# Security and Compliance
Quikdealer is built for independent auto dealers handling finance data, signatures, and identity documents. This page summarizes the operational controls in place for production.
Security contact: security@quikdealer.com
## Access Control
- Multi-factor authentication is mandatory for all staff.
- RBAC is scoped per dealership and backed by per-command Postgres RLS isolation.
- Application tokens stay in HttpOnly cookies and flow through the BFF proxy.
## Data Protection
- Tenant-scoped pgcrypto encryption protects driver's licences and integration secrets.
- Audit logs are append-only, hash-chained, and sealed daily with a signing key.
- Customer-facing documents render bilingual or French-first for Quebec tenants.
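The append-only, hash-chained audit log with a daily seal is worth seeing end to end. The following is an added illustration, not Quikdealer's code: each entry commits to the previous entry's hash, and a daily seal binds the entry count and head hash under a key. The seal here uses an HMAC-SHA256 stand-in for the signing key (an assumption for the demo; a real deployment would sign with an asymmetric key held in a KMS or HSM), and the verifier reports three distinct failure modes: an edited record, a rewritten-and-rehashed chain, and truncation.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo key standing in for the daily signing key (not a real secret).
SEAL_KEY = b"constructed-demo-seal-key"
GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(record: Dict) -> bytes:
    """Deterministic serialization so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: Dict) -> str:
    """Hash of one entry: commits to the previous entry's hash and this record."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical(record))
    return h.hexdigest()


def append(log: List[Dict], record: Dict) -> Dict:
    """Append a record to the chain; entries are never modified after this."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "prev_hash": prev}
    entry["hash"] = entry_hash(prev, record)
    log.append(entry)
    return entry


def seal(log: List[Dict], key: bytes = SEAL_KEY) -> Dict:
    """Daily seal: MAC over (entry count, head hash). Stands in for a signature."""
    head = log[-1]["hash"] if log else GENESIS
    msg = f"{len(log)}:{head}".encode()
    return {"count": len(log), "head": head,
            "mac": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def verify(log: List[Dict], seal_record: Optional[Dict] = None,
           key: bytes = SEAL_KEY) -> List[str]:
    """Return a list of problems found; an empty list means the log verifies."""
    problems: List[str] = []
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i:
            problems.append(f"seq gap at {i}")
        if e["prev_hash"] != prev:
            problems.append(f"chain break at {i}")
        if e["hash"] != entry_hash(e["prev_hash"], e["record"]):
            problems.append(f"hash mismatch at {i}")
        prev = e["hash"]
    if seal_record is not None:
        if seal_record["count"] > len(log):
            # Entries that were sealed are now missing from the log.
            problems.append("seal covers more entries than present (truncation)")
        else:
            # Recompute the seal over the sealed prefix; a rewritten chain
            # is internally consistent but its head hash no longer matches.
            expected = seal(log[: seal_record["count"]], key)
            if not hmac.compare_digest(expected["mac"], seal_record["mac"]):
                problems.append("seal mismatch")
    return problems


if __name__ == "__main__":
    # Constructed sample entries.
    log: List[Dict] = []
    append(log, {"actor": "alice", "action": "view_licence", "deal": 101})
    append(log, {"actor": "bob", "action": "export_audit", "deal": 102})
    daily_seal = seal(log)
    print("clean log:", verify(log, daily_seal))
    print("truncated log:", verify(log[:1], daily_seal))
```

The chain check catches an in-place edit to any record; the seal check catches the case where someone rewrites entries and recomputes every hash, and the count check catches deletion from the tail. Verification only needs the seal's MAC (or signature) and the key, so a regulator export can carry the log plus its seals for independent checking.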
## Monitoring
- Application liveness and readiness are separated through /healthz and /readyz.
- OFAC data refreshes daily and alerts when the list is stale.
- Sentry alerts cover worker failures and unhealthy syndication channels.
## Control Cadence
| Control | Cadence |
|---|---|
| Access review | Monthly for internal accounts; on request for dealerships |
| Secret rotation | On incident, privileged departure, or vendor change |
| Backups | Daily, with daily and monthly retention |
| Audit verification | Daily seal; full verification on regulator export |