We take a minute to break down the steps that Recurrent, and our API partner Smartcar, use to ensure that your car is safe.
Sometimes we get questions about the security and protection of your personal data once you sign up for monthly reports with Recurrent. We take a minute to break down the steps that Recurrent, and our API partner Smartcar, use to ensure that your car is safe.
First off, Recurrent itself does not store your vehicle credentials or have access to your vehicle in any way. We establish a connection to your vehicle through Smartcar. Their service creates secure "Access" and "Refresh" tokens which grant access only to specific data from your car: odometer, battery state of charge, current range estimate, and whether or not you are currently charging. In addition to these tokens, Recurrent also stores your email address, the zip code you entered when registered, anonymized data from your car, and your VIN. You can read more here.
Recurrent uses industry standard best practices to ensure our systems and data are secure. In the unlikely event that Recurrent were compromised, a hacker would need to not just grab the Smartcar tokens for each of the vehicles, but also the decryption key that we use to prove that Recurrent is the one requesting the data. They'd then have to use said key with Smartcar's API - and even if they got that far, they'd only have access to the data points we currently pull, and would not be able to do things like lock the vehicle or remotely turn on the car's ignition. Additionally, the decryption key and all access tokens can be remotely invalidated by either Recurrent or Smartcar at any time to halt further access.
In order for a hacker to get tokens with full access to more vehicle features, they would need to compromise Smartcar itself. Unlike many third party apps, Smartcar is SOC 2 Type 2 compliant, and regularly gets external security audits to make sure we're as secure as possible. You can take a look at their data security policy here: https://smartcar.com/data-security/