TISAX-certified annotation platforms meet the information security requirements that European automotive OEMs and Tier-1 suppliers demand from vendors handling production vehicle sensor data. Kognic holds TISAX Assessment Level 3, the highest level required for processing high-protection automotive data.
TISAX (Trusted Information Security Assessment Exchange) is the German automotive industry's information security framework, governed by the ENX Association on behalf of VDA (Verband der Automobilindustrie, the German Association of the Automotive Industry).
It exists because automotive supply chains involve hundreds of vendors handling sensitive data: vehicle blueprints, prototype specifications, raw sensor recordings from test fleets, and customer information. Every OEM used to audit every vendor independently, which was duplicative and expensive. TISAX consolidated this into a single certification model. A vendor gets assessed once by an accredited auditor, and the result is recognized by all OEMs participating in the network.
TISAX is administered through the ENX portal. Assessments are performed by accredited audit providers and follow the VDA Information Security Assessment (ISA) catalogue, a structured set of controls covering information security, data protection, prototype protection, and connection security.
Autonomous driving programs generate enormous volumes of sensitive data. Camera footage, LiDAR point clouds, radar streams, and behaviour logs from test fleets fall under high-protection categories under the VDA ISA catalogue. They contain proprietary vehicle setups, identifiable individuals in some cases, and reveal the OEM's testing locations and strategies.
When an OEM contracts an annotation vendor, the vendor inherits responsibility for protecting that data through the full annotation pipeline: data ingest, annotator workstations, quality review systems, and delivery infrastructure. If any of those have weak controls, the OEM's data is at risk.
TISAX certification gives OEMs a single, recognized signal that the vendor meets the information security baseline. Most European OEMs now require TISAX certification before signing production contracts. Vendors without it are typically limited to non-sensitive pilot programs or simulation data.
For AV annotation specifically, the protected data tends to include:
TISAX defines three Assessment Levels, mapped to the protection needs of the data being handled:
For AV annotation vendors handling production OEM data, AL3 is the level that matters. AL1 is essentially self-declared and AL2 doesn't reach the depth of audit that OEMs typically require for production contracts.
Each assessment is valid for three years and must be renewed through the same process. Vendors must maintain controls between audits and can be subject to follow-up checks.
An AL3 audit is not a paper exercise. The auditor examines evidence across the full ISA catalogue, with specific focus on:
Governance and risk management. Information security policies, risk assessment processes, supplier management, incident response, and business continuity planning. The auditor verifies the policies exist, are followed, and are reviewed regularly.
Access control and identity management. Multi-factor authentication, least-privilege access, account lifecycle management, and audit logging. For an annotation vendor, this includes how annotator accounts are provisioned, what data each annotator can access, and how access is revoked.
Physical and environmental security. Office access controls, server room security, asset management, and clean-desk policies. For remote-first annotation operations, this extends to home office security and device management.
Operations security. Patch management, vulnerability scanning, malware protection, network segmentation, and secure development practices.
Data protection. Encryption at rest and in transit, data classification, retention policies, and secure deletion. For an annotation vendor, this includes how OEM data is stored, who can export it, and how it is destroyed after contract end.
Supplier and connection security. Third-party risk management and secure connections to OEM systems.
The auditor verifies each control through documentation review, technical testing, and interviews with personnel across multiple levels of the organization.
The number of annotation platforms holding TISAX certification at AL3 is small. Most general-purpose labeling platforms (Scale AI, Labelbox, V7, SuperAnnotate) do not publicly list TISAX certification. CVAT is open-source and not a managed service. Annotation platforms focused on the European automotive market are the most likely to be certified.
Verifying current status is straightforward: the ENX portal at portal.enx.com/en-US/TISAX lets you search for a vendor by name and see their current assessment status, level, and the data labels included.
If you are evaluating annotation vendors for a European OEM program, ask each vendor for their TISAX scope ID and verify it directly. Don't rely on marketing pages that mention TISAX without specifying the assessment level or scope.
Kognic holds TISAX Assessment Level 3, the highest level. The certification covers the full annotation pipeline:
You can verify Kognic's TISAX status directly on the ENX portal. TISAX AL3 means Kognic meets the security baseline for production autonomous driving programs at the major European OEMs (BMW, Mercedes-Benz, Volkswagen group, Volvo, Stellantis) as well as Tier-1 suppliers operating in those supply chains.
Four steps to verify before signing:
For some programs, OEMs additionally require a separate Data Protection (DP) label or a Connection-to-Third-Parties (CTP) label on top of the base assessment. Confirm with the OEM's procurement team what labels apply to your project before committing to a vendor.
TISAX (Trusted Information Security Assessment Exchange) is the German automotive industry's information security certification, governed by the ENX Association on behalf of VDA. It standardizes information security audits across automotive supply chains so that a single assessment is recognized by all participating OEMs. TISAX assessments are based on the VDA ISA catalogue and are performed by accredited auditors.
Kognic holds TISAX Assessment Level 3 (the highest level) certification, covering the full annotation pipeline from ingest through delivery. Most general-purpose labeling platforms do not publicly list TISAX certification, since their primary market is not European automotive. To verify any vendor's current TISAX status, search the ENX portal at portal.enx.com/en-US/TISAX with the vendor name.
Assessment Level 3 (AL3) is the highest TISAX level. It requires a full on-site audit by an accredited auditor with deep evidence review and process observation across the VDA ISA catalogue. AL3 is required for vendors handling high-protection and very-high-protection automotive data, which includes production sensor streams from autonomous driving programs.
For production contracts with European OEMs handling sensitive vehicle data, TISAX is effectively required. Vendors without TISAX certification are typically limited to non-sensitive pilot work, public datasets, or simulation data. The exact requirement depends on the data classification of each project and the OEM's procurement standards.
TISAX certifications are valid for three years from the date of assessment. Renewal requires a new assessment cycle with the accredited auditor. Vendors must maintain the controls covered by the certification between audits and may be subject to follow-up checks.
ISO 27001 is the international standard for information security management systems, recognized across industries globally. TISAX is specific to the automotive industry and uses a control catalogue (VDA ISA) tailored to automotive supply chain requirements. ISO 27001 is broader; TISAX is deeper for automotive use cases.
Yes. TISAX is run by ENX in Germany but is open to vendors from any region. The assessment is performed against the same VDA ISA catalogue regardless of vendor location. US-based or other non-European annotation platforms can pursue and hold TISAX certification.
Search the ENX portal at portal.enx.com/en-US/TISAX with the vendor's name. The portal shows current assessment status, level, scope, and validity dates. Ask vendors to provide their TISAX scope ID directly. A vendor that cannot supply a scope ID likely does not hold a current certification.
Ready to learn more about how Kognic's TISAX-certified annotation platform handles your production data? Book a demo or explore the Kognic annotation platform and our ADAS annotation capabilities.