SOC 2 Type II Certified

Trust Center

CarsXE is committed to protecting your data with industry-leading security practices. Our SOC 2 Type II certification validates our dedication to security, availability, and confidentiality.

SOC 2 Type II: Clean Opinion
ISO 27001: In Progress

SOC 2 Type II Certified

Audited by GreenHat Assurance

Our SOC 2 Type II report covers Security, Availability, and Confidentiality trust service criteria, confirming that CarsXE maintains rigorous controls over an extended observation period.

Clean Opinion | Annual Audit | Trust Service Criteria

ISO 27001

In Progress

We are actively working toward ISO 27001 certification to further strengthen our information security management system.

Security at Every Layer

Our security program is built on multiple layers of protection, validated through independent third-party audits and continuous monitoring.

SOC 2 Type II

Independent audit by GreenHat Assurance confirming our controls over security, availability, and confidentiality trust service criteria.

99.9% Uptime SLA

Enterprise-grade availability backed by a contractual SLA, with service credits if availability falls below our commitment.

AES-256 Encryption at Rest

All stored data is encrypted using AES-256 encryption, the same standard used by financial institutions and government agencies.

TLS 1.3 In Transit

All API communications are encrypted with TLS 1.3, ensuring data integrity and confidentiality during transmission.

Continuous Monitoring

24/7 automated monitoring with real-time alerting, anomaly detection, and incident response procedures.

Access Controls

Role-based access controls, multi-factor authentication, and least-privilege principles enforced across all systems.

Security Controls

Our comprehensive security program encompasses 75 controls across five domains, independently verified through our SOC 2 audit.

  • Architecture Diagram
  • Platform Availability Monitoring
  • Platform Availability Alerts
  • Platform Availability Architecture
  • Recovery Plan Testing
  • Data Subject Request Processing
  • Cloud Security Posture Management
  • Vulnerability Management
  • Vendor Inventory

SOC 2 Type II Certification

Our SOC 2 Type II report, issued by GreenHat Assurance, provides independent verification that CarsXE's information security practices, policies, procedures, and operations meet the SOC 2 standards for security, availability, and confidentiality.

What is SOC 2?

SOC 2 (Service Organization Control 2) is a framework developed by the AICPA that defines criteria for managing customer data based on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.

Why Type II?

Unlike Type I, which evaluates controls at a single point in time, Type II assesses the operational effectiveness of those controls over an extended observation period — typically 6 to 12 months — providing a higher level of assurance.

Independent Auditor

GreenHat Assurance, our independent auditor, has issued a clean opinion confirming that our controls are suitably designed and operating effectively throughout the audit period.

Uptime & Reliability

We understand that your business depends on reliable access to vehicle data. That's why we commit to a 99.9% uptime SLA, backed by our robust infrastructure and proactive monitoring.

99.9% Uptime Guarantee

Our contractual SLA guarantees 99.9% availability, and we offer service credits if we fall below this commitment.

Redundant Infrastructure

Multi-region deployment with automatic failover ensures your API requests are served even during infrastructure events.

Real-Time Status

Monitor our current system status and historical uptime at any time through our public status page.

Data Encryption Standards

We employ defense-in-depth encryption strategies to protect your data at every stage — whether at rest in our databases or in transit across the network.

Encryption at Rest

  • AES-256 encryption for all stored data
  • Encryption keys managed through cloud-native KMS
  • Automatic key rotation policies
  • Encrypted database backups

Encryption in Transit

  • TLS 1.3 enforced on all API endpoints
  • HSTS headers with long max-age
  • Certificate transparency monitoring
  • Forward secrecy enabled

Infrastructure & Operations

Our platform runs on enterprise-grade cloud infrastructure with multiple layers of security controls.

Cloud-Native Architecture

Built on Google Cloud Platform with multi-region redundancy, auto-scaling, and managed services.

Network Security

Web application firewall, DDoS protection, and network segmentation to isolate and protect critical services.

Vulnerability Management

Regular penetration testing, automated vulnerability scanning, and a responsible disclosure program.

Incident Response

Documented incident response procedures with defined escalation paths, communication plans, and post-incident reviews.

Resource Library

Access our compliance documentation and reports.

  • CarsXE - Letter of Engagement from Mycroft (PDF document, access on request)
  • CarsXE SOC 2 Type 2 Report - March 2026 (PDF document, access on request)

Download Our SOC 2 Type II Report

Request a copy of our full SOC 2 Type II report to review our security controls and audit findings in detail. Available to qualified businesses.

The SOC 2 report is shared under NDA. Our team will review your request and follow up directly.

Frequently Asked Questions

What does SOC 2 Type II mean for my data?

SOC 2 Type II certification means an independent auditor (GreenHat Assurance) has verified that CarsXE maintains effective security controls over an extended period. This provides assurance that your data is handled with the highest standards of security, availability, and confidentiality.

How often is the SOC 2 audit conducted?

We undergo SOC 2 Type II audits annually to ensure our controls remain effective and up-to-date with evolving security standards.

Can I see the full SOC 2 report?

Yes. Use the form on this page to request a copy of our SOC 2 Type II report. Due to the sensitive nature of the report, it is shared under NDA with qualified businesses.

What is your uptime SLA?

We offer a 99.9% uptime SLA. You can monitor our real-time and historical availability on our public status page. If we fall below our SLA commitment, eligible customers receive service credits.

How is my API key protected?

API keys are stored using industry-standard encryption, transmitted only over TLS-encrypted connections, and can be rotated at any time from your dashboard. We also support IP allowlisting for additional access control.

Where is CarsXE data hosted?

CarsXE infrastructure runs on Google Cloud Platform with data primarily hosted in the United States. We use multi-region redundancy to ensure high availability and disaster recovery capabilities.

How does CarsXE protect my data and ensure privacy?

We employ robust security measures including API key authentication, SSL/TLS encryption for data in transit, and strict access controls to ensure only authorized personnel can manage data. All Personally Identifiable Information (PII) is restricted and managed under a clear data governance policy.

Who can access my API or vehicle data on the CarsXE platform?

Access to your data is strictly controlled. Data is secured using API key authentication, and access is limited to your application, its authorized users, and the necessary backend systems. We do not share your data with third parties without your explicit consent.

Is CarsXE compliant with major data protection regulations?

Yes, CarsXE is committed to maintaining compliance with relevant global and regional data protection regulations to ensure the highest standards of security and privacy for our users. You can find more details in our Privacy Policy.