Updated 2026-06-08
CARMA runs on cloud infrastructure (AWS, Cloudflare, and our managed Postgres provider) that maintains SOC 2 Type II and ISO 27001 attestations. CARMA's own SOC 2 program is in progress; current status is available on request.
All traffic is encrypted in transit with TLS 1.2+. Workspace data is encrypted at rest with AES-256 by our hosting provider.
Each dealership workspace is logically isolated. Row-level security policies in the database prevent cross-tenant access at the data layer.
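As an added illustration of the row-level security approach described above (example code written for this page, not CARMA's schema or policies), this is what a Postgres tenant-isolation policy looks like. The table `leads`, the column `workspace_id`, the role `app_rw`, and the session setting `app.current_workspace` are all assumed names.

```sql
-- Added example of Postgres row-level security for tenant isolation.
-- Table, column, role and setting names are assumptions, not CARMA's schema.

CREATE TABLE leads (
    id            bigserial PRIMARY KEY,
    workspace_id  uuid NOT NULL,
    phone         text NOT NULL,
    consent_at    timestamptz
);

-- Enable RLS, and FORCE it so the table owner is subject to the policy too.
-- Superusers and roles with BYPASSRLS still skip RLS, so the application
-- role must be neither.
ALTER TABLE leads ENABLE ROW LEVEL SECURITY;
ALTER TABLE leads FORCE ROW LEVEL SECURITY;

CREATE ROLE app_rw NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON leads TO app_rw;
GRANT USAGE ON SEQUENCE leads_id_seq TO app_rw;

-- Every read (USING) and every write (WITH CHECK) is restricted to the
-- workspace named in the session setting. current_setting(..., true)
-- returns NULL when the setting is absent, and NULLIF guards an empty
-- string, so a connection that never set its tenant sees no rows and can
-- insert none, rather than seeing everything.
CREATE POLICY tenant_isolation ON leads
    FOR ALL
    TO app_rw
    USING (workspace_id =
           NULLIF(current_setting('app.current_workspace', true), '')::uuid)
    WITH CHECK (workspace_id =
           NULLIF(current_setting('app.current_workspace', true), '')::uuid);

-- Usage: the application sets the tenant at the start of each transaction.
-- SET LOCAL is scoped to the transaction, so a pooled connection reused by
-- another request does not carry the previous tenant with it.
BEGIN;
SET LOCAL app.current_workspace = '00000000-0000-0000-0000-000000000001';
SELECT id, phone FROM leads;          -- only this workspace's rows
INSERT INTO leads (workspace_id, phone)
VALUES ('00000000-0000-0000-0000-000000000002', '+15555550100');
-- ERROR:  new row violates row-level security policy for table "leads"
ROLLBACK;
```

The check a reviewer would want is in the last statement: an insert tagged with a different workspace is rejected by the `WITH CHECK` clause, so isolation holds for writes as well as reads. The two remaining ways around the policy are a role with `BYPASSRLS` or a superuser connection, which is why the application role is granted neither and why production access is worth keeping to named engineers under audit logging.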
Access inside the workspace is role-based, staff accounts use single sign-on, and CARMA personnel have least-privilege internal access. Production access is restricted to named engineers under audit logging.
Workspace data is stored in the United States. We retain data for the life of your subscription and for a 30-day export window after cancellation, after which it is deleted. Consumer deletion requests are honored within 30 days.
Our subprocessor list (cloud host, telephony, email) is available on request to legal@carmaloop.ai. A Data Processing Addendum is available for signature before any production data is loaded.
TCPA: quiet-hour enforcement per consumer time zone, STOP and HELP keyword handling, and per-lead consent logging are enforced in the messaging layer. CAN-SPAM: every email carries a working unsubscribe link. CCPA and CPRA: consumer rights requests can be filed at privacy@carmaloop.ai.
We respond to SIG Lite and CAIQ Lite questionnaires within five business days. Email security@carmaloop.ai.
Email security@carmaloop.ai. We acknowledge within one business day and assign a severity within five.