Security & Compliance

Built for the buyers who hand us their license and credit pull.

Five layers. One brain. Zero ad-network surveillance.

Most car-buying sites are lead farms — your name and number reach ten dealers in ten minutes, and the spam never stops. GoFetch is engineered so that the only people who see your information are the ones you explicitly say can.

AWAIS IQ 145 · 261 attack patterns catalogued · 0 buyer breaches

Five layers of defense

Stack the layers. Break one, the next holds.

Each layer is implemented in our own code, audited at every PR, and instrumented with cron health checks. No third-party security-theatre dependencies.

01

Buyer PII encryption at rest

Driver's license images, ID OCR fields, addresses, credit pre-qual pulls — all AES-GCM encrypted at the application layer before Postgres ever sees them. Envelope-encrypted keys. We hash phones for dealer-side webhook matching so plaintext never has to leave our keystore.
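As an added illustration (not GoFetch's code), here is what application-layer AES-256-GCM envelope encryption and keyed phone hashing look like in TypeScript on Node's crypto module. The KEK and phone-hash key are constructed in memory as stand-ins for the keystore, and binding each ciphertext to its buyer row and column via AAD is an assumption, not something the page states.

```typescript
import { createCipheriv, createDecipheriv, createHmac, randomBytes } from "crypto";

// Assumed: in production the KEK and the phone-hash key live in the keystore/KMS;
// here they are constructed in memory for the demo.
const KEK = randomBytes(32);
const PHONE_HASH_KEY = randomBytes(32);

// AES-256-GCM seal: returns iv(12) | ciphertext | tag(16). The AAD is authenticated
// but not encrypted, so a blob fails to open if it is moved to a different context.
function aesGcmSeal(key: Buffer, plaintext: Buffer, aad: Buffer): Buffer {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, ct, c.getAuthTag()]);
}

function aesGcmOpen(key: Buffer, blob: Buffer, aad: Buffer): Buffer {
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(blob.length - 16);
  const d = createDecipheriv("aes-256-gcm", key, iv);
  d.setAAD(aad);
  d.setAuthTag(tag);
  // d.final() throws on tag mismatch (wrong key, tampered blob, or wrong AAD)
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Envelope encryption of one PII value: a fresh DEK per value, the DEK wrapped under
// the KEK. AAD binds both layers to the owning row and column, so a ciphertext copied
// into another buyer's row does not decrypt.
function encryptField(buyerId: string, column: string, value: string): string {
  const dek = randomBytes(32);
  const aad = Buffer.from(`${buyerId}:${column}`);
  const wrapped = aesGcmSeal(KEK, dek, aad);
  const field = aesGcmSeal(dek, Buffer.from(value, "utf8"), aad);
  return `${wrapped.toString("base64url")}.${field.toString("base64url")}`;
}

function decryptField(buyerId: string, column: string, stored: string): string {
  const [wrapped, field] = stored.split(".");
  const aad = Buffer.from(`${buyerId}:${column}`);
  const dek = aesGcmOpen(KEK, Buffer.from(wrapped, "base64url"), aad);
  return aesGcmOpen(dek, Buffer.from(field, "base64url"), aad).toString("utf8");
}

// Keyed hash of a normalized phone number for dealer-side webhook matching. An HMAC,
// not a bare SHA-256: the 10-digit phone space is small enough to enumerate, so an
// unkeyed hash would be reversible by anyone holding the column.
function phoneMatchKey(phone: string): string {
  const digits = phone.replace(/\D/g, "").replace(/^1(?=\d{10}$)/, "");
  return createHmac("sha256", PHONE_HASH_KEY).update(digits).digest("hex");
}
```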

02

Homegrown TOTP MFA

RFC 6238 implementation. AES-GCM wrapped secrets, bcrypt-hashed backup codes, 5-minute pending-MFA cookie for the challenge flow. Required on every buyer portal session that touches an active deal in F&I.

03

AWAIS application-layer defense

Embedded request-wire on every endpoint. Per-request bot scoring, kill-chain detection, JA3/JA4 TLS fingerprinting, Claude Haiku attack-intent explanation layer. 66 diagnostic rules, 53 error signatures, 261 root causes. IQ 145 self-grading.

04

Dealer-token isolation

Every FetchEye marketplace bid carries a scoped routing token. Tokens are dealer-bound, time-bound, and HMAC-signed. A compromised dealer account cannot see another dealer's bid book, buyer roster, or fee structure. Cross-tenant queries throw at the model layer.
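An added example, not GoFetch's code: a dealer-bound, deal-bound, time-bound routing token signed with HMAC-SHA256, and the model-layer check that throws on cross-tenant use. The signing key, the claim names and the CrossTenantError class are assumptions.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Assumed: the signing key comes from the keystore; it is constructed here for the demo.
const TOKEN_KEY = randomBytes(32);

interface RoutingClaims {
  dealerId: string; // dealer the token was issued to
  dealId: string;   // the one deal it may route
  exp: number;      // expiry, Unix seconds
}

class CrossTenantError extends Error {
  constructor(message: string) { super(message); this.name = "CrossTenantError"; }
}

function sign(payload: string): string {
  return createHmac("sha256", TOKEN_KEY).update(payload).digest("base64url");
}

// Issue a token for exactly one dealer, one deal, and a bounded lifetime.
function issueRoutingToken(dealerId: string, dealId: string, ttlSeconds: number, nowSeconds: number): string {
  const claims: RoutingClaims = { dealerId, dealId, exp: nowSeconds + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Model-layer check, run before any query. Order matters: the signature is verified
// before the payload is parsed, and the dealer identity being checked comes from the
// authenticated session, never from the token itself.
function verifyRoutingToken(token: string, sessionDealerId: string, requestedDealId: string,
                            nowSeconds: number): RoutingClaims {
  const parts = token.split(".");
  if (parts.length !== 2) throw new Error("malformed token");
  const [payload, sig] = parts;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(sig);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as RoutingClaims;
  if (claims.exp <= nowSeconds) throw new Error("token expired");
  if (claims.dealerId !== sessionDealerId || claims.dealId !== requestedDealId) {
    throw new CrossTenantError(`dealer ${sessionDealerId} is not scoped to deal ${requestedDealId}`);
  }
  return claims;
}
```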

05

Audit trail (soft-delete only)

Buyers, deals, dealer messages, and portal events are never hard-deleted — only flagged via deletedAt. Every state change writes an activity row. Crons are instrumented through cron_runs for retroactive forensics on any disputed deal.

The AI watchdog

AWAIS — the category we created

Autonomous Web Application Intelligence System. Embedded inside the app — not bolted on like a WAF. Learns attacker playbooks, plants deception, evolves its own rules, and watches all five products in the Gladius ecosystem — including GoFetch — through one brain.

  • $0 inference cost · pure-math algorithms
  • 66 rules · 53 signatures · 261 root causes · IQ 145
  • Sentinel Mesh — federation events propagate across 5 products in <30s

What we’re certified for

Honest about the box-checks. No marketing gloss.

We publish where we’re compliant, where we’re in progress, and where the framework doesn’t apply. If you’re an auditor, your evidence packet is ready.

FTC Safeguards Rule

Compliant

Column-level PII encryption, access controls, MFA on every account, encryption-in-transit (TLS 1.3 + HSTS preload), incident response plan, vendor risk management. Yes — it applies to us, because we facilitate the financing pre-qual.

GLBA — buyer NPI handling

Compliant

Buyer non-public information (income, SSN-tails, credit pull) is encrypted in flight and at rest, dealer-scoped on disclosure, and never sold. Privacy notice surfaced to consumers via /privacy.

SOC 2 Type II

In progress

Trust services criteria mapped to controls. Continuous evidence collection in place. Auditor engagement targeted Q4 2026. We will publish the report under NDA on request.

PCI-DSS

By design

Card data never touches our servers. Stripe Elements hosts the form; we receive only a tokenized reference. Out-of-scope for the full PCI envelope.

Request architecture

Every request, six checkpoints deep.

A request from a buyer’s phone or a dealer’s desk has to clear all six before it touches a database row. Each checkpoint is its own audit log.

01

Request

Browser → Vercel Edge / CDN. TLS 1.3, HSTS preload, COOP, CORP. Strict CSP rejects unknown script origins.

02

AWAIS gate

Every request screened by Defense — bot scoring, fingerprint, behavioral z-score, deception traps. Hostile traffic gets a doppler response, never the real route.

03

Next.js Edge / Node runtime

Stateless HMAC-signed session in an httpOnly + Secure + SameSite=Lax cookie. Homegrown auth — no third-party identity vendor dependency.

04

tRPC middleware (buyer / dealer gate)

Session decoded, role resolved, MFA verified. Buyer-side and dealer-side routes are split: a dealer-token request cannot reach a buyer-portal handler and vice versa. Every input passes Zod validation.

05

Prisma ORM

Parameterized queries only — no string-concat SQL anywhere in the surface. Buyer ID required on every read; cross-tenant queries throw at the model layer.

06

Postgres

Encrypted at rest. RLS policies as defense-in-depth. Backups encrypted with separate KMS keys. Soft-delete only on every revenue-bearing table.

vs. the lead-farm car-buying sites

The same lead-resale model that leaks your phone to 10 dealers in 10 minutes.

Free car-buying sites work for dealers, not you. Here’s how GoFetch is engineered differently — because the buyer pays us, so the buyer is the customer.

Control                              GoFetch                                        Typical lead-farm site
Buyer PII column-level encryption    AES-GCM in every PII column                    Row-level disk encryption only
Lead resale to dealers               Never. Buyer pays us — dealers don't.          TrueCar / AAA / Costco — $299-$399 per lead
MFA enforcement                      Required on every active deal session          Optional, opt-in only
Application-layer threat detection   AWAIS — embedded, self-learning                Perimeter WAF only
Dealer-side data isolation           Scoped HMAC tokens per dealer per deal         Shared CRM, app-level filter only
Breach disclosure SLA                72 hours, in writing, in the buyer contract    Silence until press inquiry

“Typical lead-farm site” column reflects publicly documented business models from TrueCar, AAA Auto, Costco Auto, and similar free-to-buyer aggregators. If a specific operator has since improved, send a pointer to security@gofetchauto.com and we’ll happily update.

Our pledges

Written down. In the buyer contract.

These are not aspirations — they live in our service agreement and they hold in court.

  • 01 · We will disclose any confirmed security incident affecting buyer data within 72 hours of confirmation, in writing, to every affected buyer. This commitment lives in our service agreement.
  • 02 · We will never sell, share, or syndicate buyer personal information to dealers, marketers, lead resellers, or AI training pipelines. You pay us. The dealers don't. That's how the alignment works.
  • 03 · We will never let a dealer access a deal that has not been explicitly assigned to them via the FetchEye marketplace flow.
  • 04 · Researchers who report a vulnerability in good faith will not face legal action. We pay bug bounties out of pocket — see below.

Responsible disclosure

Found a vulnerability? We’ll pay you and thank you.

Email security@gofetchauto.com with a description, reproduction steps, and the impact you believe it has. We acknowledge within 24 hours, fix high-severity issues within 7 days, and pay a bounty from $250 for low-impact findings up to $10,000 for critical pre-auth RCE or cross-buyer data exposure. No legal action against good-faith researchers — that’s our pledge.

Ack SLA

24 hours

Bounty range

$250 – $10,000

GoFetch Auto LLC · Tampa, FL · 2026