Security

Tenant isolation.
Audit-defensible by design.

Tow yards hold liens worth thousands per vehicle, photographs admissible in court, and personally identifiable information for every owner. towyardIQ is engineered for what that responsibility actually requires — not just “encryption in transit.”

Isolation

Your yard's data, walled off.

Every customer's data lives in its own walled-off space. Your dispatch board, your photos, your release records, your owner contacts — another tow yard cannot see any of them, ever. This isn't a setting you have to remember to flip on. It's enforced at the data layer, automatically, on every single read and write.

  • Customer data isolated at the database level — never mixed
  • Each yard gets its own users, integrations, and settings
  • Bring your own AI keys if you'd rather pay your own provider directly
  • No human at towyardIQ can read your data without an active support ticket from you

Layered defense

Multiple, independent safeguards between your data and an attacker.

  • Customer data isolated — one yard cannot see another's
  • Role-based permissions — owner, dispatcher, driver, clerk
  • Every public form spam-protected and rate-limited
  • Login attempts monitored and rate-limited
  • Industry-standard encryption everywhere
  • Full activity log on every change — nothing happens silently

Data handling

  • Encrypted in transit and at rest — industry-standard
  • Daily backups · 30-day retention · restore in minutes
  • Photos stored separately for each yard, never co-mingled
  • Personal info tagged so it can be exported or deleted on request
  • Right-to-delete workflow built in (GDPR / CCPA)
  • Data hosted in the U.S. by default · EU available on request

Data

Your data is yours.

You can export your full data set any time — CSV, JSON, or a complete archive including audit logs, photos, and every generated document. There's no penalty if you leave. We're confident enough in the platform that we don't need a contractual moat to keep you.

Audit

Every change is recorded. Every release is defensible.

Field-level Change Log

Old → new values for every mutation. User, timestamp, IP, and reason captured automatically. Clickable entity links from the audit log to the live record.

Photo Chain-of-Custody

Every photo timestamped at upload, geo-tagged when permitted, and hashed. Tampering invalidates the hash. Defensible in dispute proceedings.

Notice & Mail Tracking

Every certified mailer has its USPS tracking number recorded against the vehicle. Return receipts auto-attached. Legal record stays even after vehicle is sold.

Release Audit Trail

Who released the vehicle, when, with what documents, what payment method, and what photos signed for. Complete record per release.

AI Usage Log

Every AI call logged: which model, which prompt, which org, which user, which result. AI is auditable, not a black box.

Failed-Login Tracking

Failed-login attempts surfaced to org admins. IP-based rate limiting with auto-lockout after threshold.

Compliance posture

Built for the standards your auditor will ask about.

SOC 2 Type II controls in operation today; formal report scheduled. State-specific data-handling rules for the tow industry are already encoded.

SOC 2 Type II controls (report Q3 2026)
GDPR · right-to-access & delete
CCPA · CA consumer privacy
PCI DSS via Stripe (no card data stored)
CJIS-aware (police rotation data)
HIPAA-aware design (medical certs)
AICPA · aligned audit posture
Per-state retention rules pre-loaded
Annual penetration test · third-party

Have a question your auditor needs answered?

SOC 2 questionnaire response (SIG Lite, CAIQ, or custom framework) available on request once we open the pilot. Coming soon.