, the Data Processing Addendum (DPA), the current sub-processor list, and the security-questionnaire packet are all available on request under MNDA. We send the packet within one business day of an inbound request.

Email us. We answer fast.

Use legal@autoengage.ai for compliance, DPA, MNDA, sub-processor diff, or vendor security questionnaires. Use privacy@autoengage.ai for customer privacy or deletion requests routed through the dealership.

legal@autoengage.ai: Compliance · DPA · MNDA
privacy@autoengage.ai: Privacy · Deletion requests
/ Already vetted us?

Then let's talk about your retention numbers.

30-minute walkthrough. We'll skip the security primer and go straight to the eleven retention motions and what your group's first-2-year recapture math looks like.
