PRIVACY POLICY

1.0. Purpose

To outline AlertDriving’s Global Data Privacy and Information Security Principles by defining how AlertDriving collects, uses, discloses and protects personally identifiable information.

2.0. Executive Management Accountability

AlertDriving has designated a senior management executive to oversee the company's compliance with Global Data Privacy and Information Security Principles. If you have questions or concerns regarding your privacy or Personal Information, you may contact us at the address listed below:

Omar Amlani, CIPP/IT
Vice-President, IT Operations and Data Privacy
AlertDriving
250 Ferrand Drive, Suite 301
Toronto, Ontario, M3C 3G8
Canada

3.0. Our Commitment to Global Data Privacy Compliance

AlertDriving is committed to complying with all applicable privacy laws across the globe.  This commitment is vital to our continued success as a Software as a Service Provider and reflects our desire to conduct business in accordance with the highest legal and ethical standards.

To fulfill this commitment, we have adopted the Privacy Principles established by the Canadian PIPEDA (the Personal Information Protection and Electronic Documents Act), which was largely influenced by the EU Data Protection Directive.  In addition, we have implemented formal, documented and management-approved security controls based on the ISO27002 guidelines.

AlertDriving’s offices and dual data centres are located exclusively in Ontario, Canada, where the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect on January 1st, 2004. AlertDriving’s compliance with the PIPEDA brings it into compliance with the requirements of the European Commission's directive on data privacy, in countries including but not limited to Germany, France, Spain, Denmark, Belgium, Netherlands, Italy and the UK.

Although data privacy is not highly legislated or regulated in the US, several states have independently passed legislation regulating the collection, use and disclosure of Personal Information. For example, The California Online Privacy Protection Act of 2003 (OPPA), effective as of July 1, 2004, requires operators of commercial websites that collect personally identifiable information from California residents to conspicuously post and comply with a privacy policy. On March 1, 2010 Massachusetts passed a data privacy law that requires the encryption of both "data at rest" and "data in transit" over a public network, such as the Internet, when that data contains personally identifiable information.  AlertDriving regularly reviews all applicable state laws to ensure compliance at all times.

4.0. AlertDriving’s Privacy Principles

4.1.   Purpose

We will only collect, use and disclose the information that we need in order to adhere to our service level agreement with your employer to provide the following services:

  • Driver Safety Training;
  • Motor Vehicle Record (MVR) Reporting services (if applicable); and
  • Driver risk profiles (if applicable).

4.2.   Consent Obtainment

We will only collect, use, disclose and retain your Personal Information after obtaining your consent through our website or through your employer, except where otherwise permitted or required by law. If the purpose for which it was collected changes, we will obtain additional consent from you prior to using, disclosing and retaining Personal Information that was previously obtained.

You may choose not to provide us with any of your Personal Information; however, if you make this choice we may not be able to provide you with the product, service or information intended for you.

4.2.1. Withdrawal of Consent

Subject to reasonable notice, you may withdraw your consent at any time, unless the Personal Information is necessary for us to fulfill our legal requirements and similar obligations. If you withdraw your consent, we will inform you of the implications of such withdrawal. To withdraw consent, simply contact us in writing and advise us of what Personal Information you no longer wish us to use.

Customers who no longer wish to receive AlertDriving’s FleetAlert Magazine may opt-out of receiving these communications by replying with ‘unsubscribe’ in the subject line.

4.3.   Identifying Information

With your consent, we may collect several different categories of information from you.

4.3.1. What data do we collect?

The type of information we usually collect and maintain may include your:

  • Employee ID
  • Name
  • E-mail Address
  • Company Group
  • Language Preference

If your employer uses our platform to retrieve Motor Vehicle Record (MVR) Checks, we may also collect and maintain your:

  • Driver’s License Number and State
  • Date of Birth

Some of our users may purchase training modules by making a credit card payment through our website.  In this situation, we will request payment information from you on our secure order form. To buy from us, you must provide your name and financial information, including credit card number and expiration date.  We use this information for billing purposes and for processing your orders and dispose of the information once the transaction is completed.

Our application uses "cookies". A cookie is a piece of data stored on a site visitor's hard drive to help us improve your access to our site and identify repeat visitors to our site.  Cookies can also enable us to track and target the interests of our users to enhance the experience on our site. Usage of a cookie is in no way linked to any personally identifiable information on our site.

4.3.2. How do we collect it?

We may collect Personal Information from you through our website or from your Employer or their agents.

4.3.3. Where do we keep it?

We store all client data on hardware physically separated from the application with no direct Internet connectivity, and located in a separate, secure environment accessible only to authorized personnel. Our data centres are geographically redundant and located in the Greater Toronto Area of Ontario, Canada.

4.4.   Disclosure of Information

We will only use and disclose your Personal Information to fulfill the purposes for which it was collected and in accordance with this privacy policy. Any exception will be with your prior consent, or as may be permitted or required by law. In addition, we will keep your information only for as long as it is needed to fulfill the purposes for which it was collected, or as required by law, whichever is shorter.

4.4.1. To whom is information disclosed or shared?

Your information may be disclosed to, or shared with the following entities:

  • Specially designated employees of your Employer (“Fleet Administrators”), who need access in order to fulfill their job functions.  To find out who your designated Fleet Administrator is, you may send an email to support@alertdriving.com.
  • Our payment processor, if you purchase training modules by making a credit card payment through our website.
  • Our MVR data provider if your employer orders a Motor Vehicle Record for you. 

All third party relationships are required to implement appropriate technical, physical, and administrative safeguards for Personal Information.

AlertDriving will never share your information with any third party for marketing purposes.

4.4.2. Who has access to or uses it?

AlertDriving employees who require specific access to your information in order to fulfill customer service requests from you or your Employer will have access to your information.

4.5.   Lawfully Limiting Personal Information

We will limit the collection of your Personal Information to only those details that are necessary for the purposes identified.

Your Personal Information will only be used or disclosed for the purpose for which it was collected, unless you have otherwise consented, or when it is required or permitted by law. We will only retain your Personal Information for the period of time required to fulfill the purposes for which it was collected.

4.6.   Accuracy of Information

We will keep Personal Information we collect as accurate, complete and up-to-date as necessary to fulfill the purposes for which it was collected.

4.7.   Data Protection

We have taken strong measures to ensure the security and confidentiality of your Personal Information. It is also important that you take all necessary precautions as well to help keep your Personal Information safe and secure at all times.

4.7.1. Physical Security

AlertDriving takes the following measures to ensure the physical safeguarding of your Personal Information.

4.7.1.1.   Physical Access Restrictions

Our data centres employ on-premise 24X7 security guards.  Security systems on the building exterior include cameras with digital recorders, false entrances, vehicle blockades, customized parking lot designs, bulletproof glass/walls and unmarked buildings.  Portals and person-traps are in place that authenticate only one person at a time.

4.7.1.2.   Personnel Access Policies

Access is granted only to Network Operations Center and Specialized Operations team members carrying photo ID access cards.  Biometric systems including palm scanners are used throughout the building.

4.7.1.3.   Environmental Protection

Centralized HVAC systems allow proper heat dissipation at all times.  Modern fire suppression methods, augmented by heat detection and dry-pipe sprinkler systems, detect smoke from the earliest stage of combustion.  Seismic isolation equipment is installed to cushion facilities against earthquake movement.

4.7.1.4.   Redundant Power

High capacity, redundant diesel generators guarantee power availability.  In addition, multiple uninterruptible power source (UPS) systems are installed to eliminate fluctuations and to provide clean, continuous power.

4.7.2. Data Security

AlertDriving takes the following measures to ensure the safeguarding of your Personal Information within the application itself.

4.7.2.1.   Application Architecture

Our application utilizes separate and distinct Production, Database, Staging and Development environments. These environments communicate with restricted access control. Console access to the development server is limited to developers and root access is limited to system administrators.  Login credentials are required to read and/or modify source code.  Physical access to servers is limited only to authorized employees.  Client data is not available for application development unless it has been appropriately sanitized.

4.7.2.2.   Protocols and Encryptions

Data transmission between the system and the administrative users [and any other users transmitting Personally Identifiable Information] is done over a secure SSL connection.  Strong cryptography and encryption techniques are used such as 256-bit (minimum 128-bit) Advanced Encryption Standard.  AlertDriving utilizes the Secure FTP data transfer protocol, along with optional PGP for all file transfers.

4.7.2.3.    Security Appliances

Security software and devices (firewalls, monitoring & logging, etc) are used to detect and prevent unauthorized access.  Firewall rules are set to deny traffic with http/https as the only default open ports. Firewalls are configured in a hardened state, and formal change control processes are in place for all firewall configuration changes.

4.7.2.4.   Authentication

4.7.2.4.1.   User Authentication

Access credentials at rest are stored in a database server that is behind a router and is only accessible from AlertDriving’s application server.  The transmission of access credentials between the system and all users occurs over a secure SSL connection. Strong cryptography and encryption techniques are used – 256-bit SSL (minimum 128-bit) Advanced Encryption Standard.

4.7.2.4.2.   Password Policies

Each user will be required to change their initial system generated password at time of first login. All passwords must contain at least eight characters, and contain numeric, uppercase and lowercase English alphabetic characters. The password should not contain the user’s account name (case-insensitive). Software that controls password changes ensures that all passwords conform to security standards.  All passwords are set to expire in 90 days.  A system is in place that allows password resets. The requestor must verify their unique employee ID and email address. User credentials are stored in a database housed offline with no direct connectivity to the public internet.  Passwords are encrypted when stored at rest in the database and are never communicated via email, with the exception of system-generated passwords.

4.7.2.5.   Employee Departure

AlertDriving employees are required to leave behind all information stored on laptops or other portable devices or media, files, records, work papers, etc. prior to their departure. Employees are required to surrender all keys, IDs, access codes and badges which permit access to the premises or to Personal Information. Employee’s remote electronic access is disabled, including his/her voicemail access and email access.  All passwords are disabled immediately.

4.7.3. Fault Tolerance and Disaster Recovery

AlertDriving takes the following measures to ensure your data is accessible by you at all times.

4.7.3.1.   Fault Tolerance

Our Data Centre Network Infrastructure is both redundant and fault tolerant. All routers, switches, and firewall devices are redundant with failover. The high performance network infrastructure provides high availability with multiple connections to all major Internet backbones.

4.7.3.2.   Disaster Recovery

A formal, documented, executive management approved disaster recovery plan is in place. In the event of a disaster at the primary data centre, traffic is re-routed to the recovery data centre where data is being continuously replicated at block level. Our recovery targets include a 15-minute RPO (Recovery Point Objective) and a 30-minute RTO (Recovery Time Objective).

4.8.   Data Retention and Disposal

We will only retain your Personal Information for the period of time required to fulfill the purposes for which it was collected, or as required by law.  We may store your data in magnetic media (hard disks, tapes) in our secure data centre locations with appropriate safeguards.  We will erase your data from the magnetic media, prior to disposal via secure means in a confidential manner.

4.9.   Processing Individual Access Requests

Upon written request, you may access and verify your Personal Information and find out to whom we have disclosed it. At the time of your request, we will need specific information from you to verify your identity, before we can provide you with the Personal Information we hold. In addition, you must provide sufficient information in your request to allow us to identify the information you are seeking.

If you are a registered user, you can review the Driver Training Information that we have at any time by logging in to your account on the AlertDriving website and navigating to the "My Activities Homepage" page.

4.10. Updating Personal Information

If your Personal Information changes, or if you no longer wish to use our service, you may contact your company’s designated Fleet Administrators, who can correct, update or remove any personal data through our Application’s Administrative Suite.

4.11. Communicating Breach Notification

We will notify your employer in any event of privacy breach in accordance with the severity mentioned in our service level agreement.

4.12. Third Party Privacy Audits

AlertDriving conducts regular third party data security audits of its applications and infrastructure using leading information security service organizations. To date, no significant violations have been identified and the architecture has been categorized as being very secure and resilient against attack.

4.13. Complaint Response and Resolution

If you have concerns or complaints about your privacy or Personal Information, you may contact us in writing with your specific concern along with your contact information. We will take appropriate amending measures to resolve the situation if required, and inform you about the process.