Information Security Policy

Birdseye Views, Inc. — a Delaware corporation. Last updated: June 29, 2026 · v1.0

This policy summarizes the security practices we use to protect the Service and the data entrusted to us. It describes our current-state controls. Where a control is planned but not yet in place, we say so explicitly in the Roadmap section below — we do not claim controls we have not implemented.


Hosting and infrastructure

The Service is hosted on Amazon Web Services (AWS) in the United States (region `us-east-2`). We rely on AWS's physical and environmental security for the underlying data centers and manage our application, data, and access layers on top of that infrastructure.

Encryption

  • In transit: all traffic between users and the Service is encrypted using TLS 1.2 or higher.
  • At rest: data stored in our managed database and object storage is encrypted at rest.

Authentication and access control

  • User authentication is handled by a dedicated identity provider, and multi-factor authentication (MFA) is supported and recommended for all accounts.
  • Access within the Service is governed by role-based access control (RBAC) and the principle of least privilege.
  • The Service is multi-tenant with logical tenant isolation: queries and operations are scoped to the requesting tenant on the server, so one Customer cannot access another Customer's data.
  • Administrative and infrastructure access is limited to authorized personnel who need it, and credentials and secrets are managed through secure configuration and secret storage — never committed to source code.

Application and network security

We follow secure development practices, validate input at system boundaries, and design server entry points to enforce authorization by default (deny-by-default). Server-only secrets are kept out of client code and the browser bundle. We use reputable, maintained dependencies and monitor for known vulnerabilities.

Logging and monitoring

We capture application and access logs to support troubleshooting, security monitoring, and investigation of suspicious activity.

Backups and resilience

Customer data in our managed database is backed up on a regular basis to support recovery in the event of data loss, consistent with our hosting provider's capabilities.

Vulnerability and patch management

We track security advisories for our dependencies and platform and apply updates and patches in a timely, risk-based manner.

Vendor and sub-processor oversight

We engage a limited set of sub-processors to operate the Service and require them, by contract, to maintain appropriate safeguards and to use data only to provide services to us. The current list, with purposes and locations, is maintained in our Data Processing Addendum.

FTC Safeguards Rule (GLBA) Alignment

Automotive dealers are generally "financial institutions" under the Gramm-Leach-Bliley Act, and Birdseye Views acts as a "service provider" under the FTC Safeguards Rule when it accesses customer information on a dealer's behalf. We maintain administrative, technical, and physical safeguards designed to protect that information — including encryption, access controls, and multi-factor authentication for access to systems holding customer information — and we reflect these commitments in our customer agreements.

Incident response and breach notification

We maintain an incident-response process for identifying, investigating, and responding to security events. In the event of a personal data breach affecting Customer Data, we will notify affected Customers without undue delay and cooperate as set out in our Data Processing Addendum, consistent with applicable law.

Data segregation, retention, and deletion

Customer Data is logically segregated by tenant. On termination, Customer Data is deleted or returned as described in the Data Processing Addendum.

Personnel

Access to systems and data is limited to personnel who need it for their role and who are bound by confidentiality obligations.

Roadmap

The following are planned and not yet completed. We list them transparently so Customers can assess our maturity accurately:

  • SOC 2 Type II examination.
  • Independent third-party penetration testing on a recurring basis.
  • Formal, externally audited security certifications.

We will update this policy as these items are completed.

Reporting a security concern

To report a vulnerability or security concern, contact us at info@birdseyeviews.com. We appreciate responsible, coordinated disclosure and will work with you to investigate and address valid reports.