
Security at TripShot

Protecting the future of mobility with the highest standards

Introduction

TripShot’s mission is to simplify transit management and to increase efficiency.

Putting in place the proper safeguards to keep your data secure is one of our top priorities. We’re committed to utilizing state-of-the-art technology and the highest standards to maintain that goal. We will always be transparent and communicate our processes and help you feel confident in our strategy and approach.

Organizational Security

TripShot’s industry-leading security program is based on a layered approach with emphasis on security, segmentation, verification and redundancy. Our security policies are ISO 27001 certified by an independent third-party auditor. We practice AICPA Trust Service Principles and NIST standards. As with the nature of security, we adapt to the most recent threats and evolve our strategy to continually protect your data. TripShot’s security team is headed by our Chief Security Officer (CSO) and a team of knowledgeable experts to manage threats, perform risk analysis and regularly evaluate our mechanisms. Our focus is to combine Engineering, Network Architecture, Product Security, Information Security, Detection and Response with Risk and Compliance to have the best combination for success.

Protecting Customer Data

The focus of TripShot’s security program is to implement perimeter controls, strict authentication, data segmentation, data integrity checks and real-time replication for data availability. We have spent years improving our infrastructure and have put in place hundreds of controls to mitigate risks and reduce threats. We are committed to an ongoing effort to always improve on our workflow and build upon our enterprise level security program.

Securing by Design

TripShot’s engineering team and security team have built a strong development cycle which includes open-source platforms with a strong support community. We realize that the security atmosphere is forever changing and that a platform with a fast-acting support community is best leveraged to provide the quickest response with a large scope of resources. In addition, we will develop our platforms with industry-leading detection programs and bug-scanning utilities. Our development process incorporates a strict change control mechanism and quality assurance check on every step of development and release.

Encryption

DATA IN TRANSIT

All data transmitted between TripShot infrastructure and user interfaces uses strong encryption protocols. TripShot supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures.

DATA AT REST

Data at rest in TripShot’s development and production infrastructure is encrypted using SSL compliant encryption standards, which applies to all types of data at rest within our databases, data storage and backup facilities. All encryption keys are stored in a secure server on a segregated network with very limited access. TripShot has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Each TripShot customer’s data is hosted in our managed cloud solution and logically separated from other customer data. We use a distributed storage strategy to ensure all data is protected from hardware failure and network outages, and we can quickly fail over our platform to another region of the country. The TripShot infrastructure is hosted on SSAE 16, SOC-1, SOC-2 and ISO 27001 certified infrastructure. Our industry-leading service providers offer state-of-the-art physical protection as well as dynamic resource allocation for future-proof scalability.

Network Security & Server Hardening

TripShot divides systems into separate network segments for better protection and custom management. Development and testing environments are logically managed to vet all bugs and vulnerabilities before being applied to the TripShot production environment. All systems in the TripShot infrastructure are hardened (e.g., disabling unnecessary ports, removing default passwords, etc.) and have a consistent baseline configuration to provide the highest level of consistency. Access to customer data is always restricted to a very small subset of employees with proper logging and verification. Only essential ports necessary for TripShot services are enabled on the perimeter and there are safeguards against distributed denial of service (DDoS) attacks as well as regular third-party penetration testing. TripShot logs, monitors, and audits all elevated system commands and has alerting in place for system calls that indicate a potential intrusion.

Endpoint Security

All workstations issued to TripShot employees are configured by TripShot IT to comply with our standards for security. These standards ensure that every system is provided with proper anti-virus, malware and security tracking programs to provide the highest level of protection. All TripShot workstations used to engage in company business are required to be enrolled in the appropriate device management system to ensure they meet TripShot’s security requirements.

Access Control

PROVISIONING

To minimize the risk of data exposure, TripShot has implemented a role-based permission system and auditing schedule. Only necessary access is given to every job role within the company and permission is only allocated to fulfill their current job responsibilities. All development, testing and production access is reviewed at least quarterly.

AUTHENTICATION

To further reduce the risk of unauthorized access to data, TripShot has deployed multi-factor authentication for access to any system that contains highly classified data, including our production environment. Unique usernames, encrypted keys, rotating/strong passwords and system access logging are just a few of the authentication mechanisms we employ.

PASSWORD MANAGEMENT

TripShot requires all employees to use an approved corporate password manager. Password managers generate, store, and enter unique and complex passwords to avoid password reuse, phishing, and other password-related risks.

Data Retention and Disposal

Customer data is removed upon termination of service or upon request of customer administrators. TripShot can de-identify customer data before deletion, is compliant with General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) requirements, and has implemented processes for users to request their data be deleted.

Disaster Recovery & Business Continuity Plan

TripShot has put in place a robust Disaster Recovery and Business Continuity Plan for corporate and customer data. All data in development, testing and production environments is replicated to a cold-standby backup facility in a different region of the United States.

This mitigates the loss of connectivity, power infrastructure, and other common location-specific failures. Full backups are saved to this remote backup facility at least once per day and transactions are saved continuously. TripShot performs a full test of backup and recovery procedures at least bi-yearly with a data integrity review every month.

Responding to Security Incidents

TripShot has established policies and procedures (also known as Standard Operating Procedures, or SOPs) for responding to potential security incidents. All security incidents are managed by TripShot’s dedicated Detection and Response Team. The SOPs define the types of events that must be managed via the incident response process and classify them based on severity. In the event of an incident, affected customers will be informed via email from our customer experience team. Incident response procedures are tested and updated at least annually.

Vendor Management

To maximize efficiency, TripShot relies on market-leading sub-service organizations. Where those sub-service organizations may impact the security of TripShot’s infrastructure, we take strong and appropriate steps to ensure our security standard is consistently maintained by our vendors. All sub-service organizations must adhere to confidentiality commitments we have made to users. TripShot monitors the effective operation of the organization’s safeguards by conducting regular reviews of all vendors at least yearly.

Conclusion

TripShot is committed to providing a safe and secure environment for your data.

Every customer deserves to have transparency and clarity on how their data is handled and protected. TripShot’s ongoing mission will be to maintain and improve upon our market-leading security culture. Please feel free to contact your sales representative or account manager if you have any questions or concerns about your data.

We look forward to working with you to provide the safest possible environment for your data.