Security built for cyber underwriters, the FTC, and the DoD supply chain.
Flynaut's platform and managed services are engineered against CMMC Level 2 and NIST SP 800-171 Rev. 3 - the same baselines used by the Department of Defense for Controlled Unclassified Information (CUI). Every dealer and advisor inherits this posture automatically.
Five compliance pillars
Mapped directly to the controls your carrier, the FTC, and a DoD auditor will ask about.
TLS 1.3 in transit, AES-256 at rest. Customer data segregated by tenant. Keys rotated quarterly via managed KMS.
Mandatory TOTP-based MFA for admins. Optional (and nudged) for all other roles. Password hashing via bcrypt with adaptive cost.
Every privileged action - RBAC change, content edit, file upload, integration toggle - is logged with actor, IP, user-agent, and timestamp. 90-day hot retention.
Granular custom roles. Maker/checker workflow for sensitive changes. Super-admin actions require 2FA + email approval.
Container isolation, WAF, DDoS mitigation, automatic security patches, and segmented database access.
24/7 monitoring, defined IR runbook mapped to NIST IR family, breach notification SLA aligned to state + carrier requirements.
NIST SP 800-171 Control Coverage
14 control families. 110 individual controls. Mapped, implemented, and continuously assessed.
Detailed SSP (System Security Plan) available under NDA for enterprise buyers and auditors. Request access →
Data handling at a glance
What we collect
- Dealership identity (name, contact, devices, rooftops)
- Assessment responses + scoring metadata
- Documents uploaded by your Flynaut team to your private drive
- Standard web telemetry (no fingerprinting, no third-party trackers on portal pages)
Where it lives
- US-hosted production database (replicated, encrypted)
- Files stored in S3-compatible object storage with per-tenant prefixes
- Email delivery via Resend (TLS-only, SPF/DKIM/DMARC aligned)
- Backups retained 30 days, encrypted, and access-logged
Who can see it
- Only your Flynaut team is authorized to view your dealership's data
- Carriers receive only the redacted attestations you approve
- Sub-processors limited to infrastructure providers under DPA
- RBAC enforced at every API boundary
Your rights
- Export all data on request within 30 days
- Deletion on request (subject to legal/audit retention)
- Detailed access logs available to your designated owner
- Privacy disclosures: see our Privacy Notice
Need our SOC 2 letter or NIST SSP?
Enterprise buyers and auditors can request our full security questionnaire response, including evidence appendices.