Security & Data Protection
Your dealership's data, locked down.
Deals, credit applications, customer records and trade files are some of the most sensitive data a dealership holds. Here's exactly how MarketSync protects it — in plain language.
Encrypted in transit
Every request between your browser, our app and the database runs over TLS (HTTPS). Nothing moves in the clear.
Field-level encryption
The most sensitive fields — SIN/SSN and date of birth on credit apps, plus any vendor credentials — are encrypted with AES-256-GCM before they're stored, on top of the database's own at-rest encryption.
Per-dealership isolation
Every record is scoped to your store. One dealership can never see another's inventory, customers, deals or numbers.
Role-based access
Owners, managers and salespeople see only what their role allows. Gross, commissions and store-wide numbers stay with management.
Audited sensitive access
Whenever an encrypted SIN or DOB is revealed, we log who did it and when — so there's an accountability trail on the data that matters most.
Payments handled by Stripe
Card details go straight to Stripe (PCI-DSS Level 1). MarketSync never sees or stores a card number.
Sensitive personal information
Credit applications require the most sensitive data a customer will ever hand you. On MarketSync, the SIN/SSN and date of birth are encrypted with AES-256-GCM using a dedicated encryption key that is separate from the database, so a database copy alone can't reveal them. The system fails closed: if the encryption key isn't present, MarketSync refuses to store the data rather than save it unprotected. In the interface these fields are masked, and revealing one is explicitly logged.
Consent, captured
A credit application can't move to a lender without the customer's authorization on record. MarketSync timestamps that consent so there's a clear record before any credit is pulled.
Integrations you control
When you connect a tool — QuickBooks, Xero, Twilio, a webhook — you authorize it, and you can disconnect it any time. Access tokens are stored encrypted. Outbound webhooks are signed with an HMAC-SHA256 signature so the receiving system can verify the message genuinely came from MarketSync and wasn't tampered with. You choose which events flow out.
Infrastructure & availability
MarketSync runs on managed cloud infrastructure with encryption at rest on the database and regular automated backups. Application servers and the database are operated by established providers with their own physical and network security controls.
Privacy & compliance
We build to align with Canadian privacy law (PIPEDA) and applicable provincial regulations, and we're actively hardening our controls toward formal SOC 2 readiness. We're happy to walk security-conscious dealer groups through our current posture — just reach out.
Report a security issue
Found something that looks off? We want to hear about it. Email our team and we'll respond quickly. Please give us a reasonable window to investigate and fix before any public disclosure.
security@marketsync.link