# SOC 2 Type II compliance and what it means for your dealership

_Source: https://www.toma.com/blog/soc-2-type-ii-compliance-dealer-group-automotive-ai — by Chris_

> Toma's SOC 2 Type II compliance shows how we protect dealership and customer data with audited security controls.

## What SOC 2 Type II compliance actually means for dealership AI

When AI systems access dealership customer data (names, phone numbers, service histories, vehicle details) compliance becomes critical. Toma achieved Type II certification with zero exceptions following an independent audit.

SOC 2 is an independent audit framework by the American Institute of CPAs verifying that a company's security controls function as claimed. Type I audits assess controls at a single point in time, while Type II tests those controls over an extended period, confirming consistent operation throughout the year. Toma achieved Type II compliance with zero exceptions: no findings, no caveats, a clean report.

### What this means for dealership and automotive enterprises

Dealerships handle sensitive customer data: contact information, vehicle history, appointment schedules, warranty records, and financial details. Under frameworks like the Gramm-Leach-Bliley Act, dealerships bear responsibility for how third-party vendors handle this information.

For dealer groups operating across multiple locations, vendor security represents a significant risk management obligation. Enterprise procurement typically requires SOC 2 compliance before contract approval, and groups backed by private equity benefit from auditable vendor due diligence records. Not every AI vendor in automotive has one.

### How this layers with Toma's Safeguards

Toma built Safeguards (Transfer Triggers detecting frustration, Follow-up Alerts notifying teams, and Transfer Clawback preventing dead ends) to protect customer experience. SOC 2 Type II compliance protects the data behind those interactions, working together to establish vendor trustworthiness.

### What this means if you're evaluating AI for dealerships

Toma's SOC 2 Type II compliance report is available during vendor evaluations. For existing customers, operations remain unchanged; the report validates existing protections. Maintaining compliance requires ongoing audits that Toma commits to continuing transparently.
