Security Policy
| Field | Value |
|---|---|
| Document Owner | Chief Technology Officer |
| Version | 2 |
| Effective Date | April 1, 2026 |
| Last Reviewed | April 1, 2026 |
| Next Review | One year from effective date |
| Classification | External — Shareable with Dealership Clients under NDA |
1. Scope
This Policy applies to:
- All Carbuki personnel, contractors, and systems
- All data processed through Carbuki's platform, including consumer data handled on behalf of dealership clients
- All third-party subprocessors used in delivering Carbuki's services
2. Security Governance
2.1 Ownership
Security governance at Carbuki is owned by the CTO. Policies are reviewed at minimum annually, or following a material security incident, significant architectural change, or change in regulatory requirements.
2.2 Access Governance
Access to systems and data is granted on a need-to-know, least-privilege basis. Access rights are:
- Assigned by role and job function
- Reviewed when roles change or employment ends, and reviewed comprehensively at least every six months
- Revoked promptly upon departure or role change
3. Data Classification
Carbuki processes the following categories of data on behalf of dealership clients:
| Category | Examples | Handling |
|---|---|---|
| Consumer Contact Information | Name, phone, email, address | Encrypted at rest and in transit; access restricted by role |
| Vehicle Information | VIN, make/model, service history | Encrypted at rest and in transit |
| Call Audio and Transcripts | Recorded calls, AI-generated transcripts | Encrypted at rest; retention per Section 12 |
| Campaign and Inquiry Metadata | Lead source, engagement timestamps | Encrypted at rest |
| Aggregated/Anonymized Reporting | Performance metrics, trends | Anonymized prior to retention |
Carbuki does not collect, store, or process the following categories in the normal course of service: Social Security Numbers, driver's license numbers, financial account numbers, payment card data, or credit application data. If a dealership integration would require Carbuki to handle any of these categories, a separate data processing addendum is required.
4. Access Control
| Control Domain | Current Practice | Status |
|---|---|---|
| Authentication | Unique credentials required for all system access; SSO required where supported | Enforced |
| Password Policy | Minimum 14-character passwords; password manager required for all employees | Enforced |
| Multi-Factor Authentication | MFA required for all production system, cloud console, and SaaS admin access | Enforced |
| Role-Based Access Control | Access scoped to job function; engineers do not have access to dealership-facing production data by default | Enforced |
| Privileged Access | Admin/root access limited to the CTO and designated engineers; all privileged actions logged and audited | Enforced |
| Access Revocation | Privileged access revoked within 1 hour of termination notice; standard access revoked within 24 hours (same business day for involuntary terminations) | Enforced |
| Periodic Access Review | All access reviewed at least every 6 months by the CTO | Enforced |
5. Data Protection
5.1 Encryption
| Control Domain | Current Practice |
|---|---|
| Encryption in Transit | TLS 1.2 or higher for all data transmitted between systems, APIs, and users. TLS 1.3 preferred. Modern cipher suites only; no support for deprecated protocols (SSLv3, TLS 1.0/1.1) |
| Encryption at Rest | AES-256 encryption for all production data stores, including databases, object storage, and backups |
| Call Recording Storage | Call audio and transcripts stored using AES-256 encryption; access restricted to authorized Carbuki personnel and the originating dealership |
| Key Management | Encryption keys managed via AWS KMS; keys stored separately from encrypted data; key rotation performed at least annually |
5.2 Data Isolation
- Each dealership client's data is logically isolated through tenant identifier enforcement at both the application and database layers. Cross-tenant data access is prevented by design and verified through automated testing.
- Production and development/testing environments are fully segmented, with separate credentials, networks, and data stores. Production data is not copied to non-production environments; synthetic or anonymized data is used for testing.
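The tenant-isolation design described above, as an added illustration that is not Carbuki's code: a request carries an authenticated tenant identifier, every repository query binds that identifier as a predicate (the application-layer control), and every returned row is re-checked against it so that a query that forgot its predicate fails closed instead of leaking another tenant's rows. The database-layer control in a real deployment (for example row-level security) is assumed and not shown; the table name, column names, `TenantContext` and the sample rows are constructed for this example. The `cross_tenant_access_is_prevented` function is the kind of automated check the policy refers to.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample rows for two hypothetical tenants; not real dealership data.
SAMPLE_LEADS = [
    ("dealer-A", 1, "Alice Example", "+15555550101"),
    ("dealer-A", 2, "Bob Example", "+15555550102"),
    ("dealer-B", 3, "Carol Example", "+15555550201"),
]

COLUMNS = "tenant_id, lead_id, name, phone"


class TenantIsolationError(Exception):
    """Raised when a result set contains a row belonging to another tenant."""


@dataclass(frozen=True)
class TenantContext:
    """The authenticated tenant for the current request (hypothetical type)."""
    tenant_id: str


def build_db() -> sqlite3.Connection:
    """Create an in-memory leads table shared by all tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE leads (tenant_id TEXT NOT NULL, lead_id INTEGER PRIMARY KEY, "
        "name TEXT NOT NULL, phone TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO leads VALUES (?, ?, ?, ?)", SAMPLE_LEADS)
    return conn


class LeadRepository:
    """All reads go through _run, which verifies every returned row against
    the request's tenant after the scoped SQL has already filtered by it."""

    def __init__(self, conn: sqlite3.Connection, ctx: TenantContext):
        self.conn = conn
        self.ctx = ctx

    def _run(self, sql: str, params: tuple = ()) -> list:
        rows = self.conn.execute(sql, params).fetchall()
        # Defense in depth: even if a query forgets its tenant predicate,
        # a foreign row is rejected before it can reach application code.
        for row in rows:
            if row[0] != self.ctx.tenant_id:
                raise TenantIsolationError(
                    f"row for tenant {row[0]!r} returned to tenant {self.ctx.tenant_id!r}"
                )
        return rows

    def list_leads(self) -> list:
        # Application layer: tenant_id is always bound as a predicate.
        return self._run(
            f"SELECT {COLUMNS} FROM leads WHERE tenant_id = ?", (self.ctx.tenant_id,)
        )

    def get_lead(self, lead_id: int):
        rows = self._run(
            f"SELECT {COLUMNS} FROM leads WHERE tenant_id = ? AND lead_id = ?",
            (self.ctx.tenant_id, lead_id),
        )
        return rows[0] if rows else None


def cross_tenant_access_is_prevented(conn: sqlite3.Connection) -> bool:
    """Automated isolation check: tenant B must not see tenant A's lead, and an
    unscoped query (a simulated missing predicate) must be caught by _run."""
    repo_b = LeadRepository(conn, TenantContext("dealer-B"))
    if repo_b.get_lead(1) is not None:  # lead 1 belongs to dealer-A
        return False
    if [r[0] for r in repo_b.list_leads()] != ["dealer-B"]:
        return False
    try:
        repo_b._run(f"SELECT {COLUMNS} FROM leads")  # no tenant predicate
    except TenantIsolationError:
        return True
    return False


if __name__ == "__main__":
    print("isolation check passed:", cross_tenant_access_is_prevented(build_db()))
```

The row re-check is cheap and catches the most common isolation regression, a new query written without the tenant predicate; running `cross_tenant_access_is_prevented` in CI turns the policy's "verified through automated testing" into a concrete gate.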
5.3 Secure Deletion
"Secure deletion" throughout this Policy refers to data destruction methods consistent with NIST SP 800-88 Guidelines for Media Sanitization, including cryptographic erasure for cloud-hosted data and overwrite or physical destruction for any local media.
6. AI Systems and Voice Technology
Carbuki operates AI-driven voice and conversational systems. The following controls apply specifically to those systems:
| Control Domain | Current Practice |
|---|---|
| LLM Provider Data Use | Carbuki uses Gemini under enterprise terms that prohibit training on Carbuki or dealership data. No customer data is used to train third-party models. |
| Voice Synthesis | ElevenLabs is used for text-to-speech only. No consumer PII is sent to ElevenLabs; only generated agent script text is processed. Voice models used are licensed for commercial use. |
| Prompt Injection Defenses | System prompts and user-supplied content are isolated; production prompts are versioned and reviewed prior to deployment |
| Hallucination and Accuracy Controls | AI agents operate from approved scripts and knowledge bases; out-of-scope queries are escalated rather than answered speculatively |
| Human Escalation | Calls can be escalated to a human representative on consumer request or upon detection of sensitive scenarios (complaints, legal threats, vulnerable callers) |
| Disclosure | AI agents identify themselves as automated systems at call start, consistent with applicable state AI disclosure laws |
| Call Recording Consent | Recording disclosure provided at call start; calling practices configured to comply with all-party-consent state requirements |
7. Compliance and Certifications
| Framework | Current Practice | Status |
|---|---|---|
| SOC 2 Type II | Audit of trust service criteria: Security, Availability, Confidentiality | In progress, target completion Q4 2026 |
| CCPA / CPRA | Controls aligned to California consumer privacy requirements; consumer rights request process documented in the Privacy Policy | In place |
| GLBA Support | Safeguards designed to support dealership clients' GLBA Safeguards Rule obligations as a service provider | In place |
| TCPA Support | Outbound calling controls described in Section 6 and Section 8; certification of consent and DNC compliance is the dealership's responsibility under contract | In place |
7.1 Consumer Rights Requests
Carbuki supports dealership clients in responding to consumer requests under CCPA/CPRA and analogous state laws, including requests for access, deletion, and opt-out of sale/sharing. Carbuki acts as a service provider and does not sell consumer data. Requests are processed within statutory timeframes. Full details are available in the Carbuki Privacy Policy at https://carbuki.com/privacy.
8. TCPA and Telephony Compliance Controls
While certification of consent and DNC list compliance is the dealership's contractual responsibility, Carbuki provides the following technical controls to support dealership compliance:
- DNC list scrubbing supported via integration with internal DNC database
- Time-of-day calling restrictions enforced by recipient area code (default 8am–9pm local time, configurable per dealership within statutory limits)
- Per-campaign frequency caps to prevent over-contacting
- Consent metadata capture and audit trail at the lead-record level
- Call recording disclosure prompts configurable per state requirement
- Immediate honoring of in-call opt-out requests with propagation to all active campaigns
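The calling controls listed above, as an added example of how a platform can combine them into one eligibility check; this is illustrative code, not Carbuki's implementation. It assumes E.164 numbers, a hypothetical area-code-to-time-zone table (constructed and deliberately tiny here), a per-dealership `CallingPolicy` that may narrow but not widen the default 8am to 9pm window, a scrubbed DNC set, a per-campaign attempt counter, and a single global opt-out set so that an in-call opt-out is honored by every campaign at once. Unknown area codes fail closed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed, deliberately tiny area-code -> IANA zone table for illustration.
# A production system would use a complete, maintained NANP dataset.
AREA_CODE_TZ = {
    "212": "America/New_York",
    "312": "America/Chicago",
    "415": "America/Los_Angeles",
    "808": "Pacific/Honolulu",
}


@dataclass(frozen=True)
class CallingPolicy:
    """Per-dealership window and cap; defaults mirror the 8am-9pm window above."""
    start_hour: int = 8       # first local hour in which a call may start
    end_hour: int = 21        # calls must start before this local hour (9pm)
    max_attempts_per_campaign: int = 3

    def __post_init__(self):
        # A dealership may narrow the window but never widen it past the default.
        if self.start_hour < 8 or self.end_hour > 21 or self.start_hour >= self.end_hour:
            raise ValueError("calling window must lie within 08:00-21:00 local time")


@dataclass
class ComplianceState:
    dnc_numbers: set = field(default_factory=set)   # scrubbed DNC entries
    opted_out: set = field(default_factory=set)     # in-call opt-outs, global
    attempts: dict = field(default_factory=dict)    # (campaign_id, phone) -> count


def area_code(phone: str) -> str:
    """Extract the NANP area code from an E.164 number such as +12125550100."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) != 11 or digits[0] != "1":
        raise ValueError(f"not a NANP E.164 number: {phone!r}")
    return digits[1:4]


def local_time(phone: str, now_utc: datetime):
    """Recipient's local time, or None when the area code is unmapped."""
    zone = AREA_CODE_TZ.get(area_code(phone))
    return now_utc.astimezone(ZoneInfo(zone)) if zone else None


def check_call_allowed(campaign_id: str, phone: str, now_utc: datetime,
                       state: ComplianceState, policy: CallingPolicy) -> tuple:
    """Return (allowed, reason); the reason string feeds the audit trail."""
    if phone in state.opted_out:
        return False, "opted-out"
    if phone in state.dnc_numbers:
        return False, "dnc"
    local = local_time(phone, now_utc)
    if local is None:
        return False, "unknown-timezone"  # fail closed rather than guess
    if not policy.start_hour <= local.hour < policy.end_hour:
        return False, "outside-calling-window"
    if state.attempts.get((campaign_id, phone), 0) >= policy.max_attempts_per_campaign:
        return False, "frequency-cap"
    return True, "ok"


def record_attempt(campaign_id: str, phone: str, state: ComplianceState) -> None:
    """Count one dial attempt toward the per-campaign frequency cap."""
    key = (campaign_id, phone)
    state.attempts[key] = state.attempts.get(key, 0) + 1


def record_opt_out(phone: str, state: ComplianceState) -> None:
    """An in-call opt-out is stored once and applies to every campaign immediately."""
    state.opted_out.add(phone)


if __name__ == "__main__":
    now = datetime(2026, 4, 1, 13, 30, tzinfo=timezone.utc)  # 09:30 in New York
    print(check_call_allowed("spring-service", "+12125550100", now,
                             ComplianceState(), CallingPolicy()))
```

Evaluating the checks in the order opt-out, DNC, local time, frequency cap means the consumer-initiated controls always win, and passing `now_utc` in rather than reading the clock keeps the check deterministic enough to cover with automated tests across time zones and DST boundaries.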
9. Secure Development
- Material changes to customer-facing systems require review and approval by the CTO or designated engineering lead before deployment
- Developers follow secure coding practices aligned with the OWASP Top 10; all code changes require peer review before merging to production
- Dependencies are scanned for known vulnerabilities as part of the CI/CD workflow; high and critical findings block deployment
- Independent third-party penetration testing performed at least annually; results and remediation status available to dealership clients under NDA
- Static application security testing (SAST) and software composition analysis run on every pull request
10. Incident Response
10.1 Process
Carbuki maintains a documented incident response process covering:
- Detection and classification of potential security events
- Containment, investigation, and remediation
- Post-incident review and documented lessons learned
- Tabletop exercises conducted at least annually
10.2 Notification
In the event of a security incident reasonably believed to involve dealership client data or consumer personal information:
- Carbuki will notify affected dealership clients within 72 hours of becoming aware of the incident
- Initial notification will include: nature of the incident, data categories affected, estimated scope, containment actions taken, and known remediation steps
- Carbuki will provide updates as the investigation progresses and a post-incident summary upon closure
- Carbuki will cooperate with the dealership's own incident response and regulatory notification obligations, including any applicable state breach notification laws, GLBA Safeguards Rule notification, and FTC reporting requirements
10.3 Point of Contact
Security incidents and concerns should be reported to:
- Email: security@carbuki.com
- Subject Line: [SECURITY INCIDENT] — Carbuki
- Response SLA: Acknowledgment within 4 business hours; substantive response within 24 hours
11. Vendor and Subprocessor Management
Carbuki evaluates third-party vendors and subprocessors before engagement and limits their access to what is reasonably necessary. Material changes to the subprocessor list are communicated to dealership clients with reasonable advance notice.
| Vendor | Role | Security Posture | Data Touched |
|---|---|---|---|
| Twilio | Voice/SMS telephony routing | SOC 2 Type II, ISO 27001 | Phone numbers, call audio in transit |
| ElevenLabs | AI voice synthesis (TTS) | Enterprise security controls; SOC 2 Type II | Agent script text only (no consumer PII) |
| Gemini | Conversational AI | SOC 2 Type II; enterprise no-training terms | Conversation context (no persistent storage) |
| AWS | Platform infrastructure | SOC 2 Type II, ISO 27001, PCI DSS | All platform data at rest |
| AWS | Application error tracking | SOC 2 Type II | Application metadata (PII scrubbed) |
| xtime/mykaarma | Dealership data sync | Per integration | Consumer contact and vehicle data |
A complete and current subprocessor list is available to dealership clients upon request under NDA.
12. Data Retention and Disposal
| Data Type | Retention Period | Disposal Method |
|---|---|---|
| Call recordings | 90 days default; configurable per dealership | Secure deletion (NIST SP 800-88) |
| Call transcripts | 12 months | Secure deletion |
| Campaign contact lists | Duration of engagement + 30 days | Secure deletion |
| Website inquiry data | 12 months | Secure deletion |
| Aggregate reporting | 24 months (anonymized) | Retained anonymized |
| System and access logs | 12 months | Secure deletion |
| Backups | 30 days rolling | Secure deletion |
Upon termination of a dealership engagement, all client data is deleted within 30 days unless a longer retention period is required by law or contractually agreed.
13. Personnel Security
13.1 Employee and Contractor Responsibilities
- Protect credentials and never share passwords or access tokens
- Use only approved systems and processes for handling company or client data
- Report suspected security incidents or vulnerabilities promptly to the CTO at security@carbuki.com
- Follow applicable policies; written acknowledgment required upon onboarding and annually thereafter
- Background checks conducted on all employees and contractors with access to production systems, consistent with applicable law
13.2 Training and Awareness
- Security awareness training required during onboarding and at least annually thereafter via KnowBe4
- Quarterly phishing simulations
- Periodic reminders on phishing, credential hygiene, and data handling
- Role-specific training for engineers on secure coding practices
14. Physical Security and Endpoint Management
- Unauthorized physical access to work environments and equipment is restricted
- Remote work follows the same security standards as in-office access; use of public Wi-Fi requires VPN
- Lost or stolen devices must be reported to the CTO immediately for remote wipe and credential rotation
- Personal devices (BYOD) are not permitted to access production systems or store dealership data
15. Business Continuity and Disaster Recovery
- Critical data backed up daily with 30-day rolling retention
- Backups stored in a separate region from primary data stores
- Backup integrity tested quarterly through restoration exercises
- Recovery objectives for core platform services:
  - RTO (Recovery Time Objective): 8 hours
  - RPO (Recovery Point Objective): 1 hour
- Disaster recovery plan reviewed and tested at least annually
16. Policy Review and Change Management
This Policy is reviewed at minimum annually and updated to reflect changes in operations, technology, or legal requirements. Material changes will be communicated to dealership clients with at least 30 days' advance notice where practicable. A version history is maintained and prior versions are available upon request.
17. Contact
| Purpose | Contact |
|---|---|
| Security incidents | security@carbuki.com — Subject: [SECURITY INCIDENT] — Carbuki |
| Vendor assessments and security questionnaires | security@carbuki.com — Subject: Vendor Assessment |
| General security policy inquiries | security@carbuki.com — Subject: Security Policy Inquiry |
| All other inquiries | support@carbuki.com |
This document represents Carbuki's security posture as of the Effective Date. It is provided for the information of dealership clients and prospective clients under NDA and does not create contractual obligations except as incorporated by reference into a signed agreement.