CarGurus takes security seriously

Here are our practices.

We employ rigorous security measures at the organisational, architectural and operational levels to protect our applications, our infrastructure and the data of our customers and website visitors. At CarGurus, we actively promote security awareness, provide training on data protection and implement best practices so that security principles and data privacy are at the forefront for our employees. CarGurus considers information security principles when designing our platform, managing our networks and conducting our daily business operations.

Governance

CarGurus has implemented formal data privacy, information security and acceptable use policies that govern employee activities. We train our employees on these policies during onboarding and regularly thereafter. In addition, we rely on our Information Security and IT teams to enforce policies through the implementation of technical controls.

Risk management

CarGurus performs regular information security risk assessments covering our facilities, systems and information assets. We share risk assessment results and risk mitigation suggestions with senior management, as appropriate. Our risk assessment results specify proposed changes to systems, processes, policies and tools to reduce security vulnerabilities and threats to CarGurus, its customers and its website visitors. We mitigate risks through the implementation of policies, procedures and controls.

Vendor security management

CarGurus conducts and records vendor security assessments for its service providers. Vendors are approved or rejected based on their relative security posture and the risk they would introduce for CarGurus.

Security operations

CarGurus uses identity and access management controls to provide access to our systems through user accounts with appropriate privileges. CarGurus provisions all critical network and application access using the principle of least privilege. We limit key administrative access to authorised personnel. Provisioning and deprovisioning procedures exist to document the relevant access levels and approvals granted to critical systems and data. We conduct periodic access reviews for critical systems and applications using a risk-based approach.

CarGurus uses a vulnerability management program to identify and remediate vulnerabilities across our networks, reducing exposure and minimising our attack surface. We also conduct 24/7 monitoring of our critical systems.

Access control

CarGurus uses identity and access management controls to provide access to our systems through user accounts with appropriate privileges. CarGurus provisions all critical network and application access using the principle of least privilege. We limit key administrative access to authorised personnel. Provisioning and deprovisioning procedures exist to document the relevant access levels and approvals granted to critical systems and data. We conduct periodic access reviews for critical systems and applications using a risk-based approach.

CarGurus uses an identity management single sign-on platform provider for our critical business applications. We assign users unique IDs and enforce password requirements that align, at a minimum, with NIST standards. Our identity management platform enforces CarGurus’ password policy and requires multifactor authentication.

Physical security

The CarGurus platform is hosted in the cloud and in state-of-the-art data centres. The co-located data centres provide physical and environmental security controls (including biometric identification, supervised entry, 24/7/365 on-premises security teams and CCTV systems). Access to data centres is restricted to authorised individuals. Our data centre facilities maintain SOC 2 reports, which describe and test the internal controls of the service organisation.

Data privacy and protection

CarGurus takes the protection of personal data seriously. Databases are gated by role-based access controls, and multi-factor authentication is enforced on log-in. CarGurus employs recognised encryption protocols for data in transit and at rest.

CarGurus recognises and adheres to data privacy laws and regulations, including the EU’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA) and the PCI Data Security Standard. The GDPR and CCPA impose obligations regarding the collecting, processing and transmission of personal data. CarGurus has implemented controls across our organisation so that we can better achieve and maintain compliance with these fr ameworks. For more information about our data privacy practices, please visit CarGurus’ Privacy Statement [link to the country- and language-specific Privacy Statement].

Security awareness

CarGurus delivers security awareness and data privacy training to employees during the onboarding process and regularly thereafter. Additionally, our Information Security team frequently publicises alerts and security tips through internal communications channels.

Availability

CarGurus maintains documented backup procedures. CarGurus regularly performs full backups of all production databases. Data backups are replicated to an offsite location on a regular schedule.

Application security

CarGurus employs both internal and external testing of our platform. We’ve also partnered with a third-party platform to host our bug bounty program, enabling security researchers to securely report vulnerabilities and bugs in CarGurus platforms and systems. In addition, we’ve engaged a security expert to conduct external network and web application penetration testing on a periodic basis. CarGurus applies a systematic approach to managing change so that changes to services impacting CarGurus and our customers are first reviewed, tested and approved. The goal of CarGurus’ change management process is to prevent unintended changes from reaching our production environment. All critical changes deployed to production undergo a review, testing and approval process before release.