Data has become essential for the business of automotive companies because it drives innovation, efficiency, and customer satisfaction across the entire vehicle lifecycle. Customer-related information, such as purchase histories, usage patterns from connected cars, and preferences captured via apps or dealer interactions, is used to personalize services, plan maintenance, and design new features, and it therefore includes sensitive personal data. At the same time, detailed product data about parts, software, and services in and around the vehicle underpins functions like predictive maintenance, remote diagnostics, and over-the-air updates. As the automotive value chain typically spans multiple companies – for example, original equipment manufacturers (OEMs), suppliers, dealerships, mobility providers, insurers, and software vendors – these partners must exchange both customer and product data securely across company boundaries to enable services such as warranty handling, fleet management, or pay-per-use features while protecting confidentiality, integrity, and privacy. The automotive industry is also rapidly transforming through the use of data and artificial intelligence (AI), but this innovation is unfolding within an increasingly complex and evolving regulatory landscape, influenced by initiatives such as the EU Data Act (see the following blog) on access to vehicle-generated data and the NIS2 Directive on strengthened cybersecurity obligations. Many of these regulatory changes remain largely invisible to customers, yet they significantly affect how automotive companies design, deploy, and manage AI-driven systems, making it crucial to use appropriate certifications and governance frameworks to ensure compliance, build trust, and demonstrate leadership in the responsible use of data and AI.
1. ISO/IEC 27001 – Information Security Management
ISO/IEC 27001 focuses on managing and protecting sensitive company information through a risk-based approach and defined controls. This certification indicates that an Information Security Management System (ISMS) has been implemented in accordance with the requirements of the ISO 27001 standard. Its main purpose is to lay a foundation for safeguarding information assets. Applications include all data along the value chain of products, such as designs, intellectual property, production data, or customer information. Certification demonstrates to regulators, partners, and customers that the company’s information security practices meet globally recognized standards, forming a basis for other automotive-specific requirements and industry trust.
The certifications ISO/IEC 27701, ISO/IEC 27017, and ISO/IEC 27018 are specialized extensions that address privacy and cloud security concerns, which are increasingly relevant as automotive companies move toward connected vehicles, cloud-based data processing, and compliance with global data protection regulations.
As of the time of writing, Databricks is ISO/IEC 27001 certified.
2. ISO/IEC 42001 – Artificial Intelligence Management System
The ISO/IEC 42001 certificate for the Artificial Intelligence Management System (AIMS) provides a framework for the responsible use, governance, and risk management of artificial intelligence, which is now foundational to vehicle technology and operations. It is designed to integrate with established automotive standards and helps automotive manufacturers proactively identify and address AI-specific risks. Furthermore, it demonstrates compliance with evolving global regulations, such as the EU AI Act.
As of the time of writing, Databricks has not yet completed independent certification against ISO/IEC 42001. However, this reflects timing and certification prioritization rather than a lack of maturity. Databricks has established a comprehensive AI Security Framework (DASF), has been a major contributor to leading standards bodies such as NIST and FAIR, and has been consulted as part of the EU AI Act. Databricks’ approach to AI security and responsible AI is fully documented on the Databricks Trust Center. In short, our practices are well aligned with the principles of ISO/IEC 42001, and formal certification is planned, with current customer demand driving the sequencing of certifications.
3. ISO 26262 – Functional Safety for Road Vehicles
ISO 26262 is the standard for functional safety of electrical and electronic systems in road vehicles. For companies developing autonomous driving systems or AI-assisted safety features, this certification ensures compliance with rigorous safety requirements.
Databricks is a Data and AI platform and does not directly develop products for functional safety. Therefore, Databricks is not ISO 26262 certified.
4. SOC – Data Protection and Privacy
With connected vehicles and cloud-based services, data protection is vital. SOC is crucial for automotive manufacturing because it establishes a strong framework for data security, availability, and privacy. It protects sensitive operational and customer information and therefore builds trust with clients and partners. It demonstrates independently verified controls and a strong commitment to data protection.
As of the time of writing, Databricks is SOC compliant.
As an extension of ISO/IEC 27001, ISO/IEC 27701 focuses on privacy management. It is important for automotive manufacturing because it provides a formal privacy framework that helps manufacturers manage and protect the growing volumes of personal information processed by connected vehicles and digital systems. By implementing this standard, automotive companies can ensure compliance with global data privacy regulations, minimize breach risks, and embed strong privacy practices into business operations. This, in turn, builds trust with consumers, partners, and regulators. Ultimately, the certification demonstrates a clear commitment to responsible data handling in a rapidly evolving, technology-driven industry.
As of the time of writing, Databricks is ISO/IEC 27701:2019 certified.
Adopted by many regions, UNECE WP.29 mandates that automotive manufacturers implement certified cybersecurity and software update management systems. This means OEMs must take responsibility not only for vehicle design security but also for maintaining cybersecurity and providing secure updates after the vehicles are sold. Compliance is critical for market access in over 50 countries. Note that OEMs need to ensure cybersecurity for both in-house and supplier-provided software, which impacts procurement and development practices. Compliance ensures that AI-enabled vehicles are resilient against cyber threats and can be securely updated throughout their lifecycle.
Databricks is a Data and AI platform, whereas this certification is more relevant for automotive OEMs. Therefore, Databricks is not certified under UNECE WP.29.
PCI-DSS certification is crucial for automotive manufacturing companies that process, transmit, or store payment card data, such as through vehicle infotainment systems or direct-to-consumer transactions involving credit cards. One example of in-car payment systems is the ability to enable customers to fuel at service stations directly from their car using credit or debit cards.
As of the time of writing, Databricks is audited against PCI DSS 4.0 at the Level 1 service provider tier, and offers PCI-compliant deployment options across AWS, Azure, and Google Cloud.
Databricks continues to meet region- and industry-specific requirements. Notably, Databricks has recently achieved TISAX certification for deployments on AWS and Google Cloud Platform, with Microsoft Azure to follow. TISAX (Trusted Information Security Assessment Exchange) is an information security assessment and exchange mechanism developed by the German automotive industry to ensure a consistent, high level of protection for sensitive data across suppliers and partners. It is particularly important for organizations handling automotive intellectual property, personal data, and prototype or production-related information, and is often a prerequisite for working with major automotive manufacturers. While TISAX is region-specific, it remains highly relevant given the concentration of global automotive OEMs in Germany. This highlights the breadth and complexity of the compliance landscape Databricks operates in: alongside global, cross-industry standards, we also address rigorous regional and sector-specific frameworks, without diminishing our overall security, governance, or risk management posture.
Final Thoughts
Data protection and security are critical in automotive manufacturing because the industry’s value chain is extensive, involving numerous suppliers, partners, software developers, and service providers who exchange vast amounts of sensitive data. Each stage – from design and prototyping to production, logistics, and after-sales – relies on connected systems and data sharing, making the entire network vulnerable to cyberattacks and data breaches. Protecting intellectual property, supply chain data, and vehicle software ensures operational continuity, prevents financial losses, and upholds consumer trust. Effective data security also helps manufacturers comply with regulations and safeguard emerging technologies such as autonomous driving and connected services, which depend on the integrity and confidentiality of shared information.
Databricks maintains extensive certifications and provides a self-service due diligence package, which includes key documents such as ISO certifications and SOC 2 reports. For a single destination covering architecture, security features, best practices, compliance and privacy resources, visit the Security & Trust Center.
We also recommend checking the following white paper on GxP.