PRIVACY COMMITMENT AND POLICY
Our Commitment to Global Data Privacy Compliance
Executive Management Accountability
alertdriving has designated a senior management executive to oversee the company's compliance with Global Data Privacy and Information Security Principles. If you have questions or concerns regarding your privacy or Personal Information, you may contact us at the address listed below:
Chief Privacy Officer
North America: 1-877-867-6642
Email: firstname.lastname@example.org 1
2 Concorde Place, Suite 800
Toronto, Ontario, M3C 3R8
alertdriving's Privacy Principles
Purpose for Personal Information Collection
Our Global Data Privacy and Information Security Principles define how alertdriving collects, uses, discloses and protects personally identifiable information. We will only collect, use and disclose the information that we need in order to adhere to our service level agreement with your employer to provide the following services:
Driver Safety Training;
Driver risk profiles (if applicable).
Obtaining ConsentWe will only collect, use, disclose and retain your Personal Information after obtaining your consent through our website or through your employer, except where otherwise permitted or required by law. If the purpose for which information was collected changes, we will obtain additional consent from you prior to further processing. You may choose not to provide us with any of your Personal Information; however, if you make this choice we may not be able to provide you with the product, service or information intended for you.
Withdrawal of ConsentSubject to reasonable notice, you may withdraw your consent at any time, unless the Personal Information is necessary for us to fulfill our legal requirements and similar obligations. To withdraw consent, simply contact us in writing and advise us of what Personal Information you no longer wish us to use.
With your consent, we may collect several different categories of information from you.
What data do we collect?
The type of information we usually collect and maintain may include your:
If your employer uses our platform to retrieve Motor Vehicle Record (MVR) Checks, we may also collect and maintain your:
Driver's License Number and State
Date of Birth
Our application uses "cookies". A cookie is a piece of data stored on a site visitor's hard drive to help us improve your access to our sites and identify repeat visitors to our sites. Cookies can also enable us to track the interests of our users to enhance the experience on our sites. We use strictly necessary cookies for session-based authentication to reference information about the user of our sites. Usage of our cookies is in no way linked to any personally identifiable information on our sites. Our websites do not use any targeting or advertising cookies.
We respect your privacy, you can choose not to allow some types of cookies. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.
How do we collect it?
We may collect Personal Information from you through our direct pre-sales marketing efforts, our websites or from your Employer or its agents.
Where do we keep it?
We store all client data on hardware physically separated from the application with no direct Internet connectivity, and located in a separate, secure environment accessible only to authorized personnel. Our data centers are geographically redundant and located across Southern Ontario, Canada. Additionally, all PII for Russian citizens currently in Russia are also processed primarily and retained in a data center located in the Russian Federation, in compliance with the Russian data protection law.
Disclosure of Information
To whom is information disclosed or shared?
Your information may be disclosed to, or shared with the following entities:
Specially designated employees of your Employer ("Fleet Administrators"), who need access in order to fulfill their job functions. To find out who your designated Fleet Administrator is, you may send an email to email@example.com.
Our Channel Partners, if your Employer is a customer of theirs who resell our solution and services to your Employer.
All third party relationships are required to implement appropriate technical, physical, and administrative safeguards for Personal Information. alertdriving will never share your information with any third party for marketing purposes.
Who has access to or uses it?
All third party relationships are required to implement appropriate technical, physical, and administrative safeguards for Personal Information. alertdriving has entered into a written agreement with each sub-processor containing data protection obligations not less protective than those in the agreement with your employer, with respect to the protection of your data to the extent applicable to the nature of the services provided by such sub-processor.
Lawfully Limiting Personal Information
We will limit the collection of your Personal Information to only those details that are necessary for the purposes identified. Your Personal Information will only be used or disclosed for the purpose for which it was collected, unless you have otherwise consented, or when it is required or permitted by law. We will only retain your Personal Information for the period of time required to fulfill the purposes for which it was collected.
Accuracy of Information
We will keep Personal Information we collect as accurate, complete and up-to-date as necessary to fulfill the purposes for which it was collected.
We have taken strong measures to ensure the security and confidentiality of your Personal Information. It is also important that you take all necessary precautions as well to help keep your Personal Information safe and secure at all times.
Client information is housed in ISO27001 certified datacentre facilities that are regularly audited in accordance with SSAE-18, SSAE-16, ISAE-3402, AND CSAE-3416. This ensures controls for security of information, human resources, and physical assets, among others, are properly designed and operating as expected. It will be maintained during the agreement duration. Controls are implemented to provide reasonable assurance that access to Data center facilities, computer equipment, media, storage areas and documentation is restricted to authorized personnel, and measures are in place and maintained for protection of computer equipment from environmental hazards.
alertdriving takes the following measures to ensure the physical safeguarding of your Personal Information.
Physical Access Restrictions
Our data centers employ on-premise 24X7 security guards. Security systems on the building exterior include cameras with digital recorders, false entrances, vehicle blockades, customized parking lot designs, bulletproof glass/walls and unmarked buildings. Portals and person-traps are in place to authenticate only one person at a time.
Personnel Access Policies
Access is granted only to Network Operations Center and Specialized Operations team members carrying photo ID access cards. Biometric systems including retina scanners are used throughout the building.
Centralized HVAC systems allow proper heat dissipation at all times. Modern fire suppression methods, augmented by heat detection and dry-pipe sprinkler systems, detect smoke from the earliest stage of combustion. Seismic isolation equipment is installed to cushion facilities against earthquake movement.
High capacity, redundant diesel generators guarantee power availability. In addition, multiple uninterruptible power source (UPS) systems are installed to eliminate fluctuations and to provide clean, continuous power.
alertdriving takes the following measures to ensure the safeguarding of your Personal Information within the application itself.
Our application utilizes separate and distinct Production, Database, Staging and Development environments. These environments communicate with restricted access control. Console access to the development server is limited to developers and root access is limited to system administrators. Login credentials are required to read and/or modify source code. Physical access to servers is limited only to authorized employees. Client data is not available for application development unless it has been appropriately sanitized.
Protocols and Encryptions
Data transmission between the system and the administrative users [and any other users transmitting Personally Identifiable Information] is done over a secure TLS connection. Strong cryptography and encryption techniques are used such as 256-bit (minimum 128-bit) Advanced Encryption Standard. alertdriving utilizes the Secure FTP data transfer protocol, along with optional PGP for all file transfers.
Security software and devices (firewalls, monitoring & logging, etc) are used to detect and prevent unauthorized access. Firewall rules are set to deny traffic with http/https as the only default open ports. Firewalls are configured in a hardened state, and formal change control processes are in place for all firewall configuration changes.
Access credentials at rest are stored in a database server that is behind a router and is only accessible from alertdriving's application server. The transmission of access credentials between the system and all users occurs over a secure TLS connection. Strong cryptography and encryption techniques are used - 256-bit TLS (minimum 128-bit) Advanced Encryption Standard.
Each user will be required to change their initial system generated password at time of first login. All passwords must contain at least eight characters, and contain numeric, uppercase and lowercase English alphabetic characters. The password should not contain the user's account name (case-insensitive). Software that controls password changes ensures that all passwords conform to security standards. All passwords are set to expire in 90 days. A system is in place that allows password resets. User credentials are stored in a database housed offline with no direct connectivity to the public Internet. Passwords are encrypted when stored at rest in the database and are never communicated via email, with the exception of system-generated passwords.
alertdriving employees are required to return all information stored on laptops and other portable devices or media, files, records, work papers, etc. prior to their departure. Employees are required to surrender all keys, IDs, access codes and badges which permit access to the premises or to Personal Information. Employee's remote electronic access is disabled, including his/her voicemail access and email access. All passwords are disabled immediately.
Fault Tolerance and Disaster Recovery
alertdriving takes the following measures to ensure your data is accessible by you at all times.
Our Data Centre Network Infrastructure is both redundant and fault tolerant. All routers, switches, and firewall devices are redundant with failover. The high performance network infrastructure provides high availability with multiple connections to all major Internet backbones.
A formal, documented, executive management approved disaster recovery plan is in place. In the event of a disaster at the primary data centre, traffic is re-routed to the recovery data centre where data is being continuously replicated at block level. Our recovery targets include a 15-minute RPO (Recovery Point Objective) and a 2-hour RTO (Recovery Time Objective).
Data Retention and Disposal
We will only retain your Personal Information for the period of time required to fulfill the purposes for which it was collected, or as required by law. We may store your data in magnetic media (hard disks, tapes) in our secure data centre locations with appropriate safeguards. We will erase your data from the magnetic media, prior to disposal via secure means in a confidential manner.
Processing Individual Access Requests
Upon written request, you may access and verify your Personal Information and find out to whom we have disclosed it. At the time of your request, we will need specific information from you to verify your identity, before we can provide you with the Personal Information we hold. In addition, you must provide sufficient information in your request to allow us to identify the information you are seeking.
If you are a registered user, you can review the Driver Training Information that we have at any time by logging in to your account on the alertdriving website and navigating to the "My Activities Homepage" page.
Updating Personal Information
If your Personal Information changes, or if you no longer wish to use our service, you may contact your company's designated Fleet Administrators, who can correct, update or remove any personal data through our Application's Administrative Suite.
Communicating Breach Notification
We will notify your employer in any event of privacy breach in accordance with the severity mentioned in our service level agreement.
Third Party Privacy Audits
alertdriving conducts regular third party data security audits of its applications and infrastructure using leading information security service organizations. To date, no significant violations have been identified and the architecture has been categorized as being very secure and resilient against attack.
Complaint Response and Resolution
If you have questions or concerns regarding your privacy or Personal Information, we will take appropriate amending measures to resolve the situation if required, and inform you about the process.
We will respond within 30 days to any questions or concerns regarding your privacy or Personal Information. We will take appropriate amending measures to resolve the situation if required and inform you about the process.