FTC Safeguards and your security program
Use the Compliance page to track your FTC Safeguards Rule program — Qualified Individual, risk assessments, employee training, and security incidents.
The Compliance page is your home for the FTC Safeguards Rule. It tracks the records an auditor expects to see: who your Qualified Individual is, your risk assessments, your team's security-awareness training, and any security incidents. The page header reads FTC Safeguards Compliance.
AutoDealer.io is software, not a law firm, and does not write your Information Security Program (ISP) for you. There is no ISP document editor or "publish" step here. This page helps you track and document the moving parts of that program — your Qualified Individual, risk assessments, training, and incidents. Writing the program itself, and confirming it with your own counsel, is up to you.
What's on the page
At the top you'll see four status cards:
- Qualified Individual — the person responsible for your security program. Shows their name, or Unassigned (in red) if none is set.
- Last risk assessment — the date of your most recent assessment, or Never. Turns orange when the next one is due within 30 days, red when it's overdue (or when you've never recorded one).
- Training records — how many training records you've logged.
- Open incidents — incidents that aren't resolved yet.
Below the cards are three sections you add records to: Risk assessments, Training records, and Incidents.
Your Qualified Individual
The Safeguards Rule requires you to name one person to oversee your security program.
When the account is created, the owner who signs up is automatically set as the Qualified Individual. The Compliance page shows who that is. There's no button on this page to set or reassign the Qualified Individual — if you need to change who holds the role, contact support.
The Qualified Individual should turn on multi-factor authentication. You'll find that under Settings → Security.
Record a risk assessment
The FTC expects a written risk assessment, reviewed at least annually.
- In the Risk assessments section, click Record assessment.
- Set Assessed on — the date you did the assessment.
- Write a Summary of what you reviewed and found.
- Optionally set Next due (optional) — the date your next assessment is due. The status card uses this to warn you before it lapses.
- Click Save.
The record is stamped with your name and shows up in the list. Set Next due so the dashboard turns the status card orange 30 days out and red once it's overdue.
Record employee training
Everyone with access to customer information needs security-awareness training. Log each completion here.
- In the Training records section, click Record training.
- Pick the Employee from the dropdown (your team members appear with their role).
- Enter the Training name — for example, "Annual security awareness 2026".
- Set Completed on.
- Optionally set an Expires (optional) date and add Notes (optional).
- Click Save.
Use the Expires date for training you renew yearly. A record turns orange when it expires within 30 days and red once it has expired — so you can see at a glance who needs to re-train.
Report and resolve an incident
Document any event that touched customer information or your systems.
- In the Incidents section, click Report incident.
- Enter a Title.
- Choose a Severity — Low, Medium, High, or Critical (it defaults to Medium).
- Write a Description of what happened.
- Set Occurred on.
- Click Save. The incident is created with status Open.
To move an incident along:
- While it's Open, click Start investigating to change its status to Investigating.
- Click Resolve to close it. You're prompted for optional resolution notes, then the incident is marked Resolved with today's date.
Resolving an incident is final. Once an incident is Resolved you can't reopen it or change its status — the action buttons disappear and the system rejects any further transition. Make sure it's truly closed before you resolve it.
Who can use this page
Any signed-in team member can open the Compliance page, view the status cards, and record assessments, training, and incidents. The Qualified Individual is the named owner of the program — that role is shown on the page but is set when the account is created, not edited here. The Compliance page is available on all plans.
Every action you take here — recording an assessment, logging training, reporting or resolving an incident — is written to your Audit log. That's a separate page (the Audit log link sits next to Compliance in the sidebar's Compliance section), and it records who did what and when — your paper trail for an exam.
What this page is not
- It does not write your Information Security Program document, and it has no AI to draft one. There is no ISP draft, publish, or version-history feature.
- It does not file anything with the FTC or any regulator.
- It is not legal or compliance advice.
- OFAC screening and the Red Flags identity check happen inside each deal's Compliance step, not here. This page holds your dealership-wide Safeguards program records.
FAQ
Does AutoDealer.io create my written Information Security Program (ISP) for me?
No. The Compliance page tracks the components of your program — your Qualified Individual, risk assessments, training, and incidents — and keeps an audit trail. There's no ISP document editor or publish step. Writing the actual program, and confirming it meets the rules, is up to you and your counsel.
Who is my Qualified Individual, and how do I change it?
The owner who created the account is set as the Qualified Individual automatically. The Compliance page shows who it is. There's no button on the page to reassign it — contact support if you need it changed.
How often do I need a risk assessment?
The FTC expects a written assessment reviewed at least annually. Set a Next due date when you record one so the dashboard warns you 30 days before it's due and flags it red once it's overdue.
Who has to take security training?
Everyone on your team with access to customer information. Log a record for each person each time they complete training, and use the Expires date so you can see who's due to re-train.
Can I reopen an incident after resolving it?
No. Resolving an incident is final — there's no way to reopen it or change its status afterward, and the system rejects the attempt. Confirm it's fully handled before you click Resolve.
Where are the OFAC and Red Flags checks?
Those are part of the deal-closing workflow, not this page. You run OFAC sanctions screening and the Red Flags identity checklist inside each deal's Compliance step. This page covers your dealership-wide FTC Safeguards program.