ISO 9001 & ISO 27001 Aligned · Quality Repository

Our Standards. Documented.

Trailer Shopper® operates an integrated Quality Management System (ISO 9001:2015) and Information Security Management System (ISO 27001:2022). Every policy, procedure, control, and audit record is documented and version-controlled in our Quality Repository.

Documentation contents are gated. Submit a request below and our compliance team will respond within 1–2 business days.

Honesty First

Status: Internally aligned with ISO 9001:2015 and ISO 27001:2022. We use “aligned with” / “follows” language — not “certified” — until we complete a formal audit with an accredited certification body. Documentation, controls, and operating procedures meet the standards’ clauses. Engagement of an accredited body is on our roadmap.

Why This Matters

For Our Customers, Partners, and Vendors of Record

Vendor Onboarding

Enterprise dealers and manufacturers require formal documentation of QMS + ISMS as part of vendor approval. We have it ready.

Audit-Ready

Every privileged action is logged. Every change is traceable. Every doc is version-controlled. Internal + external auditors get what they need on day one.

Customer Trust

When you trust us with your inventory, customer list, financials, and brand — we document exactly how we protect those assets and prove it.

Document Inventory

What’s in the Repository

Titles, ISO clauses covered, and 1-line summaries are public. Contents are gated — request access below.

ISO 9001 — Quality Management

7 documents
  • Quality Repository Overview · Index

    Quality Repository index — all documents listed with their ISO clause coverage.

  • Scope of the QMS + ISMS · ISO 9001 4.3, ISO 27001 4.3 · restricted

    Defines the scope of the integrated QMS + ISMS — products, services, locations, and information assets in scope.

  • Interested Parties Register · ISO 9001 4.2, ISO 27001 4.2 · restricted

    Register of interested parties (dealers, manufacturers, wholesalers, consumers, staff, regulators, suppliers, auditors) and how their requirements are addressed.

  • Quality Objectives · ISO 9001 6.2 · restricted

    Measurable quality objectives for the current cycle — availability, support response, listing quality, AI accuracy, DR, security posture, doc freshness.

  • Management Review Records · ISO 9001 9.3, ISO 27001 9.3 · confidential

    Management review cadence, inputs, outputs, agendas (quarterly mini + annual full), retention.

  • Internal Audit Program · ISO 9001 9.2, ISO 27001 9.2 · restricted

    Internal audit cadence (monthly spot, quarterly procedure, annual full), method, findings categories, follow-up rules.

  • Continual Improvement Log · ISO 9001 10.3, ISO 27001 10.1 · restricted

    Living log of every improvement, corrective action, preventive action, and lesson learned — sources, status, AI Agent contributions.

ISO 27001 — Information Security

2 documents
  • Information Security Policy · ISO 27001 5.2, A.5.1 · restricted

    Top-level information security policy — confidentiality, integrity, availability commitments; defense-in-depth, zero-trust, sovereign per-dealer architecture, Post-Quantum cryptography.

  • Statement of Applicability (SoA) · ISO 27001 6.1.3.d · restricted

    Mapping of all 93 ISO 27001:2022 Annex A controls (A.5/A.6/A.7/A.8) to our implementation, with a justification for each control marked not applicable.

Policies

9 documents
  • Access Control Policy · ISO 27001 A.5.15–A.5.20, A.8.2, A.8.3 · restricted

    Access control rules — least privilege, identity model, authentication, RBAC, periodic review.

  • Acceptable Use Policy · ISO 27001 A.5.10 · restricted

    Acceptable-use rules for staff, contractors, and dealers with privileged access — what is and is not allowed.

  • Supplier Security Policy · ISO 27001 A.5.19–A.5.23 · restricted

    Supplier security policy + register of Tier 1/2 suppliers, evaluation criteria, monitoring + offboarding.

  • Data Protection + Privacy Policy · ISO 27001 A.5.34, ISO 27018, CCPA · restricted

    Data Protection + Privacy Policy — PII categories, lawful basis, subject rights, encryption, retention, breach notification, AI training consent.

  • Cryptographic Controls Policy · ISO 27001 A.8.24 · restricted

    Approved algorithms (AES-256-GCM, TLS 1.3, bcrypt), key management lifecycle, prohibited algorithms, rotation cadence, Post-Quantum migration roadmap.

  • Secure Development Policy · ISO 27001 A.8.25–A.8.31 · restricted

    Secure SDLC — requirements through deploy, separation of environments, secure coding standards, AI-generated code rules, outsourced development.

  • Logging + Monitoring Policy · ISO 27001 A.8.15, A.8.16, A.5.28 · restricted

    What we log, where, retention, integrity protection, monitoring activities (active + periodic + alerting), privacy-in-logs rules.

  • Network Security Policy · ISO 27001 A.8.20–A.8.23, A.5.23 · restricted

    Perimeter controls (CF WAF, SBFM, Turnstile), origin firewall, egress controls, network segregation, cloud security posture.

  • Records Retention + Disposal Policy · ISO 27001 A.5.33, ISO 9001 7.5.3 · restricted

    Retention schedule for compliance, system logs, customer data, financial, HR, vendor records; disposal procedures; legal hold; data subject deletion.

Procedures

7 documents
  • Incident Response Procedure · ISO 27001 A.5.24–A.5.28 · restricted

    Detection, classification, response, evidence preservation, and post-incident learning for security incidents.

  • Change Management Procedure · ISO 9001 8.5.6, ISO 27001 A.8.32 · restricted

    How code, schema, infrastructure, and config changes are planned, reviewed, tested, deployed, audited, and rolled back.

  • Backup + Recovery Procedure · ISO 27001 A.8.13, A.5.29, A.5.30 · restricted

    RTO/RPO targets, backup tiers (B2 daily, Restic weekly, image push), restore procedures, quarterly DR drill.

  • Document Control Procedure · ISO 9001 7.5, ISO 27001 7.5 · restricted

    How documented information is created, approved, identified, distributed, stored, controlled, and retained.

  • Vulnerability + Patch Management Procedure · ISO 27001 A.8.8, A.8.32 · restricted

    Vulnerability + patch management — sources, CVSS-based severity, SLAs by tier, remediation workflow, zero-day handling.

  • HR Security Procedure · ISO 27001 A.6 (all 8 controls), ISO 9001 7.2 · restricted

    HR security — screening, terms of employment, security awareness training, disciplinary process, termination + change of role, NDA, remote working, event reporting.

  • Asset Management Procedure · ISO 27001 A.5.9, A.5.10, A.5.11, A.7.9, A.7.10, A.7.14 · restricted

    Asset categories (physical + cloud + intangible), register, classification, acceptable use, off-premises rules, storage media, return on offboarding, secure disposal.

Infrastructure + Asset Map

2 documents
  • Infrastructure + Asset Map · ISO 27001 A.5.9, A.8 · restricted

    Inventory of production assets — application nodes, Cloudflare Workers, object storage, network controls, identity systems, cryptographic material, logging, backups, AI providers.

  • Risk Register · ISO 27001 6.1.2, ISO 9001 6.1 · confidential

    Identified information-security and quality-management risks — likelihood × impact scoring, treatment, owner, status. 20 active risks tracked.

Audit Trails

5 documents
  • S123 — AI Security Hardening + Accessibility Remediation (2026-05-13) · ISO 27001 A.8.32 + A.8.15 + A.8.21 · restricted

    Tier 1 (10 CF WAF rules + 1 rate-limit) + Tier 2 (prompt-injection detection, LLM hardening, output filter, auth/lead/api rate limits) + chrome contrast + new 404. Pre-deploy Restic snapshot bbaf2f4e. BUILD_ID vMRlWyp7cWVnStu7hDHzp on prod cb1+cb2. Full coverage matrix + ISO clauses A.5.28/A.5.30/A.5.34/A.8.5/A.8.15/A.8.16/A.8.21/A.8.23/A.8.28/A.8.32 + ISO 9001 8.5.6 addressed.

  • Accessibility Audit — Week of 2026-05-13 · ISO 27001 A.8.15 + ISO 9001 9.1 · restricted

    axe-core 4.10 sweep of 20 representative URLs. Totals: critical=2, serious=619, moderate=50, minor=0.

  • Accessibility Audit — Week of 2026-06-06 · ISO 27001 A.8.15 + ISO 9001 9.1 · restricted

    axe-core 4.10 sweep of 18 representative URLs. Totals: critical=0, serious=0, moderate=29, minor=0.

  • Accessibility Audit — Week of 2026-06-07 · ISO 27001 A.8.15 + ISO 9001 9.1 · restricted

    axe-core 4.10 sweep of 18 representative URLs. Totals: critical=0, serious=0, moderate=28, minor=0.

  • Accessibility Audit — Week of 2026-06-14 · ISO 27001 A.8.15 + ISO 9001 9.1 · restricted

    axe-core 4.10 sweep of 18 representative URLs. Totals: critical=0, serious=0, moderate=28, minor=0.

Per-Dealer Audit Trails

Every Dealer Gets Their Own Compliance Report

Each dealer on our platform receives a downloadable, ISO-aligned audit trail of every privileged action taken on their account — logins, configuration changes, data changes, integrations, inventory updates, lead handling. Useful for the dealer’s own internal audits, RFPs, and partner-of-record agreements.

  • Monthly auto-generated PDF reports
  • On-demand period selection (any range)
  • Cryptographically signed + verifiable
  • Maps each event to the relevant ISO 27001 control
  • Dealer keeps the report — theirs to share with their auditors

Coming Soon

Audit Trail Generator

The per-dealer audit trail generator is scheduled for our next release (S126). Active dealers will see the “Download Audit Trail” button appear in their dashboard.

Want early access for your RFP or audit? Mention it in the request form below.

How We Operate

Audit & Review Cadence

ISO 9001 + 27001 aren’t one-time paperwork. They’re continuous-improvement programs with defined review intervals. Here’s our schedule.

Daily

  • AI compliance agent run (Morgan, persona-compliance) — rule-based + AI-enhanced pulse generation across error logs, security events, deploys
  • Activity log integrity check (privileged actions, admin auth events)
  • Restic encrypted backup of database, image assets, configs, cron, .env (AES-256-GCM to B2)

Weekly

  • Document review-cycle check — any doc within 30 days of its next_review_at surfaces an amber/red alert in the admin dashboard
  • Restic backup integrity check against B2
  • Pending invite + access-request triage

Monthly

  • Statement of Applicability review against Annex A controls (93 controls)
  • Risk register review — emerging threats, mitigations, residual risk
  • Per-dealer audit-trail PDF generation (coming S126)

Quarterly

  • Restic full restore drill (1st of Jan/Apr/Jul/Oct) — proves disaster-recovery actually works
  • Document classification audit (public / restricted / confidential alignment)
  • Third-party / supplier security review

Annual

  • Full ISMS management review — scope, controls, objectives, performance, audit findings, improvement opportunities
  • Internal audit covering all clauses + Annex A
  • External certification audit (engagement on roadmap — not yet certified)

On Every Deploy

  • QAS Deploy Hook records commit SHA, message, files changed, and maps each touched file to its ISO 27001 control
  • evidence_summary pulse emitted to compliance_pulses — appears in admin dashboard
  • Every privileged code path is audit-logged at runtime

If You Submit a Request

Your Rights & What to Expect

What you get if approved

  • Unique access link with a 64-character single-use token
  • Read access to the documents your request covered — no edits, and no downloads of confidential-class documents without a separate NDA
  • Access valid for 30 days from approval — extendable on request
  • Every view is logged for our audit trail (timestamp, IP, doc accessed)
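The access model in the list above, as an added example that is not the site's own code: it assumes the link's 64-character token is exchanged once for a read session that lasts the rest of the 30-day window (the page does not spell out how "single-use" and "valid for 30 days" combine), and that each document's classification and the requester's NDA status are known at grant time. The class, its helpers and the sample values are constructed for illustration.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(days=30)   # access window stated on the page


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def _sha256(s):
    return hashlib.sha256(s.encode()).hexdigest()


class AccessGrant:
    """One approved documentation request (hypothetical model, not the site's code)."""

    def __init__(self, docs, nda_signed=False, now=None):
        self.docs = dict(docs)                  # doc id -> classification
        self.nda_signed = nda_signed
        self.expires_at = (now or datetime.now(timezone.utc)) + TOKEN_TTL
        self.session = None                     # set once the link token is redeemed
        self.views = []                         # (timestamp, ip, doc, outcome) audit log
        self._token_hash = None

    def issue_link_token(self):
        """32 random bytes -> 64 hex chars; only the hash is kept server-side."""
        token = secrets.token_hex(32)
        self._token_hash = _sha256(token)
        return token

    def redeem(self, token, now=None):
        """Single use: the first valid presentation burns the token and opens a session."""
        now = now or datetime.now(timezone.utc)
        if self._token_hash is None or self.session or now >= self.expires_at:
            return False
        if not secrets.compare_digest(_sha256(token), self._token_hash):
            return False
        self._token_hash, self.session = None, secrets.token_hex(16)
        return True

    def view(self, doc, ip, now=None):
        """Read-only view gated by session, expiry, scope and the confidential/NDA rule; always logged."""
        now = now or datetime.now(timezone.utc)
        allowed = (self.session is not None and now < self.expires_at and doc in self.docs
                   and (self.docs[doc] != "confidential" or self.nda_signed))
        self.views.append((now.isoformat(), ip, doc, "ok" if allowed else "denied"))
        return allowed

    def extend(self, days):                     # extension on request, as the page allows
        self.expires_at += timedelta(days=days)
```

Denied attempts are logged alongside successful views so the audit trail shows scope and expiry checks actually firing, not only the reads that went through.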

What we don’t share publicly

  • Source code, infrastructure secrets, encryption keys, customer data
  • Internal security incident details unless you are a directly affected party or under NDA
  • Documents classified confidential without a signed Mutual NDA
  • Per-dealer business data of any dealer other than your own

How to escalate

  1. No response in 2 business days? Reply to your original request email — we’ll bump it.
  2. Request was denied and you disagree? Email [email protected] with the subject “Compliance request escalation” and your request number. A second reviewer will look at it within 1 business day.
  3. Time-sensitive (RFP deadline, vendor questionnaire)? Call 608-237-7033 and ask for the compliance team. We’ll route you live.
  4. Regulatory or legal matter (subpoena, breach notification, regulator inquiry)? Email [email protected] with subject “Legal / Regulatory”. Handled outside the normal access-request queue with elevated urgency.

All compliance correspondence is logged. Escalations don’t reset the 30-day token validity if your original request was approved — the link in your approval email continues to work for its full duration.

Request Access

Tell Us Who You Are.

Our compliance team reviews every request individually. Approval typically takes 1–2 business days. Approved requests receive a unique access link valid for 30 days.



Prefer to Talk?

Our Compliance Team Is Here.

Have a specific RFP requirement, vendor questionnaire, or audit deadline? Call us. We’ll route you straight to the right person.

Call 608-237-7033