To outline AlertDriving’s Global Data Privacy and Information Security Principles by defining how AlertDriving collects, uses, discloses and protects personally identifiable information.
2.0. Executive Management Accountability
AlertDriving has designated a senior management executive to oversee the company's compliance with Global Data Privacy and Information Security Principles. If you have questions or concerns regarding your privacy or Personal Information, you may contact us at the address listed below:
Omar Amlani, CIPP/IT
Vice-President, IT Operations and Data Privacy
250 Ferrand Drive, Suite 301
Toronto, Ontario, M3C 3G8
3.0. Our Commitment to Global Data Privacy Compliance
AlertDriving is committed to complying with all applicable privacy laws across the globe. This commitment is vital to our continued success as a Software as a Service Provider and reflects our desire to conduct business in accordance with the highest legal and ethical standards.
To fulfill this commitment, we have adopted the Privacy Principles established by the Canadian PIPEDA (the Personal Information Protection and Electronic Documents Act), which was largely influenced by the EU Data Protection Directive. In addition, we have implemented formal, documented and management-approved security controls based on the ISO27002 guidelines.
AlertDriving’s offices and dual data centres are located exclusively in Ontario, Canada, where the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect on January 1st, 2004. AlertDriving’s compliance with the PIPEDA brings it into compliance with the requirements of the European Commission's directive on data privacy, in countries including but not limited to Germany, France, Spain, Denmark, Belgium, Netherlands, Italy and the UK.
4.0. AlertDriving’s Privacy Principles
We will only collect, use and disclose the information that we need in order to adhere to our service level agreement with your employer to provide the following services:
4.2. Consent Obtainment
We will only collect, use, disclose and retain your Personal Information after obtaining your consent through our website or through your employer, except where otherwise permitted or required by law. If the purpose for which it was collected changes, we will obtain additional consent from you prior to using, disclosing and retaining Personal Information that was previously obtained.
You may choose not to provide us with any of your Personal Information; however, if you make this choice we may not be able to provide you with the product, service or information intended for you.
4.2.1. Withdrawal of Consent
Subject to reasonable notice, you may withdraw your consent at any time, unless the Personal Information is necessary for us to fulfill our legal requirements and similar obligations. If you withdraw your consent, we will inform you of the implications of such withdrawal. To withdraw consent, simply contact us in writing and advise us of what Personal Information you no longer wish us to use.
Customers who no longer wish to receive AlertDriving’s FleetAlert Magazine may opt-out of receiving these communications by replying with ‘unsubscribe’ in the subject line.
4.3. Identifying Information
With your consent, we may collect several different categories of information from you.
4.3.1. What data do we collect?
The type of information we usually collect and maintain may include your:
If your employer uses our platform to retrieve Motor Vehicle Record (MVR) Checks, we may also collect and maintain your:
Some of our users may purchase training modules by making a credit card payment through our website. In this situation, we will request payment information from you on our secure order form. To buy from us, you must provide your name and financial information, including credit card number and expiration date. We use this information for billing purposes and for processing your orders and dispose of the information once the transaction is completed.
Our application uses "cookies". A cookie is a piece of data stored on a site visitor's hard drive to help us improve your access to our site and identify repeat visitors to our site. Cookies can also enable us to track and target the interests of our users to enhance the experience on our site. Usage of a cookie is in no way linked to any personally identifiable information on our site.
4.3.2. How do we collect it?
We may collect Personal Information from you through our website or from your Employer or their agents.
4.3.3. Where do we keep it?
We store all client data on hardware physically separated from the application with no direct Internet connectivity, and located in a separate, secure environment accessible only to authorized personnel. Our data centres are geographically redundant and located in the Greater Toronto Area of Ontario, Canada.
4.4. Disclosure of Information
4.4.1. To whom is information disclosed or shared?
Your information may be disclosed to, or shared with the following entities:
All third party relationships are required to implement appropriate technical, physical, and administrative safeguards for Personal Information.
AlertDriving will never share your information with any third party for marketing purposes.
4.4.2. Who has access to or uses it?
AlertDriving employees who require specific access to your information in order to fulfill customer service requests from you or your Employer will have access to your information.
4.5. Lawfully Limiting Personal Information
We will limit the collection of your Personal Information to only those details that are necessary for the purposes identified.
Your Personal Information will only be used or disclosed for the purpose for which it was collected, unless you have otherwise consented, or when it is required or permitted by law. We will only retain your Personal Information for the period of time required to fulfill the purposes for which it was collected.
4.6. Accuracy of Information
We will keep Personal Information we collect as accurate, complete and up-to-date as necessary to fulfill the purposes for which it was collected.
4.7. Data Protection
We have taken strong measures to ensure the security and confidentiality of your Personal Information. It is also important that you take all necessary precautions as well to help keep your Personal Information safe and secure at all times.
4.7.1. Physical Security
AlertDriving takes the following measures to ensure the physical safeguarding of your Personal Information.
22.214.171.124. Physical Access Restrictions
Our data centres employ on-premise 24X7 security guards. Security systems on the building exterior include cameras with digital recorders, false entrances, vehicle blockades, customized parking lot designs, bulletproof glass/walls and unmarked buildings. Portals and person-traps are in place that authenticate only one person at a time.
126.96.36.199. Personnel Access Policies
Access is granted only to Network Operations Center and Specialized Operations team members carrying photo ID access cards. Biometric systems including palm scanners are used throughout the building.
188.8.131.52. Environmental Protection
Centralized HVAC systems allow proper heat dissipation at all times. Modern fire suppression methods, augmented by heat detection and dry-pipe sprinkler systems, detect smoke from the earliest stage of combustion. Seismic isolation equipment is installed to cushion facilities against earthquake movement.
184.108.40.206. Redundant Power
High capacity, redundant diesel generators guarantee power availability. In addition, multiple uninterruptible power source (UPS) systems are installed to eliminate fluctuations and to provide clean, continuous power.
4.7.2. Data Security
AlertDriving takes the following measures to ensure the safeguarding of your Personal Information within the application itself.
220.127.116.11. Application Architecture
Our application utilizes separate and distinct Production, Database, Staging and Development environments. These environments communicate with restricted access control. Console access to the development server is limited to developers and root access is limited to system administrators. Login credentials are required to read and/or modify source code. Physical access to servers is limited only to authorized employees. Client data is not available for application development unless it has been appropriately sanitized.
18.104.22.168. Protocols and Encryptions
Data transmission between the system and the administrative users [and any other users transmitting Personally Identifiable Information] is done over a secure SSL connection. Strong cryptography and encryption techniques are used such as 256-bit (minimum 128-bit) Advanced Encryption Standard. AlertDriving utilizes the Secure FTP data transfer protocol, along with optional PGP for all file transfers.
22.214.171.124. Security Appliances
Security software and devices (firewalls, monitoring & logging, etc) are used to detect and prevent unauthorized access. Firewall rules are set to deny traffic with http/https as the only default open ports. Firewalls are configured in a hardened state, and formal change control processes are in place for all firewall configuration changes.
126.96.36.199.1. User Authentication
Access credentials at rest are stored in a database server that is behind a router and is only accessible from AlertDriving’s application server. The transmission of access credentials between the system and all users occurs over a secure SSL connection. Strong cryptography and encryption techniques are used – 256-bit SSL (minimum 128-bit) Advanced Encryption Standard.
188.8.131.52.2. Password Policies
Each user will be required to change their initial system generated password at time of first login. All passwords must contain at least eight characters, and contain numeric, uppercase and lowercase English alphabetic characters. The password should not contain the user’s account name (case-insensitive). Software that controls password changes ensures that all passwords conform to security standards. All passwords are set to expire in 90 days. A system is in place that allows password resets. The requestor must verify their unique employee ID and email address. User credentials are stored in a database housed offline with no direct connectivity to the public internet. Passwords are encrypted when stored at rest in the database and are never communicated via email, with the exception of system-generated passwords.
184.108.40.206. Employee Departure
AlertDriving employees are required to leave behind all information stored on laptops or other portable devices or media, files, records, work papers, etc. prior to their departure. Employees are required to surrender all keys, IDs, access codes and badges which permit access to the premises or to Personal Information. Employee’s remote electronic access is disabled, including his/her voicemail access and email access. All passwords are disabled immediately.
4.7.3. Fault Tolerance and Disaster Recovery
AlertDriving takes the following measures to ensure your data is accessible by you at all times.
220.127.116.11. Fault Tolerance
Our Data Centre Network Infrastructure is both redundant and fault tolerant. All routers, switches, and firewall devices are redundant with failover. The high performance network infrastructure provides high availability with multiple connections to all major Internet backbones.
18.104.22.168. Disaster Recovery
A formal, documented, executive management approved disaster recovery plan is in place. In the event of a disaster at the primary data centre, traffic is re-routed to the recovery data centre where data is being continuously replicated at block level. Our recovery targets include a 15-minute RPO (Recovery Point Objective) and a 30-minute RTO (Recovery Time Objective).
4.8. Data Retention and Disposal
We will only retain your Personal Information for the period of time required to fulfill the purposes for which it was collected, or as required by law. We may store your data in magnetic media (hard disks, tapes) in our secure data centre locations with appropriate safeguards. We will erase your data from the magnetic media, prior to disposal via secure means in a confidential manner.
4.9. Processing Individual Access Requests
Upon written request, you may access and verify your Personal Information and find out to whom we have disclosed it. At the time of your request, we will need specific information from you to verify your identity, before we can provide you with the Personal Information we hold. In addition, you must provide sufficient information in your request to allow us to identify the information you are seeking.
If you are a registered user, you can review the Driver Training Information that we have at any time by logging in to your account on the AlertDriving website and navigating to the "My Activities Homepage" page.
4.10. Updating Personal Information
If your Personal Information changes, or if you no longer wish to use our service, you may contact your company’s designated Fleet Administrators, who can correct, update or remove any personal data through our Application’s Administrative Suite.
4.11. Communicating Breach Notification
We will notify your employer in any event of privacy breach in accordance with the severity mentioned in our service level agreement.
4.12. Third Party Privacy Audits
AlertDriving conducts regular third party data security audits of its applications and infrastructure using leading information security service organizations. To date, no significant violations have been identified and the architecture has been categorized as being very secure and resilient against attack.
4.13. Complaint Response and Resolution
If you have concerns or complaints about your privacy or Personal Information, you may contact us in writing with your specific concern along with your contact information. We will take appropriate amending measures to resolve the situation if required, and inform you about the process.