MECHDESK // COMPLIANCE
MechDesk compliance
For auto repair shop operators. What we ship, what is available on request, and what we explicitly do not claim.
MechDesk is an auto-repair shop estimate / job / messaging product. There is no HIPAA scope. Compliance focus is consumer-protection (estimate+approval flow, parts-warranty disclosure) and data privacy.
Scope of data
What this product processes when you operate it as intended:
- Customer name, vehicle (VIN, plate, mileage)
- Estimate line-items, approvals, and revisions
- Photos / videos of repairs
- Messaging and reminders
Consumer-protection workflow
Most US states require written authorization before exceeding an estimate by a defined %. MechDesk encodes this into the estimate flow.
- Estimate revisions require explicit customer re-approval (timestamped).
- Parts-warranty disclosure pinned to invoice PDF.
- Magnuson-Moss Warranty Act compliant boilerplate available as an included clause.
Access control
Workspace isolation, MFA, and password-reset hygiene apply across all tiers.
- Workspace data scoped by row-level checks; admin operations require an MFA-backed session.
- Engineering production access is hardware-key MFA, ticketed, and logged.
- Account password reset round-trips email + invalidates all prior sessions.
Transport + monitoring
What every customer gets, every product, by default.
- TLS 1.2+ everywhere, HSTS preload-eligible (`max-age=31536000; includeSubDomains; preload`).
- Edge rate-limiting on auth, intake, quote, onboarding, and global write-quotas (caddy-ratelimit).
- Synthetic monitor every 5 minutes; two-strike paging on Telegram + SMS.
PCI-DSS (SAQ-A scope)
Because card data is fully outsourced to Stripe-hosted forms, we are scoped under SAQ-A — the minimum-scope self-assessment questionnaire. We do not maintain a Cardholder Data Environment.
- Card data never touches our servers — we use Stripe Checkout and the Stripe Customer Portal.
- Stripe webhook signatures are HMAC-verified server-side with a per-endpoint signing secret.
- Subscription billing, dunning, refunds, and tax run inside Stripe; we never store full PANs or CVVs.
Privacy + consumer rights
Any individual whose data we process can request access, correction, or deletion at support@brainiacstechsolutions.com. We honor the Global Privacy Control (GPC) signal as a CCPA/CPRA opt-out automatically.
- California (CCPA/CPRA): access, deletion, correction, opt-out of sale/share, limit-use of sensitive PI. We do not sell or share data for cross-context behavioral advertising.
- EU/UK (GDPR/UK-GDPR): access, rectification, erasure, restriction, portability, objection. DPA available at /dpa.
- Breach notification: 45 CFR §164.404 (HIPAA), Cal Civ §1798.82, GDPR Art. 33/34.
- Retention windows disclosed in /privacy.
Accessibility (WCAG 2.1 AA target)
We target WCAG 2.1 AA on all customer-facing surfaces and run an automated axe-core audit on every release. The audit currently passes 0 serious/critical findings across the public marketing pages.
- Skip-to-content link on every page.
- Keyboard-navigable forms with visible focus rings.
- Honors prefers-reduced-motion on transition components.
- Automated axe-core CI gate (bin/audit-a11y.ts) blocks regressions.
What we do not claim or provide
We list these explicitly so there is no ambiguity:
- We are NOT a parts inventory ERP — basic stock-on-hand only.
- We do NOT process state inspection reporting; integration on roadmap.
Resources
Questions? Email sales@brainiacstechsolutions.com with subject "MechDeskcompliance". For BAA requests, use subject "BAA request" and include your legal entity name.