FTC Safeguards Compliance Information

FTC Safeguards: A Proactive Partnership

We've assembled this information as a proactive approach to providing our compliance information to our partners. This information is focused on the specific elements of the FTC ruling document 16 CFR § 314.4. Each paragraph and item from the rule document's section 314.4 is addressed below.

Questionnaire Answers

We have created a concise, downloadable questionnaire with our answers pre-filled in for you to make evidence gathering easier.  

16 CFR § 314.4

(a)

Qualified Individual

  • (a) A Qualified Individual responsible for overseeing, implementing, and enforcing our information security program has been designated.

  • (a)(2) A senior member of Quality Assurance, Inc. is designated to be responsible for direction and oversight of the Qualified Individual.

  • (a)(3) Our Qualified Individual, engaged via a third party, is required to maintain an information security program that protects Quality Assurance, Inc. in accordance with the requirements of 16 CFR § 314.4.

16 CFR § 314.4

(b)

Information Security Program

  • (b)(1) We base our security program on multiple factors, including a risk assessment that identifies reasonably foreseeable internal and external risks.
    • (b)(1)(i, ii, iii) This assessment fulfills the criteria outlined in these paragraphs.

  • (b)(2) Our security program requires a risk assessment at least annually that meets the criteria and requirements of 16 CFR § 314.4(b).

16 CFR § 314.4

(c)

Safeguards

  • (c)(1)(i, ii) Authorization and access controls are reviewed at regular intervals and during key events (partner dealership, employee, or contractor onboarding/offboarding) to ensure that access remains appropriate. Users responsible for their respective data domain (e.g., a dealership and its service customers) can also manage certain levels of access to their corresponding data at any time. Authentication is required at every point of access to data covered under 16 CFR 314 that is under our stewardship.

  • (c)(2) Data, personnel, devices, systems, and facilities are identified and managed pursuant to our risk assessment and security program.

  • (c)(3) Any customer data under our stewardship is encrypted both in-transit and at-rest with the following exception:
    • Partner dealerships may be utilizing unencrypted, legacy data transmission. Encrypted data transit is available for them to use at any time. We encourage any partners not utilizing secure data transfer (e.g.: FTPS) to upgrade their data transmission as soon as possible.

  • (c)(4) Our development practices are subject to the access controls aforementioned in this section. Any sensitive code or information is stored encrypted and behind access controls. Retention of customer data in source control or testing environments is prohibited by policy.

  • (c)(5) Access to information systems requires multi-factor authentication or compensating controls such as:
    • Private key authentication in conjunction with IP whitelisting.
    • X.509 certificate authentication in conjunction with a password.
    • "Jailed" user accounts used solely for data transmission.

  • (c)(6)(i, ii) Processes for securely disposing of customer data are followed as needed. Because data analytics is a core component of our business offerings, we retain data unless asked to expunge it from our systems, in which case the secure disposal process is followed. The volume and nature of retained data are periodically reviewed for relevance and disposed of as necessary.

  • (c)(7) We follow an adapted ITIL change management process that fits the needs of the business. As part of our security program, changes to user access to data, and major software changes involving non-anonymized data, are documented and approved in a ticketing system.

  • (c)(8) User access to information systems and developed software products is logged, and the logs are retained for a long duration. High-level monitoring of information systems is performed to detect attacks against services. Automated measures are also in place, such as account locking after failed login attempts and notifications triggered by certain key user management activities (e.g., password resets).

16 CFR § 314.4

(d)

Security Testing

  • (d)(1) We regularly perform security assessments to determine the effectiveness of the safeguards' key controls, systems, and procedures.

  • (d)(2) Monitoring of multiple factors, such as infrastructure, applications, users, and integrations, is in place. Logs and metrics are reviewed periodically, and instrumentation is in place to automatically notify on various security-centered criteria. System changes are managed through Infrastructure as Code (IaC), which we also use to monitor configuration drift. Code and dependencies are scanned for vulnerabilities, and remediation occurs within a short SLA. System dependencies and software in scope for FTC Safeguards are patched within a very short SLA as well.

    • (d)(2)(i) Penetration testing of our systems as a whole is not performed annually due to the financial impact of such an engagement. We engage our industry expert partners on a regular basis to penetration test new applications or material changes to systems.

    • (d)(2)(ii) Systematic scans of in-scope information systems to identify security vulnerabilities are performed automatically on a frequent basis. Vulnerability assessments are part of our Information Security Program review process.

16 CFR § 314.4

(e)

Policies and Procedures for Personnel

  • (e)(1, 3) Personnel are required to periodically review security awareness training materials. Those materials cover general information security best practices and, where applicable, focus on security risks identified by our risk assessments or Information Security Program.

  • (e)(2, 4) Quality Assurance, Inc. engages industry experts who are qualified to contribute to our security posture and our Information Security Program. These expert providers are consistently engaged in maintaining knowledge of the changing information security landscape, technologies, and security threats.

16 CFR § 314.4

(f)

Service Provider Oversight

  • (f)(1, 2) Service providers are chosen carefully to ensure they are capable of maintaining safeguards as required by FTC Safeguards. Maintaining appropriate controls to protect customer information, as required by FTC Safeguards, is a contractual requirement.

  • (f)(3) Our service providers are evaluated regularly to ensure appropriate safeguards and best practices are employed to protect customer information as required by FTC Safeguards.

16 CFR § 314.4

(g)

Information Security Program Updates

  • (g)(1) Quality Assurance, Inc. uses multiple factors to drive our Information Security Program, including our regular risk assessment and systems monitoring review. These factors are used to evaluate and adjust our Information Security Program.

16 CFR § 314.4

(h)

Incident Response Program

  • (h)(1, 2, 3, 4) We have developed an incident response plan which defines internal processes, roles and responsibilities, as well as a communication strategy. This is reviewed regularly along with our Information Security Program and risk assessments.

  • (h)(5) Our Information Security Program addresses the identification and remediation of any identified risks in systems and controls.

  • (h)(6, 7) The incident response plan is reviewed regularly along with our Information Security Program and risk assessments. The plan also includes documentation criteria for security events.

16 CFR § 314.4

(i)

Reporting

  • (i)(1, 2) Our Information Security Program includes a regular risk assessment report. The report also covers higher-level concerns regarding compliance, risk management, and security events, along with general recommendations for advancing the Information Security Program. This information is prepared by our Qualified Individual and reviewed with senior leadership.