Security & Trust
Security, infrastructure, access control, reliability, and incident reporting information for Autopilot services.
Autopilot is designed to help dealerships manage operational workflows, customer information, deal activity, reporting, and related business processes. We take the security and reliability of that information seriously.
This page summarises the security practices, infrastructure providers, and operational controls we use to protect Autopilot. It is intended as a practical overview, not as a complete technical specification or contractual commitment.
Last updated: 23 June 2026
Security overview
Autopilot uses managed cloud infrastructure, role-based access controls, and established service providers to help protect customer information.
Our approach is based on a few core principles:
- limit access to customer information to authorised users and personnel;
- support multi-factor authentication for accounts where enabled;
- use trusted infrastructure providers for hosting, database, authentication, storage, email, billing, and related services;
- protect data in transit using HTTPS/TLS;
- rely on provider-backed redundancy, monitoring, and backup capabilities where available; and
- disclose the third-party providers that may process customer information.
Infrastructure
Autopilot is hosted using established cloud and infrastructure providers.
Core Autopilot services may use providers including:
- Vercel for hosting, deployment, edge network, observability, and related infrastructure;
- Supabase for managed database, authentication, storage, APIs, and backend services;
- Resend for transactional email delivery;
- Stripe for billing, subscriptions, invoicing, tax, and payment-related services; and
- Anthropic for user-requested AI features where enabled.
Infrastructure providers maintain their own security, operational, and resilience programs. Additional information about providers that may process customer information is available on the Subprocessors page.
Autopilot may also use internal operations and support providers for support, engineering, incident response, administration, and operational workflows.
Data protection
Autopilot uses HTTPS/TLS to protect data transmitted between users and Autopilot services.
Customer information is stored and processed using managed infrastructure providers that provide security, access control, redundancy, and backup capabilities as part of their services. The exact information processed depends on the Autopilot features a customer uses, the customer's configuration, and the information users choose to enter into Autopilot.
Autopilot does not use customer information submitted through Autopilot to train public AI models.
Customers are responsible for deciding what information they enter into Autopilot and for ensuring they have the rights, notices, and permissions needed for that use.
Customer data segregation
Autopilot is designed to separate customer information between dealerships and customer accounts through application-level access controls, permissions, and tenancy boundaries.
Autopilot also uses database-level access controls, including Supabase Row Level Security policies, to help enforce access boundaries between users, dealerships, accounts, and permissions where applicable.
Access to customer information is intended to be limited to authorised users associated with the relevant dealership or account, subject to administrative, support, security, and operational requirements.
Access controls
Autopilot includes user access controls intended to limit access to information based on a user's account, dealership, role, permissions, and enabled features.
Authentication and user management are provided through Autopilot and Supabase. Production system access is restricted to authorised personnel and is granted on a least-privilege basis where reasonably practicable.
Autopilot personnel may access customer information where reasonably necessary to provide support, investigate issues, maintain the service, respond to incidents, or meet legal or operational obligations.
Backups and reliability
Autopilot relies on managed infrastructure providers, including Supabase and Vercel, for hosting, database, storage, redundancy, and service reliability capabilities.
Provider-backed redundancy and backup capabilities help support continuity of service and recovery from operational issues. This page does not create a service-level commitment unless a separate written agreement says otherwise.
Subprocessors
Autopilot uses third-party providers to help provide, secure, support, and improve the service.
These providers may process customer information for purposes such as hosting, database services, authentication, email delivery, billing, AI features, support, maintenance, incident response, and internal operations.
The current list of providers is available on the Subprocessors page.
Security incidents
If Autopilot becomes aware of a security incident affecting customer information, we will assess the incident and take appropriate steps based on the nature of the incident, the information involved, applicable law, and any relevant customer agreement.
Where notification is required, Autopilot will notify affected customers or users in accordance with applicable legal and contractual obligations.
Responsible disclosure
If you believe you have found a security vulnerability in Autopilot, please report it to Autopilot using the contact details below.
Please include enough information for us to understand and reproduce the issue, such as affected URLs, steps to reproduce, screenshots, logs, or relevant technical details.
We ask that researchers act in good faith and avoid:
- accessing, modifying, deleting, or exfiltrating customer information;
- disrupting Autopilot services;
- attempting social engineering, phishing, spam, or physical attacks; or
- publicly disclosing a vulnerability before Autopilot has had a reasonable opportunity to investigate and respond.
Contact
For security, privacy, or trust questions, please contact your usual Autopilot representative.
Security reports may also be sent to: