SOC 2 Type II. Plain English here.
Dealer groups audit their vendors. AutoEngage operates inside the customer record of a top 5 auto group, on a 5+ year continuous deployment, under the same security and TCPA controls IT and compliance teams expect from enterprise vendors. The page below is the documentation, written without the marketing fog.
The three certifications dealer-group IT and compliance ask about on every call.
SOC 2 Type II for the platform, TCPA for who Lisa is allowed to message, 10DLC for how the messages are carried. Below is what each one means for AutoEngage in practice — not a marketing summary.
SOC 2 Type II
Independent audit of our security, availability, and confidentiality controls. Type II report covers a continuous observation period and is available under MNDA.
Telephone Consumer Protection Act
Lisa only messages customers your dealership has the legal right to contact under TCPA, with consent and revocation tracked in the conversation record. Quiet-hours enforcement is built in.
A2P Messaging Registered
Branded SMS sender registration on the 10DLC framework, with carrier-approved campaign types. Each rooftop ships with its own registered brand and use case.
What Lisa sees, where it goes, how long it stays.
The honest version. Lisa operates inside the customer record your DMS already maintains. She doesn't collect data the dealership isn't already holding, and customer-identifiable records don't leave the integration boundary. Below is the full category and retention map.
Identity & contact
Name, mobile phone number, email address — sourced from your DMS customer record. Lisa never asks the customer for re-verification of contact details.
Vehicle & service history
VIN, year/make/model, mileage, OEM warranty status, prior service records, declined-services list — read from the DMS through the live integration.
Conversation transcripts
Inbound and outbound SMS messages between the customer and Lisa, plus message-level metadata (delivery status, response timing, intent classification).
Booking & handoff metadata
Appointments Lisa books into your DMS, advisor assignments, and the timestamp on any human handoff. Used for reporting and quality review only.
How long records stick around — and how they go.
Retained for the engagement
Customer records, conversation transcripts, and DMS-derived metadata are retained for the duration of the dealer's AutoEngage engagement, and as required to operate the eleven retention motions on each customer.
Deletion within 90 days
On engagement termination, all customer-identifiable data is deleted from active systems within 90 days unless a longer retention is required by law. Anonymized aggregate metrics may be retained indefinitely for benchmarking.
Per-customer deletion
Individual customer deletion requests are processed within 30 days of receipt by the dealer or by AutoEngage directly. The DMS record stays where it lives — with you.
STOP / opt-out is permanent
Any customer who replies STOP, UNSUBSCRIBE, or any TCPA-defined opt-out keyword is added to a permanent suppression list. Lisa will never message that number again, across any rooftop, even if a new dealer agreement is signed.
DMS systems Lisa integrates with.
Each integration below is contracted under that vendor's certified API surface and data-handling agreement, and is in scope for AutoEngage's SOC 2 audit boundary. Reviewed annually.
Where Lisa reads and writes customer data.
Each connects to your DMS through the vendor's certified API surface, carrying customer-identifiable data inside AutoEngage's SOC 2 audit boundary.
DMS integration platform for CDK Drive read/write. Fortellis is CDK's certified API surface; AutoEngage is a registered Fortellis partner.
Reynolds Certified Interface for ERA service-record read/write. AutoEngage is a certified RCI partner.
Direct DMS and scheduler integrations for Tekion, Cox Automotive DealerTrack, PBS, DealerBuilt (certified partner), and Xtime. Each is contracted under that vendor's API and data-handling agreement.
Documents your IT and legal teams will ask for.
The SOC 2 Type II report, the Data Processing Addendum (DPA), the current sub-processor list, and the security-questionnaire packet are all available on request under MNDA. We send the packet within one business day of an inbound request.
Use the contact form. We answer fast.
Select the compliance or vendor-security topic on the contact form and we'll route your request directly. The full packet — SOC 2 Type II, DPA, sub-processor list, security questionnaire — is sent within one business day.
Open the contact form →Then let's talk about your retention numbers.
30-minute walkthrough. We'll skip the security primer and go straight to the eleven retention motions and what your group's first-2-year recapture math looks like.
Request a demoHave a specific compliance or security question? Get in touch →