Privacy Commitment and Policy

Our Commitment to Global Data Privacy Compliance

alertdriving is committed to complying with all applicable privacy laws across the globe. This commitment is vital to our continued success as a software-as-a-service provider and reflects our desire to conduct business in accordance with the highest legal and ethical standards. To fulfill this commitment, we have adopted the privacy principles set out in the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). In addition, we have implemented formal, documented, and management-approved security controls based on the ISO27002 guidelines. alertdriving's offices and dual data centers are located exclusively in Ontario, Canada, where PIPEDA went into effect on January 1st, 2004. alertdriving's compliance with PIPEDA brings it into compliance with the requirements of the Global Data Privacy Regulations (GDPR), which covers 27 European countries including but not limited to Germany, France, Spain, Denmark, Belgium, Netherlands, and Italy. alertdriving will ensure compliance with all privacy laws that have come or will come into effect, including China's Personal Information Protection Law of the People’s Republic of China (PIPL), Brazil's General Data Protection Law (LGPD), and India’s Personal Data Protection (PDP). Although data privacy is not centrally legislated or regulated in the US, several states have independently passed legislation regulating the collection, use, and disclosure of personal information.
These include the California Consumer Privacy Act (CCPA), effective January 1st, 2020, which requires operators of commercial websites that collect personally identifiable information from California residents to conspicuously post and comply with a privacy policy, and the Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00), effective March 1st, 2010, enacted by the Commonwealth of Massachusetts, which require encryption of both data at rest and data in transit over a public network, such as the internet, when that data contains personally identifiable information. alertdriving regularly reviews all applicable state laws to ensure compliance at all times. 

Executive Management Accountability

alertdriving has designated a senior management executive to oversee the company's compliance with global data privacy and information security principles. If you have questions or concerns regarding your privacy or personal information, you may contact us through one of the following channels: 

Phone (North America): 1-877-867-6642

Phone (International): 1-416-750-0210

Email: privacy@alertdriving.com

alertdriving's Privacy Principles

Purpose of Personal Information Collection

alertdriving's global data privacy and information security principles define how we collect, use, disclose, and protect personally identifiable information. We will only collect, use, and disclose the information that we need in order to adhere to our service level agreement with your employer to provide the following services: 

  • Driver Safety Training

  • Driver risk profiles (if applicable)

Obtaining Consent

alertdriving will only collect, use, disclose, and retain your personal information after obtaining your consent through our website or through your employer, except where otherwise permitted or required by law. If the purpose for which information was collected changes, we will obtain additional consent from you prior to further processing. You may choose not to provide us with any of your personal information; however, if you make this choice, we may not be able to provide you with the product, service, or information intended for you. 

Withdrawal of Consent

Subject to reasonable notice, you may withdraw your consent at any time, unless the personal information is necessary for us to fulfill our legal requirements and similar obligations. To withdraw consent, simply contact us regarding the personal information you no longer wish us to use.

Identifying Information

With your consent, we may collect several different categories of information from you. 

What Data Do We Collect?

The type of information we usually collect and maintain may include your: 

  • Employee ID 

  • Name 

  • E-mail Address 

  • Company Group 

  • Language Preference 

  • IP Address 

If your employer uses our platform to retrieve Motor Vehicle Record (MVR) Checks, we may also collect and maintain your: 

  • Driver's License Number and State 

  • Date of Birth

Cookie Use

alertdriving uses cookies. A cookie is a small piece of data stored on a visitor's hard drive that helps us improve access to our site and recognize repeat visitors. Cookies allow us to understand user interests so we can enhance the overall site experience.

We use strictly necessary cookies for session-based authentication and to reference information about users of our site. The cookies we use are not linked to any personally identifiable information. Our site does not use any targeting or advertising cookies.

You can choose not to allow certain types of cookies. However, blocking some cookies may affect your experience on the site and limit the services we are able to provide.

How Do We Collect Data? 

Personal information may be collected through our site, our direct pre-sales marketing efforts, or from your employer or its agents. 

Where Do We Keep Your Data? 

We store all client data on hardware that is physically separated from the application, has no direct internet connectivity, and is located in a separate, secure environment accessible only to authorized personnel. Our data centers are geographically redundant and located across Southern Ontario, Canada. Additionally, all PII for Russian citizens currently in Russia is also processed primarily and retained in a data center located in the Russian Federation, in compliance with the Russian data protection law.

Disclosure of Information 

We will only use, disclose, and process your personal information to fulfill the purposes for which it was collected, in accordance with this privacy policy. Any exception will be with your prior consent, or as may be permitted or required by law. In addition, we will keep your information only for as long as it is needed to fulfill the purposes for which it was collected, or as required by law, whichever is shorter. 

To Whom is Information Disclosed or Shared? 

Your information may be disclosed to, or shared with, the following entities: 

  • Specially designated employees of your employer ("Fleet Administrators"), who need access in order to fulfill their job functions. To find out who your designated Fleet Administrator is, you may send an email to support@alertdriving.com

  • Our Channel Partners, if your employer is a customer of a Channel Partner that resells our solution and services to your employer.

All third-party relationships are required to implement appropriate technical, physical, and administrative safeguards for personal information. alertdriving will never share your information with any third-party for marketing purposes. 

Lawfully Limiting Personal Information

We will limit the collection of your personal information to only those details that are necessary for the purposes identified. Your personal information will only be used or disclosed for the purpose for which it was collected, unless you have otherwise consented, or when it is required or permitted by law. We will only retain your personal information for the period of time required to fulfill the purposes for which it was collected. 

Accuracy of Information 

We will keep personal information we collect as accurate, complete, and up-to-date as necessary to fulfill the purposes for which it was collected. 

Data Protection 

We have taken strong measures to ensure the security and confidentiality of your personal information. It is also important that you take all necessary precautions as well to help keep your personal information safe and secure at all times. 

Client information is housed in ISO27001 certified datacentre facilities that are regularly audited in accordance with SSAE-18, SSAE-16, ISAE-3402, and CSAE-3416. This ensures controls for security of information, human resources, and physical assets, among others, are properly designed and operating as expected. It will be maintained during the agreement duration. Controls are implemented to provide reasonable assurance that access to data center facilities, computer equipment, media, storage areas, and documentation is restricted to authorized personnel, and measures are in place and maintained for protection of computer equipment from environmental hazards.

Physical Security 

alertdriving takes the following measures to ensure the physical safeguarding of your personal information. 

Physical Access Restrictions 

Our data centers employ 24/7 on-premises security guards. Security systems on the building exterior include cameras with digital recorders, false entrances, vehicle blockades, customized parking lot designs, bulletproof glass/walls, and unmarked buildings. Portals and person-traps are in place to authenticate only one person at a time. 

Personnel Access Policies

Access is granted only to Network Operations Center and Specialized Operations team members carrying photo ID access cards. Biometric systems including retina scanners are used throughout the building. 

Environmental Protection

Centralized HVAC systems allow proper heat dissipation at all times. Modern fire suppression methods, augmented by heat detection and dry-pipe sprinkler systems, detect smoke from the earliest stage of combustion. Seismic isolation equipment is installed to cushion facilities against earthquake movement. 

Redundant Power

High capacity, redundant diesel generators guarantee power availability. In addition, multiple uninterruptible power source (UPS) systems are installed to eliminate fluctuations and to provide clean, continuous power. 

Data Security

alertdriving takes the following measures to ensure the safeguarding of your personal information. 

Application Architecture

Our application utilizes separate and distinct Production, Database, Staging, and Development environments. Access between these environments is restricted by access controls. Console access to the Development server is limited to developers, and root access is limited to system administrators. Login credentials are required to read and/or modify source code. Physical access to servers is limited to authorized employees only. Client data is not available for application development unless it has been appropriately sanitized. 

Protocols and Encryptions 

Data transmission between the system and the administrative users, as well as any other users transmitting personally identifiable information, is conducted over a secure TLS connection. Strong cryptography and encryption techniques are used, such as the Advanced Encryption Standard (AES) with 256-bit encryption (minimum 128-bit). alertdriving utilizes the secure FTP data transfer protocol, along with optional PGP for all file transfers.

Security Appliances

Security software and devices (firewalls, monitoring, logging, etc.) are used to detect and prevent unauthorized access. Firewall rules are set to deny traffic by default, with HTTP/HTTPS as the only open ports. Firewalls are configured in a hardened state, and formal change control processes are in place for all firewall configuration changes.

User Authentication

Access credentials at-rest are stored in a database server that is behind a router and is only accessible from alertdriving's application server. The transmission of access credentials between the system and all users occurs over a secure TLS connection. Strong cryptography and encryption techniques are used, such as AES with 256-bit encryption (minimum 128-bit). 

Password Policies

Each user will be required to change their initial system generated password at time of first login. All passwords must contain at least eight characters, as well as numeric digits and uppercase and lowercase English letters. The password should not contain the user's account name (case-insensitive). Software that controls password changes ensures that all passwords conform to security standards. All passwords are set to expire in 90 days. A system is in place that allows password resets. User credentials are stored in a database housed offline with no direct connectivity to the public internet. Passwords are encrypted when stored at rest in the database and are never communicated via email, with the exception of system-generated passwords. 

Employee Departure

alertdriving employees are required to return all information stored on laptops and other portable devices or media, files, records, work papers, etc. prior to their departure. Employees are required to surrender all keys, IDs, access codes, and badges which permit access to the premises or to personal information. The employee's remote electronic access is disabled, including their voicemail access and email access. All passwords are disabled immediately. 

Fault Tolerance and Disaster Recovery

alertdriving takes the following measures to ensure your data is accessible by you at all times. 

Fault Tolerance 

Our data center network infrastructure is both redundant and fault-tolerant. All routers, switches, and firewall devices are redundant with failover. The high-performance network infrastructure provides high availability, with multiple connections to all major internet backbones. 

Disaster Recovery

A formal, documented, executive management approved disaster recovery plan is in place. In the event of a disaster at the primary data center, traffic is re-routed to the recovery data centre where data is being continuously replicated at block level. Our recovery targets include a 15-minute Recovery Point Objective (RPO) and a 2-hour Recovery Time Objective (RTO). 

Other Important Information

Data Retention and Disposal

We will only retain your personal information for the period of time required to fulfill the purposes for which it was collected, or as required by law. We may store your data in magnetic media (hard disks, tapes) in our secure data centre locations with appropriate safeguards. We will erase your data from the magnetic media prior to disposal via secure means in a confidential manner. 

Processing Individual Access Requests

Upon written request, you may access and verify your personal information and find out to whom we have disclosed it. At the time of your request, we will need specific information from you to verify your identity before we can provide you with the personal information we hold. In addition, you must provide sufficient information in your request to allow us to identify the information you are seeking. 

If you are a registered user, you can review the driver training information that we have on file at any time by logging in to your account on the alertdriving website and navigating to "My Activities." 

Updating Personal Information 

If your personal information changes, or if you no longer wish to use our service, you may contact your company's designated Fleet Administrators, who can correct, update, or remove any personal data through our application's administrative suite. 

Communicating Breach Notification

We will notify your employer in the event of any privacy breach, in accordance with the severity mentioned in our service level agreement.

Third-Party Privacy Audits

alertdriving conducts regular third-party data security audits of its applications and infrastructure using leading information security service organizations. To date, no significant violations have been identified and the architecture has been categorized as being very secure and resilient against attack. 

Complaint Response and Resolution 

If you have questions or concerns regarding your privacy or personal information, we will respond to these questions or concerns within 30 days. When required, we will take appropriate amending measures to resolve the situation and will keep you informed about the process.