At Driveway, we take security and compliance seriously. Below, you'll find a list of common security-related questions and information about the steps we take to ensure our customers' data is always handled safely.

The Driveway SDK does not have access to user data or any customer information.

Its only purpose is enabling your users to view the interactive walkthrough version of your public Driveway guides without having to download the Driveway Chrome extension.

Driveway's Chrome extension can be used to create and view Driveway guides. The extension requires access to the following data when downloaded from the Chrome Web Store to create guides:

Driveway allows users to redact PII from the screenshots in the guides they create. Once redacted, the original screenshots are deleted from Driveway's database and cannot be recovered.

We require access to first name, last name, and email address for a user to use Driveway.

All data is encrypted at rest with AES-256, block-level storage encryption, and in transit with TLS certificates.

Data is stored and processed in the US. At this time, we are unable to support data storage and processing at a specifically-requested region.

Driveway leverages Heroku for its infrastructure and managed firewall, DDoS mitigation, Spoofing protection, and port scanning services for Driveway’s infrastructure. A variety of additional considerations are in place for data protection, physical, and environmental security. More information can be found here.

In the event that you would like your account deleted, we will permanently delete your account and content within 30 days, unless we need to retain any information to comply with our legal obligations, resolve disputes, or enforce our agreements.

Data is permanently deleted from our database and its backup instances on request, and according to our retention schedule.

We require users to authenticate via Google Auth or their own username and password in order to access the Driveway web application. Our Chrome extension can be installed but guides created cannot be saved without a user authenticating.

Yes, we have procedures in place for data portability (export provided on request), data deletion (at the production and snapshot-database level), and consent management.

Driveway is SOC 2 Type II certified and SOC 3 certified. You can get our SOC 2 Type II report by emailing us at hello@driveway.app. You can view our public SOC 3 report here.

Driveway requires all vendors and contractors to sign a BAA and complete mandatory HIPAA training. All employees complete mandatory HIPAA training as well, with quarterly reviews

Our production database is automatically and continuously backed up over the previous 4 days, and can be recovered to a specific point in time over that period in the event of a catastrophic incident. This allows us to mitigate the risk associated with an accidental data deletion or data overwrite. Since we leverage Heroku to host our production database, this achieved through physical backups that persist incremental snapshots of the file system and WAL files to an encrypted S3 bucket in the US region.

We run these tests annually. Our last test of backup and restore procedure was January 2023.

We leverage a Postgres database and Redis instance to process data. These are both managed services, provisioned by Heroku.

Data is transferred via HTTPS.

Passwords are rejected if they are less than 8 characters, entirely numeric, or appear on a list of 20,000 common passwords.

Currently all users are granted the same level of access and permissions within the Driveway web app. We will introduce an additional license tier as part of our paid offering to differentiate users that have access to certain premium features in 2023.