Security & Compliance

Built for the dealers who can’t afford a breach.

Five layers. One brain. Zero ad-network surveillance.

CDK Global went down for three weeks in June 2024 and took half the American dealer body with them. Gladius is engineered so the same playbook doesn’t work twice.

Read the Architecture ↓

AWAIS IQ 145·261 attack patterns catalogued·0 customer breaches

Five layers of defense

Stack the layers. Break one, the next holds.

Each layer is implemented in our own code, audited at every PR, and instrumented with cron health checks. No third-party security-theatre dependencies.

Encryption at rest

PII columns (names, phones, emails, addresses, SSN-tails) are AES-GCM encrypted at the application layer before Postgres ever sees them. Keys rotate via envelope encryption. Plaintext drop pending; phone-E.164 hash lets webhooks still match.

Homegrown TOTP MFA

RFC 6238 implementation. AES-GCM wrapped secrets, bcrypt-hashed backup codes, 5-minute pending-MFA cookie for the challenge flow. Dealers can force-enrol every seat via mfaRequiredByDealer.

AWAIS application-layer defense

66 diagnostic rules, 53 error signatures, 261 root causes, IQ 145 self-grading engine. Genetic rule evolution. Active deception inside the app. Watches every endpoint across all 5 verticals in real time.

Multi-tenant isolation

Every row carries a dealerId FK. Enforced in tRPC middleware before any handler runs. Single-tenant Postgres database per dealer available on Enterprise. No shared-row leakage path even on a compromised handler.

Audit trail (soft-delete only)

Leads, customers, and deals are never hard-deleted — only flagged via deletedAt. Every state change writes a LeadActivity row. 27 crons are instrumented through cron_runs for retroactive forensics.

The AI watchdog

AWAIS — the category we created

Autonomous Web Application Intelligence System. Embedded inside the app — not bolted on like a WAF. Learns attacker playbooks, plants deception, evolves its own rules, and watches all five Gladius verticals through one brain.

$0 inference cost · pure-math algorithms
66 rules · 53 signatures · 261 root causes · IQ 145
Sentinel Mesh — federation events propagate across 5 verticals in <30s

Read the AWAIS architecture →

$ awais --status --verbose

iq_score ........ 145

rules_active .... 66 / 66

signatures ...... 53 / 53

patterns ........ 261 / 261

verticals ....... 5 (mesh OK)

mesh_lag ........ 11s (p95)

ready. watching all surfaces.

What we’re certified for

Honest about the box-checks. No marketing gloss.

We publish where we’re compliant, where we’re in progress, and where the framework doesn’t apply. If you’re an auditor, your evidence packet is ready.

FTC Safeguards Rule

Compliant

Column-level PII encryption, access controls, MFA on every account, encryption-in-transit (TLS 1.3 + HSTS preload), incident response plan, vendor risk management.

GLBA — applies to dealer F&I

Compliant

Customer NPI is encrypted in flight and at rest; access is tenant-scoped and audited. Privacy notice surfaced to consumers via /privacy.

SOC 2 Type II

In progress

Trust services criteria mapped to controls. Continuous evidence collection in place. Auditor engagement targeted Q4 2026. We will publish the report under NDA on request.

PCI-DSS

By design

Card data never touches our servers. Stripe Elements hosts the form; we receive only a tokenized reference. Out-of-scope for the full PCI envelope.

Request architecture

Every request, six checkpoints deep.

A request from a dealer’s laptop has to clear all six before it touches a database row. Each checkpoint is its own audit log.

Request

Browser → Vercel Edge / CDN. TLS 1.3, HSTS preload, COOP, CORP. Strict CSP rejects unknown script origins.

AWAIS gate

Every request screened by Defense — bot scoring, fingerprint, behavioral z-score, deception traps. Hostile traffic gets a doppler response, never the real route.

Next.js Edge / Node runtime

Stateless HMAC-signed JWT-style session in an httpOnly + Secure + SameSite=Lax cookie. No 3rd-party auth dependency since 2026-05-27.

tRPC middleware (tenant gate)

Session decoded, dealerId resolved, MFA verified. Every router input passes Zod validation. dealerId FK auto-stamped on every Prisma write.

Prisma ORM

Parameterized queries only — no string-concat SQL anywhere in the surface. dealerId required on every read; cross-tenant queries throw at the model layer.

Postgres (Supabase)

Encrypted at rest. RLS policies as defense-in-depth. Single-tenant Postgres available on Enterprise. Backups encrypted with separate KMS keys.

  browser ──► CDN/WAF ──► AWAIS ──► Next.js Edge ──► tRPC mw ──► Prisma ──► Postgres
                  │           │           │              │            │         │
                TLS 1.3    pattern        session     dealerId      param      AES at
                HSTS       + decoy        verify      gate          queries    rest

vs. the legacy CRM vendors

The same incumbents that already lost dealer data in 2024.

When CDK Global went dark in June 2024, the entire industry learned how brittle the incumbents’ security model is. Here’s how Gladius is engineered differently.

Control

Gladius

Typical legacy CRM

PII column-level encryption

AES-GCM in every PII column

Row-level disk encryption only

MFA enforcement

Dealer-wide force-enrol switch

Optional, opt-in per seat

Application-layer threat detection

AWAIS — embedded, self-learning

Perimeter WAF only

Multi-tenant isolation

tRPC middleware + Enterprise single-DB option

Shared row, app-level filter only

Breach disclosure SLA

72 hours, written, in contract

Silence until press inquiry (see CDK June 2024)

Soft-delete + audit trail

Every row, every state change

Hard deletes overwrite history

“Typical legacy CRM” column reflects publicly documented architecture from major incumbents (Reynolds & Reynolds, CDK Global, DealerSocket, VinSolutions) as of the CDK Global incident, June 2024. Where individual vendors have since improved, we’ll happily update — send a pointer to security@gladiuscrm.com.

Our pledges

Written down. In the contract.

These are not aspirations — they live in our MSA and they hold in court.

01We will disclose any confirmed security incident affecting customer data within 72 hours of confirmation, in writing, to every affected dealer principal. This commitment lives in our MSA.
02We will never sell, share, or syndicate dealer data to a third party for marketing, lead resale, or model training. Dealer data is dealer property.
03We will never run unannounced production data exports for analytics. All cross-tenant analytics use anonymized aggregates with k-anonymity enforced.
04Researchers who report a vulnerability in good faith will not face legal action. We pay bug bounties out of pocket — see below.

Responsible disclosure

Found a vulnerability? We’ll pay you and thank you.

Email security@gladiuscrm.com with a description, reproduction steps, and the impact you believe it has. We acknowledge within 24 hours, fix high-severity issues within 7 days, and pay a bounty from $250 for low-impact findings up to $10,000 for critical pre-auth RCE / multi-tenant data crossing. No legal action against good-faith researchers — that’s our pledge.

security@gladiuscrm.com

Ack SLA

24 hours

Bounty range

$250 – $10,000

Gladius Technologies LLC · Tampa, FL · 2026