Security

How Alpha Analytics s.r.o. protects the data entrusted to the Carsdata.com platform — our controls, hosting and practices.

Last updated: 9 June 2026

Our approach to security

Carsdata operates as data infrastructure for the European automotive market, and the confidentiality, integrity and availability of the data entrusted to us is fundamental to that role. We take a defence-in-depth approach: security is built into how we design, build and operate the platform, rather than added afterwards. This page summarises the technical and organisational measures we maintain. It is provided for transparency and does not form part of any contract; specific commitments are set out in the relevant service agreement and Data Processing Agreement.

Governance and compliance

Our security programme is designed around the controls and Trust Services Criteria set out in internationally recognised frameworks — including ISO/IEC 27001 and SOC 2 — and we continually assess and improve our practices against them. We process personal data in accordance with the GDPR, and our processing on behalf of customers is governed by our Data Processing Agreement.

Security is owned at management level, supported by documented policies covering acceptable use, access control, data classification, change management, vendor management and incident response. Policies are reviewed periodically and after any significant change to our environment.

Data hosting and infrastructure

The platform runs on the infrastructure of established cloud providers that operate certified, physically secured data centres. Personal data is primarily hosted within the European Union / European Economic Area. Our infrastructure is logically segregated, deployed across resilient availability zones, and managed through infrastructure-as-code so that environments are consistent, reviewable and reproducible.

Encryption

Data in transit is encrypted using TLS over public networks. Data at rest is encrypted using strong, industry-standard algorithms. Encryption keys are managed through our cloud providers’ key management services, with access restricted to authorised systems and personnel.

Access control

Access to systems and data follows the principles of least privilege and need-to-know. Administrative access requires multi-factor authentication, is granted on a role basis, is logged, and is reviewed periodically and revoked promptly when no longer required. Where supported, customer access to the platform can be federated through single sign-on.

Network and application security

Our network is protected by firewalls, security groups and segmentation that restrict traffic to what is necessary. Applications are protected against common web vulnerabilities through secure design, input validation and hardened configurations, and public endpoints are fronted by protections against volumetric and application-layer attacks.

Secure development lifecycle

Changes to the platform go through version control, peer code review and automated testing before release. We use automated dependency and vulnerability scanning in our pipelines, separate development, staging and production environments, and follow a controlled change-management process so that releases are traceable and reversible.

Monitoring, logging and detection

We collect application, infrastructure and access logs centrally and monitor for anomalous activity and availability issues. Alerts route to the responsible team so that potential issues can be investigated and addressed promptly.

Vulnerability management and testing

We regularly scan our systems and dependencies for known vulnerabilities and remediate them on a risk-prioritised basis. We engage qualified third parties to perform periodic penetration testing and address findings according to their severity.

Backups and business continuity

Data is backed up regularly, with backups encrypted and stored separately from primary systems. We maintain business continuity and disaster recovery plans with defined recovery objectives, and we test our ability to restore service so that we can recover from disruption with minimal impact.

Personnel security

Personnel are bound by confidentiality obligations and receive security and data protection training appropriate to their role, both at onboarding and on an ongoing basis. Access to production data is limited to those who require it for their work and is removed when they change role or leave.

Sub-processors and vendor management

We engage a limited number of carefully selected sub-processors — primarily cloud infrastructure and storage providers — to deliver the Services. We assess the security posture of our vendors, bind them by appropriate contractual data protection and security obligations, and maintain an up-to-date list of sub-processors as referenced in our Data Processing Agreement.

Incident response

We maintain a documented incident response process covering detection, triage, containment, eradication, recovery and post-incident review. In the event of a personal data breach affecting customer data, we notify affected customers without undue delay and support them in meeting their own notification obligations, in line with the GDPR and our Data Processing Agreement.

Data protection and privacy

Security and privacy are handled together. We apply data-minimisation and purpose-limitation principles, process personal data in accordance with the GDPR, and govern processing carried out on behalf of customers through our Data Processing Agreement. For details of how we handle personal data, see our Privacy Policy.

Reporting a vulnerability

We welcome reports from security researchers and users. If you believe you have found a security vulnerability in Carsdata.com, please contact us at info@carsdata.com with enough detail to reproduce the issue. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure, and that you avoid accessing or modifying data that is not your own. We will acknowledge your report and keep you informed of our progress.

Company details
Alpha Analytics s.r.o.
Registered office
Gustav Mahlerplein 2
1082 MA Amsterdam
Netherlands
Company ID (IČO)
228 01 154
Commercial register
Krajský soud v Ústí nad Labem
File No. C 32406

Questions about this document? Email us at info@carsdata.com.