Data Security

Data security at Smartcar

Learn about the measures we take to ensure the safety of the Smartcar platform.

Secure by design

Data encryption

All requests to Smartcar services must be made over Hypertext Transfer Protocol Secure (HTTPS). HTTPS ensures that data is encrypted in transit between Smartcar services and client servers and devices. All data stored by the Smartcar platform is protected with industry-standard Advanced Encryption Standard (AES) 256-bit encryption. Encryption at rest ensures that stored information remains protected even in the event of a data breach.

Network infrastructure

The Smartcar platform is hosted on industry-standard cloud infrastructure. This ensures maximum performance, resilience, and speed of deployment of Smartcar’s services. In addition, Smartcar configures and maintains best-practice network security measures at every level of the network stack. This ensures isolation of components and services to prevent unauthorized access to the Smartcar platform.

Continuous monitoring and updates

The Smartcar API is constantly monitored to ensure uptime of the platform and all integrations. The platform’s live error reporting systems ensure that Smartcar engineers can quickly and effectively identify and resolve any potential issues. The platform’s zero-downtime deployment system allows for updates with uninterrupted service.

SOC compliance

Smartcar is SOC 2 Type 2 compliant. SOC 2 Type 2 is an independent audit report that details information and assurance about Smartcar’s controls. It evaluates Smartcar’s service commitments and system requirements against the applicable trust services criteria.

ISO compliance

Smartcar is ISO 27001 & ISO 27701 compliant, ensuring top-tier information security and privacy management. ISO/IEC 27001 sets the global benchmark for Information Security Management Systems, demonstrating our commitment to safeguarding data through established risk management practices. ISO/IEC 27701 further enhances our Privacy Information Management System for continuous privacy improvement.

GDPR compliance

Smartcar is compliant with the General Data Protection Regulation (GDPR), the digital privacy legislation that aims to give citizens of the European Union more control over their personal data. Over the past several years, the Smartcar team has built a secure, consent-based platform that processes only the necessary data to serve our customers.

Annual penetration testing

Smartcar undergoes annual penetration testing (pen test), designed to expose flaws in our security controls and check for potential vulnerabilities that could be exploited in a cyberattack. Our penetration test follows best practices: exhaustively scoping Smartcar’s services with a third-party testing team, documenting the surface area for testing, conducting the assessment, and remediating any findings.

Vulnerability Disclosure Program

As part of Smartcar’s commitment to data privacy, we’ve established a comprehensive Vulnerability Disclosure Program, which ensures a proactive approach to finding and eliminating evolving security threats. Smartcar lists the in-scope target endpoints open for testing to give ethical hackers and security researchers a clear framework to start from.

Smartcar’s commitment to data privacy

Smartcar’s developer platform allows apps to access car data with the vehicle owner’s consent. Smartcar is not an automotive data marketplace and does not engage in buying or selling identifiable or anonymized vehicle data.

Smartcar does not retain vehicle data or build historical vehicle records. When a new data point is retrieved, it replaces any previously cached value; cached values are held only temporarily, for network efficiency. Any vehicle data not actively used by an application is promptly purged, ensuring both privacy and data security.

Data ownership

When using Smartcar to connect their cars to an app, vehicle owners are in full control of their data. No vehicle data will be accessed by or shared with any third party without the vehicle owner’s explicit consent.

Vehicle owner consent

Smartcar uses an OAuth 2.0-based user consent flow that requires vehicle owners to review and accept detailed permissions before an app can make API requests to their vehicles. Vehicle owners can revoke their consent at any time.