Privacy commitment and policy
Our Commitment to Global Data Privacy Compliance
Alertdriving is committed to complying with all applicable privacy laws across the globe. This commitment is vital to our continued success as a Software-as-a-Service Provider and reflects our desire to conduct business in accordance with the highest legal and ethical standards. To fulfill this commitment, we have adopted the Privacy Principles established by the Canadian PIPEDA (the Personal Information Protection and Electronic Documents Act), . In addition, we have implemented formal, documented and management-approved security controls based on the ISO27002 guidelines. Alertdriving's offices and dual data centers are located exclusively in Ontario, Canada, where the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect on January 1st, 2004. Alertdriving's compliance with the PIPEDA brings it into compliance with the requirements of the GDPR, which covers 27 European countries including but not limited to Germany, France, Spain, Denmark, Belgium, Netherlands, and Italy. alertdrivng will be in compliance with the new Privacy Laws from China (Personal Information Protection Law of the People’s Republic of China – PIPL), Brazil (LGPD – English translation General Data Protection Law) and India’s (Personal Data Protection PDP) that have or will come into effect. Although data privacy is not centrally legislated or regulated in the US, several states have independently passed legislation regulating the collection, use and disclosure of Personal Information. For example, The California Consumer Privacy Act (CCPA), effective as of January 1, 2020, requires operators of commercial websites that collect personally identifiable information from California residents to conspicuously post and comply with a privacy policy. The Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00) was passed on March 1, 2010, by the state of Massachusetts. It is a data privacy law that requires the encryption of both "data at rest" and "data in transit" over a public network, such as the Internet, when that data contains personally identifiable information. Alertdriving regularly reviews all applicable state laws to ensure compliance at all times.
Executive Management Accountability
Alertdriving has designated a senior management executive to oversee the company's compliance with Global Data Privacy and Information Security Principles. If you have questions or concerns regarding your privacy or Personal Information, you may contact us at the address listed below:
Chief Privacy Officer
Alertdriving
North America: 1-877-867-6642
International: 001-416-750-0210
Fax: 416-750-7862
Email: privacy@alertdriving.com
2 Concorde Place, Suite 800
Toronto, Ontario, M3C 3R8
Canada
Alertdriving's Privacy Principles
Purpose for Personal Information Collection
Our Global Data Privacy and Information Security Principles define how Alertdriving collects, uses, discloses and protects personally identifiable information. We will only collect, use and disclose the information that we need in order to adhere to our service level agreement with your employer to provide the following services:
-
Driver Safety Training;
-
Driver risk profiles (if applicable).
Obtaining ConsentWe will only collect, use, disclose and retain your Personal Information after obtaining your consent through our website or through your employer, except where otherwise permitted or required by law. If the purpose for which information was collected changes, we will obtain additional consent from you prior to further processing. You may choose not to provide us with any of your Personal Information; however, if you make this choice we may not be able to provide you with the product, service or information intended for you.
Withdrawal of ConsentSubject to reasonable notice, you may withdraw your consent at any time, unless the Personal Information is necessary for us to fulfill our legal requirements and similar obligations. To withdraw consent, simply contact us in writing and advise us of what Personal Information you no longer wish us to use.
Identifying Information
With your consent, we may collect several different categories of information from you.
What data do we collect?
The type of information we usually collect and maintain may include your:
-
Employee ID
-
Name
-
E-mail Address
-
Company Group
-
Language Preference
-
IP Address
If your employer uses our platform to retrieve Motor Vehicle Record (MVR) Checks, we may also collect and maintain your:
-
Driver's License Number and State
-
Date of Birth
Our application uses "cookies". A cookie is a piece of data stored on a site visitor's hard drive to help us improve your access to our sites and identify repeat visitors to our sites. Cookies can also enable us to track the interests of our users to enhance the experience on our sites. We use strictly necessary cookies for session-based authentication to reference information about the user of our sites. Usage of our cookies is in no way linked to any personally identifiable information on our sites. Our websites do not use any targeting or advertising cookies.
We respect your privacy, you can choose not to allow some types of cookies. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.
How do we collect it?
We may collect Personal Information from you through our direct pre-sales marketing efforts, our websites or from your Employer or its agents.
Where do we keep it?
We store all client data on hardware physically separated from the application with no direct Internet connectivity, and located in a separate, secure environment accessible only to authorized personnel. Our data centers are geographically redundant and located across Southern Ontario, Canada. Additionally, all PII for Russian citizens currently in Russia are also processed primarily and retained in a data center located in the Russian Federation, in compliance with the Russian data protection law.
Disclosure of Information
We will only use, disclose and process your Personal Information to fulfill the purposes for which it was collected, in accordance with this privacy policy. Any exception will be with your prior consent, or as may be permitted or required by law. In addition, we will keep your information only for as long as it is needed to fulfill the purposes for which it was collected, or as required by law, whichever is shorter.
To whom is information disclosed or shared?
Your information may be disclosed to, or shared with the following entities:
-
Specially designated employees of your Employer ("Fleet Administrators"), who need access in order to fulfill their job functions. To find out who your designated Fleet Administrator is, you may send an email to support@alertdriving.com.
-
Our Channel Partners, if your Employer is a customer of theirs who resell our solution and services to your Employer.
All third party relationships are required to implement appropriate technical, physical, and administrative safeguards for Personal Information. Alertdriving will never share your information with any third party for marketing purposes.
Who has access to or uses it?
All third party relationships are required to implement appropriate technical, physical, and administrative safeguards for Personal Information. Alertdriving has entered into a written agreement with each sub-processor containing data protection obligations not less protective than those in the agreement with your employer, with respect to the protection of your data to the extent applicable to the nature of the services provided by such sub-processor.
Lawfully Limiting Personal Information
We will limit the collection of your Personal Information to only those details that are necessary for the purposes identified. Your Personal Information will only be used or disclosed for the purpose for which it was collected, unless you have otherwise consented, or when it is required or permitted by law. We will only retain your Personal Information for the period of time required to fulfill the purposes for which it was collected.
Accuracy of Information
We will keep Personal Information we collect as accurate, complete and up-to-date as necessary to fulfill the purposes for which it was collected.
Data Protection
We have taken strong measures to ensure the security and confidentiality of your Personal Information. It is also important that you take all necessary precautions as well to help keep your Personal Information safe and secure at all times.
Client information is housed in ISO27001 certified datacentre facilities that are regularly audited in accordance with SSAE-18, SSAE-16, ISAE-3402, AND CSAE-3416. This ensures controls for security of information, human resources, and physical assets, among others, are properly designed and operating as expected. It will be maintained during the agreement duration. Controls are implemented to provide reasonable assurance that access to Data center facilities, computer equipment, media, storage areas and documentation is restricted to authorized personnel, and measures are in place and maintained for protection of computer equipment from environmental hazards.
Physical Security
Alertdriving takes the following measures to ensure the physical safeguarding of your Personal Information.
Physical Access Restrictions
Our data centers employ on-premise 24X7 security guards. Security systems on the building exterior include cameras with digital recorders, false entrances, vehicle blockades, customized parking lot designs, bulletproof glass/walls and unmarked buildings. Portals and person-traps are in place to authenticate only one person at a time.
Personnel Access Policies
Access is granted only to Network Operations Center and Specialized Operations team members carrying photo ID access cards. Biometric systems including retina scanners are used throughout the building.
Environmental Protection
Centralized HVAC systems allow proper heat dissipation at all times. Modern fire suppression methods, augmented by heat detection and dry-pipe sprinkler systems, detect smoke from the earliest stage of combustion. Seismic isolation equipment is installed to cushion facilities against earthquake movement.
Redundant Power
High capacity, redundant diesel generators guarantee power availability. In addition, multiple uninterruptible power source (UPS) systems are installed to eliminate fluctuations and to provide clean, continuous power.
Data Security
Alertdriving takes the following measures to ensure the safeguarding of your Personal Information within the application itself.
Application Architecture
Our application utilizes separate and distinct Production, Database, Staging and Development environments. These environments communicate with restricted access control. Console access to the development server is limited to developers and root access is limited to system administrators. Login credentials are required to read and/or modify source code. Physical access to servers is limited only to authorized employees. Client data is not available for application development unless it has been appropriately sanitized.
Protocols and Encryptions
Data transmission between the system and the administrative users [and any other users transmitting Personally Identifiable Information] is done over a secure TLS connection. Strong cryptography and encryption techniques are used such as 256-bit (minimum 128-bit) Advanced Encryption Standard. Alertdriving utilizes the Secure FTP data transfer protocol, along with optional PGP for all file transfers.
Security Appliances
Security software and devices (firewalls, monitoring & logging, etc) are used to detect and prevent unauthorized access. Firewall rules are set to deny traffic with http/https as the only default open ports. Firewalls are configured in a hardened state, and formal change control processes are in place for all firewall configuration changes.
User Authentication
Access credentials at rest are stored in a database server that is behind a router and is only accessible from Alertdriving's application server. The transmission of access credentials between the system and all users occurs over a secure TLS connection. Strong cryptography and encryption techniques are used - 256-bit TLS (minimum 128-bit) Advanced Encryption Standard.
Password Policies
Each user will be required to change their initial system generated password at time of first login. All passwords must contain at least eight characters, and contain numeric, uppercase and lowercase English alphabetic characters. The password should not contain the user's account name (case-insensitive). Software that controls password changes ensures that all passwords conform to security standards. All passwords are set to expire in 90 days. A system is in place that allows password resets. User credentials are stored in a database housed offline with no direct connectivity to the public Internet. Passwords are encrypted when stored at rest in the database and are never communicated via email, with the exception of system-generated passwords.
Employee Departure
Alertdriving employees are required to return all information stored on laptops and other portable devices or media, files, records, work papers, etc. prior to their departure. Employees are required to surrender all keys, IDs, access codes and badges which permit access to the premises or to Personal Information. Employee's remote electronic access is disabled, including his/her voicemail access and email access. All passwords are disabled immediately.
Fault Tolerance and Disaster Recovery
Alertdriving takes the following measures to ensure your data is accessible by you at all times.
Fault Tolerance
Our Data Centre Network Infrastructure is both redundant and fault tolerant. All routers, switches, and firewall devices are redundant with failover. The high performance network infrastructure provides high availability with multiple connections to all major Internet backbones.
Disaster Recovery
A formal, documented, executive management approved disaster recovery plan is in place. In the event of a disaster at the primary data centre, traffic is re-routed to the recovery data centre where data is being continuously replicated at block level. Our recovery targets include a 15-minute RPO (Recovery Point Objective) and a 2-hour RTO (Recovery Time Objective).
Data Retention and Disposal
We will only retain your Personal Information for the period of time required to fulfill the purposes for which it was collected, or as required by law. We may store your data in magnetic media (hard disks, tapes) in our secure data centre locations with appropriate safeguards. We will erase your data from the magnetic media, prior to disposal via secure means in a confidential manner.
Processing Individual Access Requests
Upon written request, you may access and verify your Personal Information and find out to whom we have disclosed it. At the time of your request, we will need specific information from you to verify your identity, before we can provide you with the Personal Information we hold. In addition, you must provide sufficient information in your request to allow us to identify the information you are seeking.
If you are a registered user, you can review the Driver Training Information that we have at any time by logging in to your account on the Alertdriving website and navigating to the "My Activities Homepage" page.
Updating Personal Information
If your Personal Information changes, or if you no longer wish to use our service, you may contact your company's designated Fleet Administrators, who can correct, update or remove any personal data through our Application's Administrative Suite.
Communicating Breach Notification
We will notify your employer in any event of privacy breach in accordance with the severity mentioned in our service level agreement.
Third Party Privacy Audits
Alertdriving conducts regular third party data security audits of its applications and infrastructure using leading information security service organizations. To date, no significant violations have been identified and the architecture has been categorized as being very secure and resilient against attack.
Complaint Response and Resolution
If you have questions or concerns regarding your privacy or Personal Information, we will take appropriate amending measures to resolve the situation if required, and inform you about the process.
We will respond within 30 days to any questions or concerns regarding your privacy or Personal Information. We will take appropriate amending measures to resolve the situation if required and inform you about the process.