Every framework a modern boat dealership needs, audited and maintained. No asterisks, no coming-soons without dates.
Audited annually by a Big-Four-aligned firm. Covers security, availability, confidentiality, and processing integrity. Latest report available under NDA.
Full data-subject rights, DPA on file, EU representative assigned. Data subject requests fulfilled within 30 days.
California privacy rights supported: access, deletion, correction, portability, opt-out of sale (we never sell). We honor the Global Privacy Control signal.
Consent capture on every SMS, phone, and chat touchpoint. Double opt-in for marketing. Signed consent logs retained for 7 years.
For dealers handling maritime health documentation (e.g., captain medical cards). BAA on request.
Compliant electronic signatures across bills of sale, loan applications, title transfers. Tamper-evident audit trail per signature.
TLS 1.3 in transit. AES-256 at rest across every database, object store, and backup. Keys rotated every 90 days.
Four built-in roles: dealer principal, manager, technician, sales. Every permission is scoped by location and hull. SSO + SAML on Harbor and Fleet tiers.
Every read, write, export, and print is logged with actor, timestamp, and purpose. Exportable to your SIEM via webhook or SFTP.
All customer data stored in us-east-1 and us-west-2 (warm replica). EU data residency option available Q3 2026 for European dealers.
AWS multi-region, automatic failover, read replicas warm in a second region. When something breaks, you'll hear from us before you notice.
Every employee undergoes a criminal background check and signs a confidentiality agreement prior to day one.
Third-party offensive-security firm hits our surface area every 90 days. Summary report available under NDA.
Payouts up to $10,000 for critical vulnerabilities via HackerOne. Over $47k paid out to date.
Vulnerabilities disclosed to security@boater.os are triaged within 24 hours. We publish advisories once patches ship.
We publish every vendor with access to customer data. We notify 30 days before adding a new one.
Our SOC 2 Type II certification covers security, availability, confidentiality, and processing integrity. We undergo a full audit every 12 months with the report made available to qualified enterprise customers under an NDA.
The report documents our controls across access, data encryption, change management, and incident response. We also make a one-page attestation letter available to all customers on request.
We are fully GDPR compliant. All European customers and their end-customers (boat buyers, service leads) benefit from data-subject rights: access, rectification, erasure, portability, and restriction of processing.
We maintain a Data Processing Addendum (DPA) with all customers handling EU resident data. The DPA is available to any customer who needs it — no enterprise tier required. We also maintain an EU representative under GDPR Article 27 to handle data-subject requests directly.
Data-subject requests are processed within 30 days. You can submit requests on behalf of your customers, or we can field them directly.
All four CCPA consumer rights are available to your customers — boat buyers, leads, and service clients in California.
Note: We never sell consumer data. The opt-out right is honored regardless. All responses include the specific data categories we collected and the categories of third parties who accessed it.
Triage within 24 hours. PGP key available on request.
DPA, SOC 2 report, pen-test summary, vendor questionnaires.