G
v1.0
TheGarageOS · Security

Security

Infrastructure, access controls, audit trails and incident response — how we keep workshop and customer data safe.

Last updated: June 12, 2026

1. Overview

Security is foundational to TheGarageOS — workshops trust us with job records, customer data, payment and insurance information, and per-job financials. This page describes the controls and practices we apply across our infrastructure, application and operations, designed around SOC 2 control objectives.

2. Infrastructure & Hosting

  • The platform runs on reputable cloud infrastructure providers with their own SOC 2 / ISO 27001 certifications.
  • Production environments are network-isolated from development and staging environments.
  • Infrastructure is provisioned via version-controlled configuration, with changes reviewed before deployment.
  • Automated backups are taken for production databases and tested on a regular schedule.

3. Encryption

  • Data in transit is encrypted using TLS 1.2 or higher for all client and API connections.
  • Data at rest — including databases and object storage for DVI photos and documents — is encrypted using industry-standard algorithms (AES-256 or equivalent).
  • Secrets and credentials are stored in dedicated secret-management systems, never in source code or plaintext configuration.

4. Access Control & Multi-Tenancy

TheGarageOS is built on a multi-tenant architecture with strict tenant isolation enforced at the data layer — every query and write is scoped to a tenant, preventing cross-tenant data access.

  • Role-based access control (RBAC) governs what each user can view or modify within a tenant — from front-desk staff to workshop owners.
  • Internal employee access to production systems is limited to those who require it, follows least-privilege principles, and is reviewed periodically.
  • Production access by internal staff requires multi-factor authentication (MFA).
  • Customers are encouraged to enforce MFA and strong password policies for their own staff accounts; SSO (SAML/OIDC) is on the Enterprise roadmap.

5. Audit Trails

Every job status transition, quote approval, invoice change, payment, inventory adjustment and permission change is recorded in an append-only audit trail, tied to the acting user and timestamp. This gives workshop owners and our support team a complete, tamper-evident history of what happened and who did it.

6. Application Security

  • All code changes go through peer review before merging to production branches.
  • Dependencies are monitored for known vulnerabilities and updated on a regular cadence.
  • Input validation and authorization checks are enforced at the API layer for every state-changing operation, consistent with the platform's finite-state-machine model for jobs.
  • We perform periodic security testing of the application, including reviews of authentication, authorization and tenant-isolation logic.

7. Payments & Financial Data

Card payment processing is handled by PCI-DSS compliant third-party payment processors — TheGarageOS does not store raw card numbers. Insurance-split invoicing and per-job financial data are stored within the tenant-isolated data model described above and are subject to the same encryption and access controls as other Customer Data.

8. Monitoring & Incident Response

  • Production systems are monitored for availability, performance and anomalous activity.
  • We maintain a documented incident response process covering identification, containment, eradication, recovery and post-incident review.
  • In the event of a security incident affecting Customer Data, affected Customers will be notified without undue delay, with details of impact and remediation steps, consistent with our Privacy Policy and applicable law.

9. Sub-processors

We rely on a limited set of sub-processors for core infrastructure — cloud hosting, object storage, email/SMS delivery and payment processing. Each is contractually bound to confidentiality and data-protection obligations consistent with this policy. A current list of sub-processors is available to Enterprise customers on request.

10. Reporting a Vulnerability

If you believe you've found a security vulnerability in TheGarageOS, please report it to [email protected]. We ask that you give us a reasonable opportunity to investigate and address the issue before any public disclosure, and that you do not access or modify data belonging to other tenants while testing.

11. Compliance Roadmap

Our controls are designed in alignment with SOC 2 Type II principles. Formal certification, alongside SSO and advanced audit export tooling, is part of the Enterprise roadmap — Enterprise customers can request current compliance documentation and timelines from our sales team.