Security & Compliance Report

Vision Dealer Solutions Security Report by Drata
VisionMenu, Inc — Powered by Drata
Last Updated: October 16, 2025


Report Summary

Drata tests Vision Dealer Solutions’ security and IT infrastructure daily to confirm that the company maintains a strong security posture, as defined by industry security standards.

This report:

  • Tests a complete set of security and infrastructure controls that may appear in an audit.

  • Identifies gaps and vulnerabilities in infrastructure and processes.

  • Identifies issues critical for remediation.

  • Helps customers understand the company’s security posture.

This document is updated continuously. As Vision Dealer Solutions improves its security posture, those changes become visible here as soon as Drata’s tests record them.


Intended Use

This Vision Dealer Solutions Report can be used by customers and prospects to understand how Vision Dealer Solutions manages security and compliance.


Drata’s Approach to Continuous Monitoring

Drata continuously monitors the company’s policies, procedures, and IT infrastructure to ensure the company adheres to industry standards.

To do this, Drata connects directly to the company’s infrastructure accounts, version control and developer tools, task trackers, endpoints, hosts, HR tools, and internal policies. Drata then continuously monitors these resources to determine if the company meets defined framework standards.


Data and Privacy

Customer Data Policies (2 Controls)

Vision Dealer Solutions management has approved all policies that detail how customer data may be made accessible and how it must be handled. These policies are accessible to all employees and contractors.

Continuously Monitored via 2 Drata Tests:

  • Policies Cover Employee Access.

  • Policies Cover Employee Confidentiality.

Least-Privileged Policy for Customer Data Access

Vision Dealer Solutions authorizes access to information resources, including data and systems, based on the principle of least privilege.


Internal Admin Tool (1 Control)

Require Encryption of Web-Based Admin Access

Vision Dealer Solutions uses encryption to protect user authentication and admin sessions of the internal admin tool transmitted over the Internet.

Continuously Monitored via 1 Drata Test:

  • SSL/TLS on Admin Page of Infrastructure Console.


Internal Security Procedures

Software Development Life Cycle (5 Controls)

  • Critical Change Management: Designated members validate, change, and release critical security patches outside of standard change management when necessary.

  • Version Control System: Used for source code, documentation, and release management. Access requires admin approval.

    • Continuously Monitored: Version control use, authorization, and change approvals.

  • Code Review Process: All code changes are reviewed and tested by someone other than the author.

  • Production Code Changes Restricted: Only authorized personnel can push or modify production code.

  • Separate Testing and Production Environments: Used for application development.


Responsible Disclosure Policy (2 Controls)

  • Employee Disclosure Process: Employees can report security, confidentiality, or availability incidents.

  • Disclosure Process for Customers: External users can report concerns through support documentation and contact information.


Access Control (3 Controls)

  • System Access Control Policy: Requires annual access reviews and request forms for new hires or transfers.

  • Access Control Review: User access rights are reviewed annually.

  • Baseline Configuration & Hardening Standards: Security configuration standards are reviewed and verified regularly.


Vulnerability Management (11 Controls)

Includes:

  • Network segmentation and diagram maintenance.

  • Annual risk assessments.

  • Quarterly vulnerability scans.

  • Annual penetration tests.

  • Organizational chart and role structure maintenance.

  • Asset inventory, architectural diagram documentation, and remediation planning.


Security Issues (3 Controls)

  • Continuous control monitoring with Drata.

  • SLA enforcement for security bugs.

  • Security issues prioritized by severity.


Business Continuity (4 Controls)

  • Documented disaster recovery plan.

  • Annual BCP/DR testing.

  • Multiple availability zones for redundancy.

  • Defined Business Continuity Plan for operational recovery.


Incident Response Plan (4 Controls)

  • Tracked follow-ups and incident documentation.

  • Dedicated incident response team.

  • “Lessons Learned” review and analysis.

  • Annual testing of the incident response process.


Organizational Security

Security Policies (3 Controls)

  • Policies accessible to all employees and contractors.

  • Annual acknowledgment and review.

  • Software Development Life Cycle Policy: Documented SDLC with approvals, validations, and tracking.

Security Program (3 Controls)

  • Assigned security team/steering committee.

  • Annual employee training and awareness.

  • Timely internal communication of incidents.


Personnel Security (10 Controls)

  • Termination/offboarding checklist.

  • Acceptable Use Policy (acknowledged on hire).

  • Background checks for employees and contractors.

  • Code of Conduct acknowledgment.

  • Data Protection Policy acknowledgment.

  • Defined roles and performance evaluations.

  • Formal recruiting process with detailed job descriptions.


Endpoints / Laptops (5 Controls)

  • Password manager required and installed.

  • Hard-disk encryption.

  • Session lock within 15 minutes.

  • Antivirus software installed.

  • Security patches auto-applied.


Product Security

Data Encryption (3 Controls)

  • Encryption in transit (HTTPS enforced, valid SSL/TLS).

  • Cryptography policies in place.

  • Encryption at rest for cloud-stored data.


Vendor Management (3 Controls)

  • Vendor management policy.

  • Directory of vendor agreements.

  • Annual review of compliance reports.


Software Application Security (6 Controls)

  • SSO or password authentication; MFA required for employees.

  • Role-based access.

  • Customer data segregation.

  • Secure password storage with salted hashes.

  • Acceptance of Terms of Service.

  • Auto logout on inactivity.


Customer Communication (3 Controls)

  • Security commitments defined in Master Service Agreements.

  • Publicly available Privacy Policy.

  • Publicly available Terms of Service.


Infrastructure Security

  • MFA on all systems.

  • Password policy enforcement.

  • Unique employee accounts.

  • Immediate access removal upon termination.

  • SSH and remote admin ports restricted.


Availability & Storage

  • Customers informed of relevant system changes.

  • Cloud storage configured to restrict public access.


Backup (3 Controls)

  • Daily automated database backups.

  • Documented backup policy (frequency and retention).

  • Versioned and retained data storage.


Logging & Monitoring

  • Centralized log storage and management with alerts.

  • Continuous monitoring of databases, servers, and NoSQL clusters.


Network Security (8 Controls)

  • System monitoring and automated alerts.

  • VPN access required for production.

  • Firewalls and intrusion detection.

  • Infrastructure linked to Drata for oversight.


Protecting Secrets (2 Controls)

  • Managed credential keys and encryption policies.


Physical Security (1 Control)

  • Physical security policies for facility access.


Availability Scaling (3 Controls)

  • Quarterly capacity and usage monitoring.

  • Load balancer implementation.

  • Auto-scaling server provisioning.


Backups (3 Controls)

  • Backups encrypted and separated from production systems.

  • Backup monitoring and alerts.

  • Annual integrity and completeness tests.


Confidentiality (4 Controls)

  • Data retention policy.

  • Data classification policy.

  • Use of test data in test environments.

  • Customer data deletion within 30 days of termination.


Additional Controls (19 Controls)

Includes: annual incident response testing, automated updates, DLP software, FIM software, fraud risk assessments, cybersecurity insurance, production release approvals, removable media encryption, management oversight, and secure runtime configurations.


Appendix A: Definitions

Key definitions include DDoS, MFA, Penetration Test, Principle of Least Privilege, SDLC, SSH, and SSL.


Appendix B: Document History

Drata performs continuous, automated monitoring of Vision Dealer Solutions’ security controls. This report is automatically updated to reflect the latest findings.


About Drata

Drata provides a product suite designed to continuously monitor and collect evidence of hundreds of security controls across company IT systems and processes. Its platform connects with infrastructure, identity providers, developer tools, HRIS, and more to provide a comprehensive view of compliance posture while automating manual workflows.

Learn more at drata.com

Other Security Resources

SOC 2 Type 2 Compliance

Vision Dealer Solutions has received a clean SOC 2 Type 2 attestation report for 2025, reaffirming its ongoing commitment to top-tier data security, confidentiality, and availability standards. The audit, conducted by Sensiba LLP, validates the company’s strong internal security controls and continuous compliance since 2023.

FTC Safeguards Rule Compliance Statement

Vision Dealer Solutions has implemented administrative, technical, and physical safeguards in full compliance with the FTC’s GLBA Safeguards Rule to protect customer data and ensure confidentiality.

Legal Opinion

Hudson Cook, LLP issued a formal legal opinion confirming that Vision Dealer Solutions’ vSignature System meets the requirements of ESIGN, UETA, and UCC Article 9—ensuring that contracts executed through vSignature are legally valid and enforceable electronic records.
