Encryption
AES-256-GCM at rest. TLS 1.3 in transit. AWS-grade KMS for application secrets and provider credentials. Database backups are encrypted with separate keys.
Security and Compliance
Built for shops that take customer data seriously.
Encryption, authentication, and data residency built in. The technical detail is here for your IT person or your MSP. Talk to us if you have a specific compliance requirement and we will get it answered.
Security pillars
Technical posture
The technical posture, in plain terms.
Authentication
Sign in with Apple and Firebase Auth for shop staff. Magic-link sign-in for customers. No passwords are stored — we never have a password database to leak.
Data residency
US-only. Every tenant’s primary database lives in a US data center on Cloudflare D1. We don’t replicate CollisionLoop customer data outside the US.
Compliance
Where we are on compliance.
What we have, what is in progress, and what is out of scope.
SOC 2 Type II
In progress
Type I report expected Q3 2026. Type II report expected Q4 2026. Both will be available under NDA to Pro+ and Enterprise customers.
GDPR / CCPA
Compliant
Customer data deletion on request, data export on request, and a documented Data Processing Addendum available for customers handling EU or California residents.
HIPAA
Not in scope
Collision shops do not handle protected health information. If your shop serves a population where this changes, talk to us — we will scope it.
Security questions
Frequently asked
Security questions
Where is customer data physically stored?
In the United States. The primary database for every CollisionLoop tenant lives in a US data center on Cloudflare D1 (Eastern North America region). We do not replicate or store CollisionLoop customer data outside the US.
How are payment credentials protected?
We never see your full Stripe secret or Square access token in plaintext. Provider credentials are encrypted with AWS-grade KMS at the application layer before they hit the database. Card data itself is tokenized by Stripe and Square and never touches our infrastructure.
Can I delete a customer’s data on request?
Yes. Any customer record (and the repair orders, photos, and payment events attached to it) can be deleted from the dashboard. Deletion is propagated to backups within 30 days per our retention policy. We will provide a deletion certificate on request.
Do you do penetration testing?
Yes. We run an annual third-party penetration test starting in Q3 2026, in addition to continuous automated scanning. Test results are available under NDA on the Pro+ plan and to Enterprise customers.
What happens if there is a breach?
We have a documented incident response plan that includes customer notification within 72 hours for any incident affecting your data, root-cause analysis within 14 days, and a remediation plan. Enterprise customers get a dedicated breach contact and SLA-backed notification.
Can I export my data?
Yes. Full CSV export of repair orders, customers, vehicles, and payment events is available from the dashboard. API export of the same data is available on Pro+. There is no charge for export and no lock-in.
Talk to our team about your specific compliance needs.
If you are a multi-location group, an insurer DRP partner, or a fleet operator with a procurement checklist, we will work through it with you directly.