Custom Software for Automotive — Inventory, DMS, Telematics, and Aftermarket

A vehicle is not a generic SKU. It carries a VIN that decodes into year, make, model, trim, engine, and a hundred build attributes; aftermarket parts attach to it through ACES and PIES fitment data that a generic catalog has no concept of; and a connected vehicle streams a firehose of telematics that a normal database is not built to absorb. The automotive sector runs on data structures that off-the-shelf commerce and CRM tools simply do not model — which is why dealers, parts sellers, and mobility operators end up with duct-taped workarounds.

We build software that speaks automotive natively. Inventory with real VIN decoding and multi-channel syndication. Aftermarket commerce where fitment filtering means a customer only ever sees parts that fit their car. Telematics platforms that handle high-volume time-series cleanly. And it is all built with the FTC Safeguards Rule in mind, because dealerships that arrange financing are now non-bank financial institutions on the hook for protecting customer financial data.

The data model is unusually specialized. VIN decoding, year-make-model-trim hierarchies, ACES and PIES fitment for parts, and the time-series volume of telematics each require purpose-built handling. A fitment mismatch sells a customer a part that does not fit and triggers a return; a naive telematics ingestion pipeline falls over the moment the fleet scales past a few hundred vehicles. The structures are well-defined industry standards, but a team that has never worked with them learns the hard way.

The integration surface is also gated in a way few industries match. Dealer management systems — CDK Global, Reynolds and Reynolds, Dealertrack, Tekion — tightly control third-party access through certified programs and contractual gates, and integration is as much a commercial negotiation as a technical one. We scope DMS integration honestly, account for the access constraints up front, and design around them rather than promising connectivity we cannot guarantee.

FTC Safeguards Rule. Dealers that arrange financing are non-bank financial institutions under the amended Safeguards Rule. That means a written information security program, a qualified individual overseeing it, access controls, encryption, MFA, and incident response on customer financial data. We build to those expectations by default and coordinate with your compliance officer on the formal program documentation. We do not give legal advice — we build the controls.

Customer PII and credit data. Auto retail collects driver-license data, Social Security numbers, and credit applications. We encrypt that data at rest and in transit, enforce least-privilege access, and keep an audit trail of who viewed credit and financial information.

Connected-vehicle and telematics privacy. Location and driving-behavior data is sensitive and increasingly regulated, including under state privacy laws. We minimize collection to what the service requires, secure the data pipeline, and support consumer access and deletion where the law applies.

PCI-DSS for payments. Service payments, parts checkout, and subscriptions route through Stripe so card data is tokenized and your environment stays in the lightest PCI scope.

Vehicle cybersecurity scope. We build dealership, fleet, and commerce software — the business and data layer. We do not perform in-vehicle ECU or CAN-bus security work; that is a specialized embedded discipline, and we scope our engagements to the application and data tier where we can deliver real value.

Next.js 16 on the App Router with React and TypeScript end-to-end for inventory, commerce, and dashboards. Postgres for the system of record, with a time-series extension or a dedicated time-series store when telematics volume demands it. Prisma or Drizzle as the type-safe ORM. Stripe for service, parts, and subscription payments so PCI scope stays light.

VIN decoding runs against a maintained data source; fitment is modeled on ACES and PIES so the catalog filters correctly. A background worker layer (Inngest or BullMQ on Redis) handles syndication, telematics ingestion, and feed updates that should not block a request. Sensitive customer financial data gets envelope encryption and strict access logging to satisfy the Safeguards Rule. Sentry plus a log aggregator for observability, with PII redaction in the logger. The web tier deploys to Vercel; high-volume telematics ingestion and the data plane move to a hardened, scalable environment when load requires it.

First, treating fitment as a search filter instead of a data model. Aftermarket commerce that bolts a few attributes onto a generic catalog sells customers parts that do not fit, and returns eat the margin. ACES and PIES exist for a reason — model fitment properly or the catalog will lie to customers.

Second, assuming DMS access. Teams design an integration around live DMS data and discover the platform gates access behind a certification program, a fee, and a contract the dealer has not signed. We scope the DMS path as a commercial-and-technical question up front so the build is not blocked by an access wall halfway through.

Third, under-engineering telematics ingestion. A pipeline that works for a demo fleet of ten vehicles collapses at a thousand, because the time-series volume is an order of magnitude beyond what a naive design handles. Build the ingestion for the scale the fleet will actually reach.

Automotive software touches customer credit applications and the financial data the Safeguards Rule now obligates dealers to protect — not the kind of thing you want on an anonymous contractor's laptop overseas. And the specialized data work, from fitment to telematics, rewards a senior who has done it before. We are US-based and founder-led, and the person who designs your data model and your customer-data controls is reachable when it matters.

William Beltz writes or reviews every line that touches customer financial data, inventory, and the integrations that carry it. NDAs are mutual and signed before discovery. Source code lives in your GitHub organization, not ours. The handoff is documented for either ongoing collaboration or in-house ownership — your call.

Dealerships are frequent ransomware and data-theft targets because they hold credit applications and customer financial data, and a 2024 DMS-vendor outage showed how disruptive an attack on the sector can be. We run penetration tests mapped to the MITRE ATT&CK techniques those attackers actually use, then deliver a heatmap of which techniques succeed, which get detected, and which get blocked.

For the inventory systems, commerce storefronts, telematics dashboards, and F&I tooling that carry customer and vehicle data, web application penetration testing covers authentication, authorization, the payment boundary, and the integration endpoints that connect to your other systems. Every finding maps to ATT&CK technique IDs so your team knows what to alert on.