Security & Compliance

Built for the dealers who can’t afford a breach.

Six layers. One brain. Zero shared-bucket call recordings.

CDK Global went down for nearly two weeks in June 2024 and took roughly half of the American dealer body with it. Gladius BDC is engineered so the same playbook doesn't work twice: SMS PII, call recordings, and Twilio webhooks each get their own dedicated isolation layer on top of the six below.

AWAIS IQ 145 · 261 attack patterns catalogued · 0 customer breaches

Six layers of defense

Stack the layers. Break one, the next holds.

Each layer is implemented in our own code, audited at every PR, and instrumented with cron health checks. No third-party security-theatre dependencies.

01

Encryption at rest

Customer PII columns (names, phones, emails, addresses) are AES-GCM encrypted at the application layer before Postgres ever sees them. Keys rotate via envelope encryption: a key-encryption key wraps the data keys, so rotation re-wraps keys instead of re-encrypting every row. A keyed hash of the E.164 phone number is stored alongside the ciphertext so inbound Twilio traffic can still be matched to a customer record after the plaintext is dropped.
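The mechanics of layer 01, as an added example written for this page (it is not Gladius BDC's own code): AES-256-GCM column encryption under a data key, the data key wrapped by a key-encryption key (envelope encryption) so rotation re-wraps rather than re-encrypts, and a keyed lookup hash over the normalised E.164 number. Assumptions, not from the page: the KEK is a random in-memory key standing in for a KMS-held key, ciphertexts are bound to their row and column through GCM's additional authenticated data, and bare 10-digit numbers are treated as NANP.

```typescript
import { createCipheriv, createDecipheriv, createHmac, randomBytes } from "node:crypto";

const ALG = "aes-256-gcm";

// Seal plaintext under `key`. `aad` is authenticated but not encrypted: binding it to
// the row and column means a ciphertext copied from another record (or another
// dealer's row) fails the GCM tag check instead of decrypting to someone else's PII.
function seal(key: Buffer, plaintext: Buffer, aad: string): string {
  const iv = randomBytes(12); // fresh 96-bit nonce per call; never reuse a nonce under one key
  const cipher = createCipheriv(ALG, key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join(".");
}

// Open a sealed blob; throws if the tag, the ciphertext or the AAD was altered.
function open(key: Buffer, blob: string, aad: string): Buffer {
  const [iv, tag, ct] = blob.split(".").map((s) => Buffer.from(s, "base64"));
  const decipher = createDecipheriv(ALG, key, iv);
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Envelope layer: the KEK (a KMS key in production; random here, assumption) wraps the DEK.
export function newDataKey(): Buffer {
  return randomBytes(32);
}
export function wrapDataKey(kek: Buffer, dek: Buffer, dealerId: string): string {
  return seal(kek, dek, `dek:${dealerId}`);
}
export function unwrapDataKey(kek: Buffer, wrapped: string, dealerId: string): Buffer {
  return open(kek, wrapped, `dek:${dealerId}`);
}
// KEK rotation only re-wraps the DEK; the encrypted columns are untouched.
export function rotateKek(oldKek: Buffer, newKek: Buffer, wrapped: string, dealerId: string): string {
  return wrapDataKey(newKek, unwrapDataKey(oldKek, wrapped, dealerId), dealerId);
}

// Column layer: one PII value, bound to its row id and column name.
export function encryptColumn(dek: Buffer, rowId: string, column: string, value: string): string {
  return seal(dek, Buffer.from(value, "utf8"), `${rowId}:${column}`);
}
export function decryptColumn(dek: Buffer, rowId: string, column: string, blob: string): string {
  return open(dek, blob, `${rowId}:${column}`).toString("utf8");
}

// Lookup hash: keyed HMAC over the normalised E.164 number. Keyed rather than a plain
// SHA-256 because the phone-number space (~10^10) is small enough to enumerate offline.
export function normalizeE164(raw: string): string {
  const digits = raw.replace(/\D/g, "");
  if (digits.length === 10) return `+1${digits}`; // assumption: bare 10 digits are NANP
  return `+${digits}`;
}
export function phoneLookupHash(hmacKey: Buffer, raw: string): string {
  return createHmac("sha256", hmacKey).update(normalizeE164(raw)).digest("hex");
}

// Constructed demo data (not from the page): one dealer, one customer row, one KEK rotation.
export function demo() {
  const kek = randomBytes(32);
  const newKek = randomBytes(32);
  const hmacKey = randomBytes(32);
  const dek = newDataKey();
  const wrapped = wrapDataKey(kek, dek, "dealer_1");
  const phoneCt = encryptColumn(dek, "cust_42", "phone", "+18135550100");
  const rotated = rotateKek(kek, newKek, wrapped, "dealer_1");
  return { newKek, hmacKey, dek, phoneCt, rotated };
}
```

The AAD binding is the part most column-encryption wrappers skip: without it, an attacker with write access to the table can move a ciphertext from a row they control into a row they want to read, and the application will decrypt it for them.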

02

Call recordings + transcripts

Twilio call recordings and AI transcripts live in tenant-scoped storage with signed-URL access and 30-day default retention (configurable). Recording consent is enforced upstream by the TCPA gate — no recording without an explicit, logged consent record.

03

Signed Twilio webhooks

Every inbound SMS/voice webhook is validated against the X-Twilio-Signature header (an HMAC over the request URL and form parameters, keyed with the dealer's Twilio auth token) before message-router runs. A nonce window provides replay protection, so a signed request delivered a second time is rejected. No raw webhook endpoint is reachable without a verified Twilio signature.

04

Homegrown TOTP MFA

RFC 6238 TOTP implementation. Enrolment secrets are AES-GCM wrapped at rest, backup codes are bcrypt-hashed, and the challenge flow is carried by a 5-minute pending-MFA cookie. Dealers force-enrol every BDC seat via mfaRequiredByDealer.
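What an RFC 6238 implementation has to get right, as an added example for this page (not Gladius BDC's own MFA code): HOTP dynamic truncation, a one-step drift window, single-use enforcement so a code sniffed during its 30-second window cannot be replayed, and backup codes stored only as salted slow hashes. Assumptions not from the page: the drift window is ±1 step, backup codes are 40-bit hex strings, and scrypt from node:crypto stands in for the bcrypt the page names so the example has no dependencies. Wrapping the enrolment secret at rest would use the same AES-GCM envelope shown under layer 01 and is not repeated here.

```typescript
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// RFC 4226 HOTP: HMAC-SHA1(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits.
export function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
export function totp(secret: Buffer, unixSeconds: number, step = 30, digits = 6): string {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

// Verify with a ±window drift allowance. `lastAcceptedStep` is persisted per user:
// a step that has already produced a successful login is never accepted again,
// which is what turns "valid for 30 seconds" into "valid once".
export function verifyTotp(
  secret: Buffer,
  code: string,
  unixSeconds: number,
  lastAcceptedStep: number,
  window = 1,
): { ok: boolean; step: number } {
  const current = Math.floor(unixSeconds / 30);
  for (let delta = -window; delta <= window; delta++) {
    const step = current + delta;
    if (step <= lastAcceptedStep) continue; // replay or older than an accepted code
    const expected = Buffer.from(hotp(secret, step));
    const got = Buffer.from(code);
    if (expected.length === got.length && timingSafeEqual(expected, got)) return { ok: true, step };
  }
  return { ok: false, step: lastAcceptedStep };
}

// Backup codes: random, shown to the user once, stored only as salted slow hashes,
// consumed on first use. scrypt here stands in for bcrypt (assumption, see lead-in).
export type HashedBackupCode = { salt: string; hash: string; used: boolean };
export function newBackupCodes(count = 10): { plain: string[]; hashed: HashedBackupCode[] } {
  const plain = Array.from({ length: count }, () => randomBytes(5).toString("hex"));
  const hashed = plain.map((p) => {
    const salt = randomBytes(16);
    return { salt: salt.toString("hex"), hash: scryptSync(p, salt, 32).toString("hex"), used: false };
  });
  return { plain, hashed };
}
export function redeemBackupCode(hashed: HashedBackupCode[], code: string): boolean {
  for (const entry of hashed) {
    if (entry.used) continue;
    const got = scryptSync(code, Buffer.from(entry.salt, "hex"), 32);
    if (timingSafeEqual(got, Buffer.from(entry.hash, "hex"))) {
      entry.used = true;
      return true;
    }
  }
  return false;
}

// RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used to check the implementation.
export const RFC6238_SECRET = Buffer.from("12345678901234567890", "ascii");
```

The single-use check is the piece most "homegrown" TOTP code omits: without persisting the last accepted step, any code that was valid is valid for the whole window, and a phished code can be used right behind the victim.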

05

AWAIS application-layer defense

66 diagnostic rules, 53 error signatures, 261 root causes, IQ 145 self-grading engine. Sentinel Mesh federates findings across all 5 verticals in under 30 seconds: an attack seen on Stone today hardens BDC tonight.

06

Multi-tenant isolation

Every row carries a dealerId FK, enforced in tRPC middleware before any handler runs; cross-dealer queries throw at the model layer. Single-tenant Postgres is available on Enterprise, so there is no shared-row leakage path even from a compromised handler.
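One way to make "cross-dealer queries throw at the model layer" concrete, as an added example for this page (not Gladius BDC's own middleware): a pure function that pins every Prisma-style operation to the caller's dealerId, stamps it onto writes, and throws on any explicit, differing dealerId rather than silently overwriting it, so a buggy or hostile handler produces an error in the audit log instead of a quiet cross-tenant read. The operation names and args shape follow Prisma's client API; the wiring comment assumes Prisma's `$extends` query hook and is not executed here.

```typescript
export class CrossTenantError extends Error {
  constructor(model: string, operation: string) {
    super(`cross-tenant access refused: ${model}.${operation}`);
    this.name = "CrossTenantError";
  }
}

type Rec = Record<string, unknown>;
export type QueryArgs = { where?: Rec; data?: Rec | Rec[]; [k: string]: unknown };

const CREATE_OPS = new Set(["create", "createMany"]);
const WHERE_OPS = new Set([
  "findMany", "findFirst", "findUnique", "count", "aggregate", "groupBy",
  "update", "updateMany", "delete", "deleteMany",
]);

// Returns a copy of `args` scoped to `dealerId`. Unknown operations (including raw
// SQL, which cannot be scoped here) fail closed.
export function scopeToDealer(model: string, operation: string, args: QueryArgs, dealerId: string): QueryArgs {
  const pin = (obj: Rec): Rec => {
    // An explicit, different dealerId in the handler's own args is either a bug or an
    // attack; both are reported, never corrected.
    if (obj.dealerId !== undefined && obj.dealerId !== dealerId) throw new CrossTenantError(model, operation);
    return { ...obj, dealerId };
  };
  const pinData = (data: Rec | Rec[] | undefined): Rec | Rec[] =>
    Array.isArray(data) ? data.map((d) => pin(d)) : pin(data ?? {});

  if (CREATE_OPS.has(operation)) return { ...args, data: pinData(args.data) };
  if (operation === "upsert") {
    return {
      ...args,
      where: pin(args.where ?? {}),
      create: pin((args.create as Rec) ?? {}),
      update: pin((args.update as Rec) ?? {}),
    };
  }
  if (WHERE_OPS.has(operation)) {
    const scoped: QueryArgs = { ...args, where: pin(args.where ?? {}) };
    // update/updateMany must not be able to re-home a row to another dealer either.
    if (args.data !== undefined) scoped.data = pinData(args.data);
    return scoped;
  }
  throw new CrossTenantError(model, operation);
}

// Wiring (assumed shape of Prisma's client-extension query hook; not run in this example):
// const db = prisma.$extends({ query: { $allModels: {
//   $allOperations({ model, operation, args, query }) {
//     return query(scopeToDealer(model, operation, args as QueryArgs, ctx.dealerId));
//   },
// } } });
```

Postgres RLS keyed on the same dealerId (the "defense-in-depth" the page mentions under checkpoint 06) is the backstop for the one path this cannot cover: raw SQL that bypasses the model layer entirely.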

The AI watchdog

AWAIS — the category we created

Autonomous Web Application Intelligence System. Embedded inside the BDC — not bolted on like a WAF. Learns attacker playbooks, plants deception, evolves its own rules, and watches all five Gladius verticals through one brain.

  • $0 inference cost · pure-math algorithms
  • 66 rules · 53 signatures · 261 root causes · IQ 145
  • Sentinel Mesh — federation events propagate across 5 verticals in <30s

What we’re certified for

Honest about the box-checks. No marketing gloss.

We publish where we’re compliant, where we’re in progress, and where the framework doesn’t apply. If you’re an auditor, your evidence packet is ready.

TCPA — Telephone Consumer Protection Act

Compliant

Every outbound SMS passes the TCPA gate (consent + DNC + quiet hours). Every consent grant is logged with timestamp, source, and method. STOP/UNSUBSCRIBE auto-honored across all conversations for the dealer.
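The three checks the gate above describes (consent, DNC, quiet hours) and the STOP handling, as an added example written for this page rather than Gladius BDC's own code. Assumptions not from the page: the quiet-hours bounds default to the federal TCPA window of 8 a.m. to 9 p.m. in the recipient's local time and are parameters so stricter state windows can be configured; the opt-out keyword set is the carrier-standard list beyond the STOP/UNSUBSCRIBE the page names; the customer records are constructed sample data.

```typescript
export type Consent = { grantedAt: string; source: string; method: string; revokedAt?: string };
export type Customer = { phone: string; timeZone: string; dnc: boolean; consent?: Consent };
export type Decision = { allow: boolean; reason: string; checks: Record<string, boolean>; at: string };

// Hour of day (0-23) at `at` in the recipient's IANA time zone. hourCycle h23 avoids the
// "24" that hour12:false can produce at midnight in some ICU builds.
export function localHour(at: Date, timeZone: string): number {
  return Number(new Intl.DateTimeFormat("en-US", { timeZone, hour: "numeric", hourCycle: "h23" }).format(at));
}

// Every decision is returned as a loggable record: which checks ran, which one failed, when.
export function tcpaGate(c: Customer, at: Date, opts = { openHour: 8, closeHour: 21 }): Decision {
  const hour = localHour(at, c.timeZone);
  const checks = {
    consent: c.consent !== undefined && c.consent.revokedAt === undefined,
    notDnc: !c.dnc,
    insideHours: hour >= opts.openHour && hour < opts.closeHour,
  };
  const failed = Object.entries(checks).find(([, ok]) => !ok);
  return { allow: failed === undefined, reason: failed ? failed[0] : "ok", checks, at: at.toISOString() };
}

// Opt-out keywords. STOP/UNSUBSCRIBE are from the page; the rest are the usual
// carrier set (assumption). Match on the first word so "Stop please" still counts.
const OPT_OUT = new Set(["STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"]);

// Applies an inbound message to the customer record: an opt-out revokes consent
// (keeping the original grant for the audit trail) and sets the dealer-wide DNC flag.
export function handleInbound(c: Customer, body: string, at: Date): Customer {
  const firstWord = body.trim().toUpperCase().split(/\s+/)[0];
  if (!OPT_OUT.has(firstWord)) return c;
  return {
    ...c,
    dnc: true,
    consent: c.consent ? { ...c.consent, revokedAt: at.toISOString() } : undefined,
  };
}

// Constructed sample record (not from the page).
export const SAMPLE_CUSTOMER: Customer = {
  phone: "+18135550100",
  timeZone: "America/New_York",
  dnc: false,
  consent: { grantedAt: "2026-03-01T14:02:00Z", source: "website-lead-form", method: "checkbox" },
};
```

Quiet hours are evaluated in the recipient's zone, not the dealer's or the server's: a Tampa dealer texting a customer who moved to Phoenix at 8:30 p.m. Eastern is still inside the window, but the same text at 9:30 p.m. Eastern to a customer in Boston is not.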

FTC Safeguards Rule

Compliant

Column-level PII encryption, access controls, MFA on every account, encryption-in-transit (TLS 1.3 + HSTS preload), incident response plan, vendor risk management.

10DLC + A2P registration

Compliant

Brand and campaign registered on the dealer's behalf, with STIR/SHAKEN caller-ID attestation. We absorb 10DLC registration fees: no per-message upcharge on the dealer.

GLBA — applies to dealer F&I

Compliant

Customer NPI is encrypted in flight and at rest; access is tenant-scoped and audited. Privacy notice surfaced to consumers via /privacy.

SOC 2 Type II

In progress

Trust services criteria mapped to controls, with continuous evidence collection in place. Auditor engagement is targeted for Q4 2026; the report will be shared under NDA on request once issued.

PCI-DSS

By design

Card data never touches our servers. Stripe Elements hosts the card form in the browser and we receive only a tokenized reference, which keeps our systems out of the full PCI-DSS cardholder data environment.

Request architecture

Every request, six checkpoints deep.

A Twilio webhook or operator request has to clear all six before it touches a database row. Each checkpoint is its own audit log.

01

Inbound SMS / call

Twilio webhook arrives at Vercel Edge over TLS 1.3 with HSTS preload. Browser-facing responses additionally carry COOP and CORP headers and a strict CSP that rejects unknown script origins.

02

AWAIS gate

Every request screened by Defense — bot scoring, fingerprint, behavioral z-score, deception traps. Hostile traffic gets a doppler response, never the real route.

03

Twilio signature verify

X-Twilio-Signature validated against the dealer's Twilio auth token, the key Twilio signs with. Replay window enforced. No body is trusted until the signature clears.

04

TCPA gate + crisis rails

Consent verified, DNC checked, quiet hours enforced. Crisis safety rails bypass the AI for sensitive language. Every decision is logged.

05

tRPC middleware (tenant gate)

Session decoded, dealerId resolved, MFA verified. Every router input passes Zod validation. dealerId FK auto-stamped on every Prisma write.

06

Postgres (Supabase)

Encrypted at rest. RLS policies as defense-in-depth. Single-tenant Postgres available on Enterprise. Backups encrypted with separate KMS keys.

vs. the legacy AI-BDC vendors

The same vendors that ship call recordings to shared buckets.

Most AI-BDC stacks bolt onto Twilio and treat security as a perimeter problem. Gladius treats every webhook, every recording, every PII column as a tenant boundary.

Capability                         | Gladius BDC                                        | Typical AI-BDC vendor
-----------------------------------|----------------------------------------------------|-------------------------------------------------
PII column-level encryption        | AES-GCM in every PII column                        | Disk-level encryption only
Twilio webhook authenticity        | Signature-verified per request + replay window     | Trust the URL, hope nobody guesses
Call recording retention           | Tenant-scoped, signed URLs, dealer-controlled TTL  | Shared S3 bucket, indefinite retention
MFA enforcement                    | Dealer-wide force-enrol switch                     | Optional, opt-in per seat
Application-layer threat detection | AWAIS: embedded, self-learning, mesh-federated     | Perimeter WAF only
Breach disclosure SLA              | 72 hours, written, in contract                     | Silence until press inquiry (see CDK June 2024)

“Typical AI-BDC vendor” reflects publicly documented architecture from major incumbents (Matador, Podium, DriveCentric, Impel) as of 2026. Where individual vendors have improved, we’ll happily update — send a pointer to security@gladiusbdc.com.

Our pledges

Written down. In the contract.

These are not aspirations — they live in our MSA and they hold in court.

  • 01 We will disclose any confirmed security incident affecting customer data within 72 hours of confirmation, in writing, to every affected dealer principal. This commitment lives in our MSA.
  • 02 We will never sell, share, or syndicate dealer data (leads, calls, transcripts, or recordings) to a third party for marketing, lead resale, or model training. Dealer data is dealer property.
  • 03 We will never run unannounced production data exports for analytics. Cross-tenant analytics use anonymized aggregates with k-anonymity enforced.
  • 04 Researchers who report a vulnerability in good faith will not face legal action. We pay bug bounties out of pocket; see below.

Responsible disclosure

Found a vulnerability? We’ll pay you and thank you.

Email security@gladiusbdc.com with a description, reproduction steps, and the impact you believe the issue has. We acknowledge within 24 hours, fix high-severity issues within 7 days, and pay a bounty from $250 for low-impact findings up to $10,000 for critical ones (pre-auth RCE, multi-tenant data crossing, Twilio webhook bypass). No legal action against good-faith researchers; that is our pledge.

Ack SLA

24 hours

Bounty range

$250 – $10,000

Gladius Technologies LLC · Tampa, FL · 2026 · Sales 813-442-0253

// ONE ROOFTOP PER REGION · FOUNDER CELL 813-442-0253