Built for the way dealers actually get audited.
F&I is regulated. Lending is regulated. The way an AI model produces a recommendation is increasingly regulated. We design for all three from day one, not as a slide deck but as a paper trail.
- GLBA: Aligned
Gramm-Leach-Bliley Act
Privacy and Safeguards Rules
Customer NPI is encrypted at rest and in transit. Access is least-privilege, MFA-gated, and fully audited. Annual risk assessment and IR plan on file.
- ECOA / Reg B: Designed in
Equal Credit Opportunity Act
Fair lending non-discrimination
Models are evaluated for disparate impact across protected classes before deploy. Adverse-action reasoning is captured and surfaced in the deal jacket. Human-in-the-loop is mandatory for any decisioning step.
- TILA / Reg Z: Aligned
Truth in Lending Act
Disclosure and advertising rules
All consumer-facing payment displays comply with Reg Z disclosure requirements. CarOne's content templates are reviewed by counsel before deploy and versioned for audit.
- FTC Safeguards: Designed for
FTC Safeguards Rule
Information security program
Written information security program, vendor diligence, incident response, and staff training. SOC 2 attestation is on the roadmap, not yet in place.
- Red Flags: Supports dealer program
FTC Red Flags Rule
Identity-theft prevention
We do not own the dealer's red-flag program, but our identity-verification signals integrate with it. Suspicious patterns are surfaced for human review, never auto-resolved.
- CCPA / CPRA: Compliant
California Consumer Privacy Act
Consumer privacy rights
Right-to-know, right-to-delete, and right-to-opt-out are honored within 30 days. We do not sell consumer data. We do not use customer NPI to train models other customers see.
- GDPR: Compliant
EU General Data Protection Regulation
Cross-border transfers
We sign DPAs with Standard Contractual Clauses for any EU-resident data we touch. Lawful basis is documented per processing activity. EU subject-rights requests honored within 30 days.
- State dealer rules: Configurable per rooftop
State motor-vehicle dealer regs
F&I, advertising, doc fees
Doc-fee caps, advertising-disclosure templates, and F&I product approval checklists are configured per rooftop and per state at onboarding. Updates push automatically.
How we keep autonomous systems on the right side of the line.
Decisioning is recommendation, not action.
Anything with consumer-protection or fair-lending exposure surfaces as a recommendation. A named human at the dealership has to take the action, and we record who, when, and which version of the model.
Models are evaluated before they ship.
We run pre-deploy fairness evaluations across protected-class proxies (zip clusters, name distribution) and flag any disparate-impact signal above threshold. No fairness signal, no deploy.
Outputs are versioned and replayable.
For any decision recorded in a deal jacket, we can reproduce the exact model version, prompt, and inputs that produced it. Audit trails are first-class, not a slide.
Foundation-model providers are contractually fenced.
Our underlying model providers are under written agreement: customer NPI is never used to train their models. Period. Not opt-out, contractually prohibited.
Email compliance@dashai.ai; we respond within one business day.
- Compliance one-pager: PDF, single page, dealer-facing
- Data Processing Addendum (DPA): GDPR and CCPA-aligned
- Subprocessor list: With change-notification subscription
- Fair-lending evaluation report: Methodology and recent results
- State-rules matrix: Per state, per rooftop type
- AI governance summary: Model lifecycle, eval, change control
Program ownership and outside-counsel relationships are being formalized. Email compliance@dashai.ai for the current point of contact.
Need a specific document for your audit?
Email compliance@dashai.ai with the requirement and your deadline. We turn around within one business day.