Last Updated: November 18th, 2024
1. Built Secure. Built for Enterprise.
At RideCo, we prioritize security from the inside out by implementing stringent controls and procedures that safeguard the confidentiality, integrity, and availability of our infrastructure and customer data. We adhere to the highest security standards, aligning with NIST 800-53, and maintain robust policies to ensure that our people, processes, and technologies consistently meet compliance requirements.
2. SOC 2 Type II Certified
RideCo is SOC 2 Type II certified, which means an independent CPA-certified auditor has verified that we have established and consistently maintained the necessary controls to mitigate risks related to the security, availability, and confidentiality of our organization and customers' data. For an overview of our security measures, you can request a copy of our SOC 2 report by emailing us at security@rideco.com.
3. A Secure Organization
At RideCo, security is a shared responsibility across the organization. As part of our onboarding process, and annually thereafter, all employees are required to complete mandatory training on privacy, data protection, and security. We continuously monitor employee devices to ensure compliance with RideCo's security protocols, and every employee contract includes strict confidentiality clauses to safeguard sensitive information.
4. System Access and Authorization Controls
Access is strictly governed by the principle of least privilege, ensuring that employees are only granted the minimum level of access necessary to perform their tasks. Each client’s data is protected by a unique set of rotating credentials, which are granted exclusively to employees and systems involved in support and maintenance activities.
5. Secure Development Practices
RideCo's development team is trained in secure coding practices and the OWASP Top 10 most common vulnerabilities. All code changes are subjected to automated analysis and rigorous code reviews, ensuring that security flaws are identified and addressed before reaching production.
6. Security & Privacy Policies
RideCo has established a comprehensive set of corporate policies designed to maximize security for both our clients and our organization. These policies are regularly reviewed, at least annually, as part of our business continuity planning. Currently, RideCo has implemented the following security and privacy policies:
● Acceptable Use Policy
● Asset Management Policy
● Backup Policy
● Business Continuity Plan
● Change Management Policy
● Code of Conduct
● Cryptography Policy
● Data Classification Policy
● Data Deletion Policy
● Data Protection Policy
● Disaster Recovery Plan
● GDPR and GAPP policy
● Incident Response Plan
● Information Security Policy
● Password Policy
● Physical Security Policy
● Responsible Disclosure Policy
● Risk Assessment Program
● System Access Control Policy
● Vendor Management Policy
● Vulnerability Management Policy
These policies ensure that we are well-equipped to protect sensitive data, mitigate risks, and respond effectively to security incidents.
7. Protecting Your Data
RideCo’s software operates on a secure, enterprise-grade stack of operating systems, application servers, and database servers. The RideCo Cloud platform consists of multiple server pairs, providing a robust and scalable infrastructure. Each customer is provided with exclusive access to their own content management environment and dedicated database instance. We employ a layered approach to security, combining web, database, and application security practices that safeguard customers from external threats and ensure isolation between client environments.
8. Data Ownership
All data provided to RideCo remains the property of the original Data Owner. RideCo’s products and services, methodologies, configurations, updates, intellectual property, architecture, algorithms, code, code snippets, code development, and all other information not publicly available pertaining to, of, or from RideCo remains under the sole ownership of RideCo.
9. Application Data Access
Applications are developed using RideCo’s secure and tested application delivery framework, which enforces an authenticated secure session that allows for access restrictions at the field level on content objects. RideCo is functionally divided into three application instances: the Passenger, the Driver, and the Operations Center instance. People who wish to become a passenger and book their travel itinerary with RideCo have to register a Passenger user account. They make book rides (pickup, dropoff), and update their own personal information. Agency staff, partners, or contractors are assigned to the Driver application to service the requested rides - they are able to pick up and drop off passengers, as well as provide operational updates to Operations Center staff. Agency staff are onboarded into the Operations Center role as the administrative level provided to RideCo customers. These staff are permitted to update itineraries, make adjustments pertaining to vehicles and driver rosters, and address non-standard operational issues such as vehicle breakdown. Operations Center users enjoy a higher level of security through the enablement of SSO which allows Agencies to determine their own authentication best practices including but not limited to concepts such as strong, complex passwords, MFA, and conditional access. At all levels, these applications are secured according to RideCo’s security and Privacy standards based on NIST 800-53, GDPR, HIPAA, and audited annually to verify correct operation through a SOC2 Type II audit.
10. Data Encryption
All data exchanged between the RideCo Cloud tiers is encrypted both in transit and at rest using robust, industry-recognized algorithms. Data in transit is secured with TLS, while data at rest is protected using AES-256 encryption. RideCo employs Amazon’s server-side encryption, which utilizes AWS-owned or AWS-managed keys stored in AWS Key Management Service (KMS) or S3. AWS services can also be configured to use customer-managed encryption keys via KMS or customer-supplied encryption keys.
Amazon server-side encryption employs one of the strongest block ciphers available, AES-256, to safeguard RideCo’s data. For data in transit, the minimum acceptable standard is TLS v1.2. All RideCo public web properties, relevant infrastructure components, and applications utilizing SSL/TLS, IPsec, and SSH for encryption over open networks must possess certificates signed by a trusted provider.
Encryption keys generated, stored, and managed by RideCo are created and maintained securely to prevent loss, theft, or compromise, using a cryptographically secure random number generator (CSRNG) for key generation.
11. Backup and Support
RideCo has nightly backups in the event of an extreme disaster with widespread impact. RideCo has a 99.99%+ platform uptime standard, and our technical team offers 24/7 support for critical platform issues. Our system is configured to immediately notify our engineers of any issues such as downtime, and issues are often resolved before the end-user is affected or even aware of them. Additionally, our solution’s Recovery Time Objective (RTO) is typically 2 hours or less, but can be redefined during the contract. Recovery Point Objective (RPO) is 0-2 hours because of multiple availability zones and other replication databases. The RideCo infrastructure team, responsible for managing the RideCo Cloud platform, regularly tests the backup and restore procedures to ensure their effectiveness.
12. Business Continuity and Disaster Recovery
In addition to its robust backup and security protocols, RideCo has developed a comprehensive business continuity and disaster recovery plan. This plan outlines strategies to ensure the continuity of critical business operations in the event of unexpected disruptions, such as natural disasters, system failures, or cyber incidents.
The Business Continuity Plan includes detailed procedures for maintaining operations, communicating with stakeholders, and restoring services promptly. It also encompasses regular testing and updates to ensure its effectiveness and alignment with best practices.
For more information on our business continuity and disaster recovery strategies, please refer to the Business Continuity Plan document, which can be provided upon request.
13. Network Security
RideCo safeguards its cloud platform from inappropriate or malicious internet traffic through a multi-layered network defense strategy. This includes firewalls, network intrusion detection systems, and continuous 24/7/365 network surveillance, all supported by a robust incident response program.
The RideCo Cloud is fortified against network intrusions and attacks by a redundant pair of perimeter firewalls. Bi-directional rules meticulously control the flow of traffic to and from the RideCo Cloud platform, allowing only the packets explicitly necessary for delivering RideCo Cloud services. Only secure sessions that pass inspection by the perimeter firewall are permitted to access the RideCo Cloud platform.
14. Monitoring
RideCo employs both internal vulnerability monitoring and external vulnerability scanning to proactively identify emerging threats and validate the effectiveness of its security controls, ensuring a robust security posture. The company conducts continuous internal scanning and package monitoring, complemented by external assessments, to maintain comprehensive visibility across its environment.
Security-related events are routinely logged and monitored by RideCo’s firewalls and servers. Additionally, a monitoring daemon on each server tracks operational events, including host resource usage and environmental conditions. All alerts are forwarded to RideCo’s Network Operations Center (NOC), where priority 1 alerts are immediately escalated by paging NOC staff.
At the RideCo NOC, trained network and system administrators monitor incoming alerts 24/7/365, verifying each alert before initiating the appropriate response. This proactive approach ensures that potential issues are addressed swiftly and effectively.
15. Vulnerability Testing
The RideCo Cloud platform undergoes regular vulnerability assessments and penetration tests to ensure its security integrity. Additionally, RideCo’s clients periodically conduct their own load and penetration tests. Some clients, particularly those in government and cybersecurity, take extra measures by reviewing every line of code annually.
All identified security vulnerabilities are promptly addressed within the core software as needed. Clients, especially those with city contracts, often engage third-party firms to perform penetration tests on the RideCo Cloud platform. Any non-compliance issues found in either the core software or the cloud platform are prioritized for immediate resolution.
16. Responsible Disclosure
At RideCo, we recognize the crucial role independent security researchers play in enhancing the security of our products. We encourage the responsible reporting of any vulnerabilities discovered in our software. In our collaboration with security researchers, we advocate for responsible disclosure and ask that you allow us the opportunity to respond to and resolve security issues before any details are made public. For comprehensive information, please refer to our Responsible Disclosure page by contacting us at security@rideco.com.
17. Vulnerability Remediation / Patch Management
To mitigate vulnerabilities before they can be exploited, RideCo employs a proactive patch management strategy alongside periodic internal penetration tests. We continuously monitor security bulletins for new threats that may affect the RideCo Cloud. When new security patches become available, they are first evaluated for their relevance to the RideCo Cloud Platform. Relevant patches are then tested on QA and staging servers for a minimum of two days before being applied to production servers. Additionally, routine vulnerability scans are conducted semi-annually to further enhance our security posture.
18. Security Incident Management
RideCo has a dedicated and systematic process for addressing security issues, which are prioritized over other types of concerns. During incident investigations, if the Network Operations Center (NOC) staff determines that an attack is either underway or has occurred, they will take immediate actions to quarantine IP addresses and disconnect sessions as necessary to contain the incident and prevent further damage.
If needed to mitigate the attack or safeguard customer data, we may temporarily disable customer accounts or databases. The RideCo Service Manager assigned to each affected customer account will reach out to discuss the incident, the actions taken, and the impact on that customer’s operations.
19. Notification
RideCo assesses the severity of issues using the industry-standard Common Vulnerability Scoring System (CVSS), which is employed by all modern scanning and continuous monitoring systems. The CVSS enables the capture of a vulnerability’s characteristics and generates a numerical score that reflects its severity. This numerical score is then translated into qualitative categories (such as low, medium, high, and critical), helping organizations effectively evaluate and prioritize their vulnerability management efforts.
20. Security Contact
If you have questions or need additional information, contact security@rideco.com.
