Scootcabs.ca Legal Portal

Last Updated: January 12, 2024

INTRODUCTION


1.1 Purpose

The purpose of this Information Security Policy (this “Policy”) is to establish a comprehensive framework for protecting the integrity, confidentiality, and availability of information within the operations of the SCOOT CAB app and associated platforms. As a trusted provider in the transportation industry, ensuring the security and privacy of the data of riders and end-users (collectively “users”) and of all critical systems is paramount to maintaining stakeholders’ trust and confidence.

1.2 Scope

This Policy applies to all employees, contractors, partners, and all other parties who have access to the information assets and systems supporting the SCOOT CAB app. It covers the entire information lifecycle – from collection and processing to storage and deletion.

1.3 Objectives

The main objectives of this Policy are to:

  • Safeguard sensitive information from disclosure, unauthorized access, alteration, and destruction.
  • Ensure the availability and reliability of systems and services critical to the operation of the SCOOT CAB app.
  • Comply with all applicable and relevant privacy laws and industry regulations.
  • Foster a security-aware culture among employees and stakeholders.

1.4 Overview

The SCOOT CAB app provides seamless transportation services for many users daily. As we embrace technological advancements and the digital transformation of the transportation industry, the importance of robust information security practices cannot be overemphasized. This Policy provides a set of standards and guidelines to mitigate potential risks, secure our digital assets, and respond to incidents effectively.

Information security is a shared responsibility, and all persons interacting with the SCOOT CAB app ecosystem are expected to comply with the principles outlined in this Policy. Regular training, proactive measures, and communication will be implemented to ensure ongoing compliance.

By complying with this Policy, we demonstrate our commitment to protecting our users’ trust and to maintaining the integrity of SCOOT CAB and the information it processes.

Information Classification and Handling


2.1 Classification levels

All information within the SCOOT CAB app ecosystem shall be classified according to its sensitivity and criticality. The following classification levels are established:

  • Public information: Intended for public disclosure. No special handling or measures are necessary.
  • Internal information: Information to be used internally within the organization. Only authorized personnel may access it.
  • Confidential information: highly sensitive information requiring the highest level of safeguard. Access is limited to individuals with legitimate needs and proper authority.

2.2 Access controls

Access controls matching the classification levels outlined above will be implemented to ensure the integrity and confidentiality of information. Access privileges will be granted based on the principles of least privilege – meaning individuals will have the minimum access necessary to perform their job functions.

Classification level | Access | Control measures
Public information | Open to the public | None beyond the practices described in our Technology Risk Management and Cybersecurity Policy document.
Internal information | Limited to authorized employees and contractors | User authentication, role-based access controls (RBAC), and regular access reviews.
Confidential information | Limited to individuals with legitimate needs and appropriate authority | Strong user authentication, RBAC with explicit permissions, encryption (in transit and at rest), and audit trails.

2.3 Handling and transmission of information

  • Information must be transmitted securely using the organization-approved and encrypted channels.
  • Confidential information must not be transmitted via unsecured communication methods, such as email, unless it is encrypted.
  • Mobile devices used for handling or transmission must be secured with strong authentication and encryption.
  • Physical documents containing sensitive information must be stored securely and access must be restricted.

2.4 Data retention and disposal

All information should be retained in accordance with the organization’s data retention policy (as described in the appropriate document). Any information that is no longer required or reaches its retention period must be securely deleted using the approved methods to prevent it from getting into the wrong hands.

2.5 Training and awareness

All individuals with access to information will receive training on the proper handling and classification of information. Regular awareness campaigns will reinforce the importance of maintaining the integrity and confidentiality of information.

User Authentication


3.1 Strong authentication

To ensure the security of user accounts and prevent unauthorized access, SCOOT CAB will enforce the use of strong authentication mechanisms. This may include the implementation of multi-factor authentication for all accounts. Multi-factor authentication adds an additional layer of security by requiring users to provide multiple forms of identification before gaining access to their accounts.

3.2 Password policy

The following robust password policy will be applied for the protection of user accounts.

  • Complex password: Users must create passwords that meet minimum complexity requirements, including the combination of uppercase, lowercase, numbers, and special characters.
  • Password length: User passwords must meet the minimum length requirement to enhance security.
  • Password expiry: Users will be prompted to change their passwords on a regular basis to reduce the risk of unauthorized access.
  • Password storage: User passwords will be securely hashed using industry-standard methods before storage, so that a breach of the stored data does not expose the passwords themselves.

Additional information may be provided on your profile, including your photo. Drivers are mandated to submit their photos when they register. This will be optional for Riders.

3.3 Account recovery

If a user forgets their login credentials, a secure and verified account recovery process will be established. This process will involve multi-step verification to confirm the user’s identity before they are allowed access to their account.

3.4 Session management

To mitigate the risk of unauthorized access due to session hijacking, SCOOT CAB will implement secure session management practices. This may include session timeouts, secure cookie attributes, and re-authentication for sensitive transactions.

3.5 Third-party authentication

Any third-party authentication service used, such as social media login options, will be carefully vetted for security and privacy considerations. If implemented, these services must meet stringent security standards and comply with all relevant privacy and data protection laws.

3.6 Employee access review


3.7 Logging and monitoring

All authentication attempts, whether successful or not, will be logged and monitored. Suspicious activities will trigger alerts for immediate investigation and response.

Data Encryption


4.1 In-transit encryption

SCOOT CAB will implement strong in-transit encryption to protect information as it travels between end users, drivers, and servers. All communication channels, including user app interactions, API communications, and data transfers will use Transport Layer Security (TLS) or a comparable encryption standard. This ensures that information remains protected from eavesdropping and man-in-the-middle attacks.

4.2 At-rest encryption

Sensitive information stored on servers and mobile devices will be subject to robust at-rest encryption measures to prevent unauthorized access in the event of physical theft or unauthorized system access. Key management, encryption systems, and storage practices will comply with industry standards to maintain confidentiality.

4.3 Encryption key management

SCOOT CAB will establish secure key management practices, including:

  • Storing encryption keys in secure and tamper-evident containers.
  • Regularly rotating encryption keys to limit their exposure.
  • Limiting encryption key access to only authorized personnel.
  • To manage user accounts, including for authentication and profile customization purposes.

4.4 Encryption for communication APIs

All communication interfaces and APIs used by the SCOOT CAB app will employ encryption mechanisms. This may include, without limitation, payment gateways, communication with third-party services, and external systems. Third parties integrated with the app must adhere to these encryption standards to ensure a secure exchange of information.

4.5 Mobile device encryption

Mobile devices used by drivers and end users to interact with the SCOOT CAB app will have encryption measures in place. This may include both device-level and application-level encryption to safeguard information stored on the device and data exchanged between the device and our servers.

4.6 Periodic encryption audits


4.7 Emergency access procedures

In the event of an emergency requiring access to encryption data, the documented emergency access procedures will be followed. The procedures will involve proper documentation, authorization, and oversight to mitigate risks associated with emergency access.

Mobile Device Security


5.1 Device management

SCOOT CAB will implement a Mobile Device Management (MDM) system to enforce security policies, manage device configurations, and ensure compliance with security standards. The key aspects of MDM may include enrolling all devices in the MDM system before they access the SCOOT CAB app, remotely wiping sensitive information from a stolen or lost mobile device to prevent unauthorized access, securely configuring all devices, and detecting rooted devices.

5.2 App security

Regular updates and security assessments will be performed to identify vulnerabilities. These may include regular app updates, code reviews, and penetration testing.

5.3 Device authentication and authorization

Each user will be authenticated on mobile devices following the authentication principles described in section 3 above.

5.4 Mobile app permissions

Only required permissions will be requested from mobile devices, and each permission will have a defined purpose. Users will have the right to grant or deny specific permissions.

5.5 Secure communication channels

Communications between the SCOOT CAB app and our servers, as well as third-party services, will be encrypted using industry-standard protocols. This includes information transmitted during ride requests, authentication, and payment transactions.

5.6 Security awareness for mobile users

Users will receive guidance on maintaining the security of their devices. This may include best practices for setting strong passwords, enabling device encryption, and keeping the SCOOT CAB app and device operating system up to date.

Incident Response Policy


SCOOT CAB has established an Incident Response Plan that describes the step-by-step procedures to be followed in the event of a security incident. This plan may include incident identification, reporting, response, investigation, containment, eradication, recovery, and communication. All incidents relating to the SCOOT CAB app shall follow the Incident Response Plan document. The Incident Response Plan will be regularly reviewed and updated to adapt to emerging threats, technological changes, and organizational developments.

DISASTER RECOVERY PLAN


SCOOT CAB has established a Disaster Recovery Plan (DRP) that outlines strategies and procedures for the recovery of critical business functions and IT systems in the event of a disaster or major disruption. The DRP document includes, but is not limited to, the following key components:

  • Disaster scenarios
  • Roles and responsibilities
  • Data backup and storage
  • Procedures for restoration
  • Communication plan
  • Training and awareness
  • Review and maintenance

Backup and Restoration Procedure


SCOOT CAB has developed a Backup and Restoration Procedure document that outlines our procedures for backing up and restoring data. SCOOT CAB will back up and restore data in accordance with the Backup and Restoration Procedure document.

PRIVACY AND DATA PROTECTION


9.1 Privacy compliance

SCOOT CAB is committed to upholding the privacy and rights of its users. The collection, processing, and storage of personal information will comply with applicable privacy and data protection laws, especially the Personal Information Protection and Electronic Documents Act (PIPEDA), and where relevant, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and any other relevant local or international privacy laws.

  • Lawful processing: Personal information will be processed only for lawful and transparent purposes, and users will be informed about the purposes of collection.
  • Data minimization: SCOOT CAB will collect only the minimum amount of information necessary for the intended purpose.
  • User consent: Users will be provided with clear and accessible mechanisms to provide informed consent for the collection and processing of their information.

9.2 Consent mechanisms

SCOOT CAB will implement a robust mechanism for obtaining user consent for information collection and processing activities. This mechanism includes:

  • Opt-in: Users will be given the choice to opt-in to data processing activities, ensuring that consent is explicit and voluntary.
  • Granular consent: Users will have the option to provide granular consent for specific information processing activities, allowing them to control the extent of information shared.
  • Revocation of consent: Users will have the ability to revoke their consent at any time through easily accessible settings.

9.3 Data access and transparency

Users will have the right to access their personal information held by SCOOT CAB and to understand how it is being processed. Transparency measures include:

  • User access requests: Procedures for users to request access to their personal information on our servers.
  • Privacy policy: A clear and concise privacy policy will be provided to users, detailing the types of information collected, purposes of processing, and other relevant information.

9.4 Data security measures

To protect user privacy, SCOOT CAB will implement robust security measures, including:

  • Encryption: Utilizing encryption for data in transit and at rest to safeguard against unauthorized access.
  • Access controls: Implementing strict access controls to ensure that only authorized personnel have access to sensitive data.
  • Regular security assessments: Conducting regular security assessments, including penetration testing and vulnerability scanning, to identify and address potential security risks.

9.5 Data breach measures

In the event of a data breach, SCOOT CAB will follow a predefined data breach response plan. This includes:

  • Notifying affected users, regulatory authorities, and other relevant parties in accordance with legal requirements.
  • Implementing measures to mitigate the impact of the breach and prevent further unauthorized access.
  • Conducting a thorough review of the incident to identify lessons learned and areas for improvement.

9.6 Privacy by Design

Privacy considerations will be integrated into the development and design of the SCOOT CAB app. This includes conducting Data Protection Impact Assessments (DPIAs) for new projects or significant changes to existing processes to assess and mitigate privacy risks and providing privacy training to employees involved in the development and maintenance of the app.

Third-Party Security


10.1 Vendor assessment

SCOOT CAB recognizes the critical importance of third-party security in maintaining the integrity and confidentiality of user information. All third-party vendors involved in the processing of personal information or providing services to the SCOOT CAB app will undergo a thorough security assessment.

  • Security standards: Third-party vendors must adhere to industry-accepted security standards and practices.
  • Privacy compliance: Vendors must comply with applicable privacy laws in Canada, including PIPEDA.
  • Data Protection Agreement: Where necessary, formal agreements will be established with third-party vendors, outlining their security responsibilities and commitments.

10.2 Information sharing agreements

Clear and comprehensive information sharing agreements will be established with third-party entities with which personal information is exchanged. These agreements will include:

  • A clear definition of the purposes for which information is shared, ensuring it aligns with user consent and legal requirements.
  • Specified security measures and standards that third parties must adhere to when handling shared information.
  • Established guidelines for the retention and disposal of information by third parties in accordance with legal and privacy standards.

10.3 Geographic considerations

As SCOOT CAB operates exclusively in Canada, third-party vendors must comply with PIPEDA. Data storage, processing, and transmission must be conducted within Canada or in jurisdictions that are recognized as providing an equivalent level of privacy protection. We will use data centers in Canada.

10.4 Security audits

Regular security audits of third-party vendors will be conducted to assess their adherence to security and privacy standards. These audits will include security controls review, compliance checks, and incident response preparedness.

10.5 Incident response collaboration

In the event of a security incident involving a third party, SCOOT CAB will collaborate with the vendor to promptly identify, contain, and remediate the incident. Communication protocols will be established to coordinate incident response efforts and fulfill any legal reporting requirements.

10.6 Continuous monitoring

Continuous monitoring of third-party security practices will be maintained to ensure ongoing compliance and to swiftly address any changes in security postures. This includes staying informed about security updates, changes in ownership, and any other factors that may impact the security of shared information.

Employee Training and Awareness


SCOOT CAB recognizes the pivotal role that employees play in maintaining the overall security posture. An ongoing security awareness program will be established to ensure that all employees, contractors, and relevant stakeholders are well-informed about information security practices and potential risks. Regular training modules will cover topics such as data protection, password security, social engineering, and the importance of compliance with this Policy. Tailored training content will be provided based on the specific roles and responsibilities of individuals within the organization.

COMPLIANCE AND AUDITS


12.1 Regular audits

To ensure ongoing compliance with regulatory requirements and the effectiveness of security controls, SCOOT CAB will conduct regular audits. These audits will include security control reviews, compliance checks, and vulnerability assessments.

12.2 Regulatory compliance

Given the primary operation in Canada, SCOOT CAB is committed to adhering to all relevant Canadian regulations, including PIPEDA. This includes ensuring that information is stored and processed within Canada or in jurisdictions recognized as providing an equivalent level of privacy protection, clarifying the legal jurisdiction under which SCOOT CAB operates, and addressing any legal matters in accordance with Canadian laws.

12.3 Privacy Impact Assessments (PIA)

When implementing new projects or significant changes to existing processes that may impact privacy, SCOOT CAB will conduct Privacy Impact Assessments (PIA). PIAs will be used to identify risks, mitigate risks, and maintain records of PIAs for reference and regulatory compliance.

12.4 External audits and certifications

SCOOT CAB may undergo external audits and seek relevant certifications to demonstrate its commitment to information security and privacy. This may include pursuing ISO/IEC 27001 certification for information security management systems and seeking certification or recognition from privacy and data protection authorities in Canada.

12.5 Documentation and record keeping

All audit findings, compliance assessments, and relevant documentation will be maintained for record-keeping purposes. This includes records of security controls, audit reports, and evidence of compliance with regulatory requirements.

12.6 Regulatory updates

SCOOT CAB will stay abreast of changes in Canadian regulations, ensuring that this Policy remains aligned with evolving legal requirements. Regular reviews will be conducted to assess the impact of regulatory updates on security practices.

Policy Reviews and Updates


This Policy will undergo regular reviews to ensure its continued relevance and effectiveness. Reviews will be conducted on an annual basis or when triggered by a significant change or incident. Once updates to this Policy are approved, notifications and training will be provided to employees, contractors, and stakeholders.

Enforcement


14.1 Consequences

The enforcement of this Policy is vital to maintaining a secure environment for the SCOOT CAB app. Violations of this Policy may result in disciplinary actions commensurate with the severity of the violation and the potential impact on information security. Disciplinary actions may include verbal or written warnings for minor violations, suspension in cases of repeated or more serious violations, and termination of employment for severe violations.

14.2 Monitoring

To enforce this Policy, SCOOT CAB will implement monitoring mechanisms to detect and prevent policy violations. This includes network monitoring, user activity logs, and incident response.

14.3 Reporting violations

Employees, contractors, and stakeholders are encouraged to report any suspected violations of this Policy promptly. Reporting channels will be clearly communicated, and individuals who report violations in good faith will be protected from retaliation.

14.4 Investigation procedures

Upon receiving reports of violations, SCOOT CAB will conduct thorough investigations to determine the validity of the reports. Investigations may involve forensic analysis, interviews, and documentation review.

14.5 Legal actions

In cases where violations result in legal consequences, SCOOT CAB reserves the right to pursue legal actions against individuals or entities responsible for the violations. Legal actions may include civil litigation or reporting criminal activities to law enforcement authorities.

14.6 Policy accessibility

This Policy will be readily accessible to all individuals covered by it. Regular communication and training sessions will reinforce this Policy's importance and ensure that all personnel are aware of its content and implications.