Security

Published on September 19, 2023

Here at Zoomo, we recognise the importance of information security and consider it a top priority.

Whether it’s our information, or the information of our business partners or customers, we adhere to information security best practices in order to protect and fortify the information in our possession.

We aim to inspire trust in our partners and customers by being transparent regarding our security practices.

To find out more about our security practices, see the information page below.

Principles

1. Comply with legal and regulatory requirements

Zoomo is committed to complying with relevant international laws and regulations relating to information security.

2. Protect our assets

Zoomo works to ensure that we have appropriate controls in place to secure the information in our possession. This includes protecting any customer assets that have been entrusted with Zoomo, including any confidential customer data.

The appropriateness of the controls will vary depending on the sensitivity of the information we are handling and its value to our business and our customers.

3. Manage security risks

Understand the security risks to our information assets and business operations and take precautions to mitigate these risks.

4. Ensure appropriate access to information and resources

Access to Zoomo’s information assets and resources is only given to those parties who strictly require access. We limit access on a need-to-know basis.

5. Manage information security incidents

Zoomo aims to be on the front foot when it comes to responding to and managing security incidents. We do this by ensuring that we have the capability to detect security risks and respond quickly and efficiently if and when such incidents occur.

Our ultimate goal is to prevent any disruption to business activities and reduce the risk of harm to Zoomo’s customers and personnel.

6. Provide assurance to our stakeholders

Here at Zoomo, we constantly work to validate our current security measures to ensure they are functioning effectively and as expected. From our validation efforts, we report on the results to relevant internal and external stakeholders in order to maintain transparency.

7. Manage third-party risks

When engaging third parties, we vet these parties to ensure they can be trusted to protect Zoomo information assets under their care to reduce the risk of compromise of sensitive information.

Measures

Set out below are some of the measures that Zoomo takes to ensure the security of our information. These measures are implemented through various internal policies, standards, guidelines and procedures.

Some of the measures are based upon ISO 27001 Information Security Management System Standard and the Cybersecurity Framework published by the U.S. National Institute of Standards and Technology.

Security Awareness

Our employees and contractors are trained in information security as a part of the onboarding process, as well as receiving appropriate annual updates. Our employees are also equipped with information security policies and procedures at all times to assist them in taking correct security measures.

Zoomo’s information security awareness training and materials are constantly evolving due to the threat environment and being updated with learnings from incidents, security bulletins and phishing campaign results. We use a mixture of delivery methods, including web-based and self-paced delivery, to arm our employees and contractors with the necessary resources.

Human Resources Security

It is Zoomo's standard practice to carry out identity checks on our employees and contractors before an individual is given access to Zoomo systems and data.

Any third parties who are given access to Zoomo systems or data must also either submit to the Zoomo identity check process or provide evidence that identity checks have been carried out for that individual and produced no adverse findings.

We also require our employees and contractors to consent to obligations in respect of information security during the onboarding process. This obligation is ongoing, and employees and contractors are required to comply with information security policies and procedures as they evolve.

Upon termination of their relationship with us, all employees and contractors are made aware that their information security responsibilities and duties remain applicable during and after change of employment.

Asset Management

Zoomo has published internal guidelines and policies for the acceptable use of our employees’ and contractors’ digital devices.

The systems and platforms enabled on these devices are securely configured as per industry good practices. We also ensure adequate security controls to address risks within these devices.

We keep an accurate record of our employees’ and contractors’ devices so that we know the coverage of our security controls (e.g. anti-malware and patching). We also require a formal Standard Operating Environment configuration process to ensure all devices meet a minimum state of security (e.g. security updates, OS updates, endpoint security installation).

Our IT Acceptable Use and Bring Your Own Device policies mandate the use of the best security practices for all employees' and contractors' endpoint devices.

Identity and Access Management

To access Zoomo’s systems and information, users must pass our authentication processes, and certain authorisation levels and information types require multi-factor authentication.

To begin with, during the onboarding processes we require our users to be properly verified prior to access being granted. Unique user identifiers must be used, with the sharing of these credentials being prohibited.

We also require our users to accept our internal policies applicable to information technology and security before being granted access. Once this is complete, both administrative and user access privileges will only be granted when the user is proven to have an established business requirement and relevant approval.

We require all access to systems and applications to be appropriately authorised. Such authorisation can be revoked, where:

  • there have been consecutive unsuccessful login attempts;
  • users are offboarded; or
  • an access review is undertaken and Zoomo determines that the user no longer requires access.

Encryption and Key Management

Zoomo requires cryptographic controls to be adhered to at all times. We have a set of approved cryptographic algorithms and protocols which are permitted to be used.

Information in transit and at rest must be protected using the following cryptographic algorithms and strengths:

  • Advanced Encryption Standard (AES) 192 or 256 bits Encryption
  • SSL/TLS for Encryption in transit
  • Secure Hash Algorithm (SHA) SHA-256 and SHA-512 Hashing/Digital Signing
  • RSA HS256/RS256 Key Distribution and Digital Signatures
  • Triple Data Encryption Algorithm (3DES) Encryption

We restrict access keys to our systems to only those personnel who have obtained the necessary authorisation from IT. This access is monitored and reviewed on a quarterly basis. Access to high-value or critical keys is restricted in proportion to the level of protection those keys provide.

Physical Security

At our physical sites, access to restricted areas is limited to personnel who have an established need to meet business obligations or carry out their duties. Restrictions apply to the hours of access, and security and surveillance measures are in place to protect the premises.

We ensure that IT equipment is stored appropriately on site and locked when not in use. Hard copy documents are secured on site, and any sensitive documents are disposed of using appropriate methods.

Information Classification and Handling

We require our employees and contractors to appropriately classify the items they create and receive. Classifications are based upon internal standards, and classified information is reviewed annually to ensure the applied classification matches the sensitivity of the data it contains.

Depending on the classification, information is handled differently in accordance with internal handling processes.

Secure Deletion and Disposal

We have internal processes in place to ensure our data is deleted, and assets are disposed of, securely.

We utilise different deletion methods depending on the technology. For example, we may use specific solid state drive wiping tools or erase according to the manufacturer’s instructions for storage media.

When disposing of equipment, we erase all information and restore the devices to factory settings. We then remove any asset labelling or company-specific markings and dispose of the equipment in accordance with internal recycling/disposal policies.

We also mandate that any data held by a third party must be deleted within 21 days.

Malicious Code

Zoomo enforces strict internal compliance with the installation and enabling of approved anti-malware software on all Zoomo systems and end point devices.

We also employ content filtering mechanisms to detect malicious content from external sources, and implement application whitelisting across the organisation.

Backup and Archiving

We perform daily full and incremental backups in order to secure the information in our possession.

We check these processes regularly and document the checks in backup and archiving logs. The length of time these logs are retained depends on immediate business, legal and regulatory requirements. Access to these backups is restricted and only shared on a need-to-know basis.

Vulnerability and Patch Management

Zoomo maintains an asset inventory to provide oversight of all systems and applications within the Zoomo environment.

We also have established methods for analysing patches prior to deployment. We review patches on a case by case basis to identify any potential vulnerabilities and proceed accordingly.

Logging and Monitoring

Our security monitoring program includes active scanning of our assets, review of system logs, and response to security threats.

Network Security

We have general network security requirements that we adhere to in order to keep our information safe. This includes internal requirements for configuration, documentation, authentication and encryption.

At a minimum, we require that all Zoomo devices undergo formal configuration processes to ensure that they meet a minimum state of security. From there, all network infrastructure is built and documented using an industry accepted security baseline. We also regularly test the security of our devices.

Secure Software Development

Zoomo implements a variety of controls to ensure the ongoing security of software environments.

When developing software, security is a top priority and is considered throughout the development lifecycle. Secure coding practices are followed and access to source code is restricted and reviewed on a monthly basis. All Zoomo software is security tested prior to release.

Baseline Hardware Configuration Standard

All of Zoomo’s hardware infrastructure is built and documented based upon industry and vendor-specific best practice guidelines.

To ensure the ongoing security of our hardware, we apply baseline configuration requirements to benchmarks, workstations, mobile devices and servers, as well as to our firewalls and routers.

Third Party Risk Management

When we engage with third party suppliers, we execute legally binding agreements which set out the obligations of each party in respect of Zoomo’s minimum security requirements. We continue to monitor and manage our suppliers throughout the lifecycle of their relationship with Zoomo to minimise security risks.

What types of data does Zoomo collect?

Depending on who you are and your interaction with Zoomo, we may collect different types of data, including:

  • identity data such as your name, identification document details, age and date of birth;
  • contact information such as your email address and phone number;
  • technical data such as your IP address, login data, browser type and version, time zone setting and location. If you are a member with us, it also includes data on your rides, such as the locations that you have travelled to and from with our bike, any visual data captured on your rides, velocity of travel, mileage, accidents, vehicle repair data, etc.; and
  • transaction data relating to your use of our products and services.

For further information on the types of data we collect, visit our Privacy Policy.

Why does Zoomo collect my data?

Depending on our relationship with you, we may collect your data for different purposes.

Often, the main purpose of our data collection is to protect our legitimate interests, including to provide the best possible service to you.

For further information on the specific purposes for Zoomo’s data collection, visit our Privacy Policy.

Where does Zoomo store my data?

Depending on where you are located, we may store your data in your local jurisdiction.

Due to the international nature of our business, we may also store your data within other jurisdictions we operate in, including Australia, the United Kingdom, the European Union, Canada and the United States.

Does Zoomo share my data with others?

Your data may be accessed by employees of different entities within the Zoomo group that may be based outside of your country of residence. As we are an international organisation, this is necessary in order for us to provide our services to you.

We may also share your data with external third parties in certain circumstances. This may include sharing your data with our business partners, advisors or software providers in order to support our service offering, or to governmental and law enforcement agencies for legitimate legal purposes.

You can find out more about these third parties and the reason for us sharing your data by visiting our Privacy Policy.

How long does Zoomo store my data?

We will only store your data for as long as reasonably necessary to fulfil the purpose we collect it for. If we need the data to adequately respond to a complaint or legal action, we may retain your data for a longer period.

Our Privacy Policy outlines the factors we consider in determining what constitutes a reasonable amount of time to store your data.

Does Zoomo comply with international data protection laws?

Zoomo also aims to comply with international data protection laws including, amongst others, the EU General Data Protection Regulation, when collecting, storing and processing your data.

You can read more about our efforts in our Privacy Policy.

What are my rights under international privacy laws and how can I exercise these rights?

You have several rights in relation to your personal data, including but not limited to:

  • the right to access your data;
  • the right to rectify your data if it is inaccurate or incomplete;
  • the right to erase your data under certain circumstances; and
  • the right to request that processing of your data be limited.

To find out more about your rights, visit our Privacy Policy.

Any requests in relation to your data and your rights can be made via email to privacy@ridezoomo.com.

What safeguards does Zoomo employ regarding my data?

Zoomo is committed to ensuring the integrity and security of your data. Zoomo’s collection, storage and transfer of your data is at all times governed by the principles set out in our Terms and Privacy Policy.

In summary, we have put in place appropriate security measures to prevent your data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your data on a need-to-know basis and we ensure that all who are provided with access are at all times subject to a duty of confidentiality.

How can I contact Zoomo about my data privacy?

We have a dedicated team who are responsible for overseeing the management and security of your personal data, as well as answering any questions that you have about how we manage privacy.

If you would like to get in touch, please contact us via email at privacy@ridezoomo.com.

Where can I find the Zoomo Privacy Policy?

You can find the current version of the Zoomo Privacy Policy here: https://www.ridezoomo.com/policies/privacy.