◆ Trust Center

Built like a bank. Priced like software.

Your dealership stores customer PII, loan applications, driver's licenses, bank statements, and hundreds of millions in vessel value. We treat that data the way regulated financial institutions do — and publish how.

  • SOC 2 Type II audited annually
  • End-to-end encryption · TLS 1.3 + AES-256
  • Data residency in US (EU option Q3 2026)
  • 24/7 security monitoring + on-call rotation
Certifications & compliance

The alphabet soup, covered.

Every framework a modern boat dealership needs, audited and maintained. No asterisks, no coming-soons without dates.

SOC 2 Type II

Audited annually by a Big-Four-aligned firm. Covers security, availability, confidentiality, and processing integrity. Latest report available under NDA.

GDPR

Full data-subject rights, DPA on file, EU representative assigned. Data subject requests fulfilled within 30 days.

CCPA / CPRA

California privacy rights supported: access, deletion, correction, portability, opt-out of sale (we never sell). We honor the Global Privacy Control signal.

TCPA

Consent capture on every SMS, phone, and chat touchpoint. Double opt-in for marketing. Signed consent logs retained for 7 years.

HIPAA-ready

For dealers handling maritime health documentation (e.g., captain medical cards). BAA on request.

E-Sign Act

Compliant electronic signatures across bills of sale, loan applications, title transfers. Tamper-evident audit trail per signature.

How we handle your data

Four principles, applied without exception.

Encryption

TLS 1.3 in transit. AES-256 at rest across every database, object store, and backup. Keys rotated every 90 days.

Role-based access

Four built-in roles: dealer principal, manager, technician, sales. Every permission is scoped by location and hull. SSO + SAML on Marina and Fleet tiers.

Audit logging

Every read, write, export, and print is logged with actor, timestamp, and purpose. Exportable to your SIEM via webhook or SFTP.

Data residency

All customer data stored in US-east-1 and US-west-2 (warm replica). EU data residency option available Q3 2026 for European dealers.

Uptime & reliability

99.98% uptime, last 90 days.

AWS multi-region, automatic failover, read-replicas warm in a second region. When something breaks, you'll hear from us before you notice.

Status page: status.boater.os. All systems operational. Last 90 days: 99.98% uptime · 1 minor incident · 7 min elevated latency.
Security practices

What we do between audits.

Background-checked employees

Every employee undergoes a criminal-background check and signs a confidentiality agreement prior to day one.

Quarterly penetration tests

Third-party offensive-security firm hits our surface area every 90 days. Summary report available under NDA.

Bug bounty program

Payouts up to $10,000 for critical vulnerabilities via HackerOne. Over $47k paid out to date.

Responsible disclosure

Vulnerabilities disclosed to security@boater.os are triaged within 24 hours. We publish advisories once patches ship.

Sub-processors

Who touches your data, and why.

We publish every vendor with access to customer data. We notify 30 days before adding a new one.

Vendor | Purpose | Region
Amazon Web Services | Hosting, storage, databases | US-east-1, US-west-2
Stripe | Payments, Terminal, deposits | US
Twilio | SMS, voice, TCPA consent log | US
Anthropic | AI Companion, listing copy, comparisons | US (no training on your data)
Plaid | Finance pre-approval, bank linking | US
Sentry | Error monitoring | US
Fivetran | ETL for dealer-side warehouse syncs | US
Snowflake | Analytics warehouse (aggregate only) | US
Report a vulnerability

security@boater.os

Triage within 24 hours. PGP key available on request.

Compliance requests

compliance@boater.os

DPA, SOC 2 report, pen-test summary, vendor questionnaires.

◆ Next step

The safest place to run your dealership.

Talk to our Head of Compliance. 30 minutes, your questions, our answers, all on the record.
