Skip to main content
Compliance Posture

Security built for cyber underwriters, the FTC, and the DoD supply chain.

Flynaut's platform and managed services are engineered against CMMC Level 2 and NIST SP 800-171 Rev. 3 - the same baselines used by the Department of Defense for Controlled Unclassified Information (CUI). Every dealer and advisor inherits this posture automatically.

CMMC L2 mapped NIST 800-171 FTC Safeguards Rule §314.4 SOC 2-ready TLS 1.3 / AES-256

Five compliance pillars

Mapped directly to the controls your carrier, the FTC, and a DoD auditor will ask about.

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Customer data segregated by tenant. Keys rotated quarterly via managed KMS.

Strong authentication

Mandatory TOTP-based MFA for admins. Optional (and nudged) for all other roles. Password hashing via bcrypt with adaptive cost.

Audit logging

Every privileged action - RBAC change, content edit, file upload, integration toggle - is logged with actor, IP, user-agent, and timestamp. 90-day hot retention.

Least-privilege RBAC

Granular custom roles. Maker/checker workflow for sensitive changes. Super-admin actions require 2FA + email approval.

Hardened infrastructure

Container isolation, WAF, DDoS mitigation, automatic security patches, and segmented database access.

Incident response

24/7 monitoring, defined IR runbook mapped to NIST IR family, breach notification SLA aligned to state + carrier requirements.

NIST SP 800-171 Control Coverage

14 control families. 110 individual controls. Mapped, implemented, and continuously assessed.

3.1 · AC
Access Control
22 controls
Implemented
3.2 · AT
Awareness & Training
3 controls
Implemented
3.3 · AU
Audit & Accountability
9 controls
Implemented
3.4 · CM
Configuration Management
9 controls
Implemented
3.5 · IA
Identification & Authentication
11 controls
Implemented
3.6 · IR
Incident Response
3 controls
Implemented
3.7 · MA
Maintenance
6 controls
Implemented
3.8 · MP
Media Protection
9 controls
Implemented
3.9 · PS
Personnel Security
2 controls
Implemented
3.10 · PE
Physical Protection
6 controls
Implemented
3.11 · RA
Risk Assessment
3 controls
Implemented
3.12 · CA
Security Assessment
4 controls
Implemented
3.13 · SC
System & Communications Protection
16 controls
Implemented
3.14 · SI
System & Information Integrity
7 controls
Implemented

Detailed SSP (System Security Plan) available under NDA for enterprise buyers and auditors. Request access →

Data handling at a glance

What we collect

  • Dealership identity (name, contact, devices, rooftops)
  • Assessment responses + scoring metadata
  • Documents uploaded by your Flynaut team to your private drive
  • Standard web telemetry (no fingerprinting, no third-party trackers on portal pages)

Where it lives

  • US-hosted production database (replicated, encrypted)
  • Files stored in S3-compatible object storage with per-tenant prefixes
  • Email delivery via Resend (TLS-only, SPF/DKIM/DMARC aligned)
  • Backups retained 30 days, encrypted, and access-logged

Who can see it

  • Only your Flynaut team is authorized to view your dealership's data
  • Carriers receive only the redacted attestations you approve
  • Sub-processors limited to infrastructure providers under DPA
  • RBAC enforced at every API boundary

Your rights

  • Export all data on request within 30 days
  • Deletion on request (subject to legal/audit retention)
  • Detailed access logs available to your designated owner
  • Privacy disclosures: see our Privacy Notice

Need our SOC 2 letter or NIST SSP?

Enterprise buyers and auditors can request our full security questionnaire response, including evidence appendices.

Request the security pack →