
Security Policy

Introduction

This HaulBuddy Information Security Policy is a part of the Limited Use License Agreement and is incorporated by reference therein. It sets out additional commitments of Scheduling Genie Software.

Capitalized terms not otherwise defined here retain the same meaning set forth in the Limited Use License Agreement.

 

  1. Data Confidentiality. Haul Buddy LLC. (“HaulBuddy”) shall maintain administrative, physical and technical controls designed to protect the security, confidentiality and integrity of Client’s (“Client”) Customer Data.

  2. Access. HaulBuddy will not knowingly authorize its personnel to have access to any records or data of Client if the person has been convicted of a crime involving fraud or dishonesty. HaulBuddy shall, to the extent permitted by law, conduct a check of public records in all of the employee’s states/country of residence and employment to verify the above.

  3. Compliance. HaulBuddy agrees to provide evidence upon reasonable request of compliance of any system or component used to process, store, or transmit Customer Data that is operated by HaulBuddy as part of its service. Similarly, HaulBuddy will be prepared to provide available evidence of compliance of any third party it has sub-contracted as part of the service offering. HaulBuddy shall take reasonable steps to periodically review and maintain its policies, standards, and procedures. An internal committee with representation from various parts of the organization will oversee our information technology security policies, standards, and procedures.

  4. Network Security. HaulBuddy agrees to maintain commercially reasonable network security that, at a minimum, includes:

    ▪ Firewalls to protect the perimeter network;
    ▪ Intrusion detection/prevention tools;
    ▪ Periodic third party penetration testing;
    ▪ Network security that at minimum conforms to an industry recognized standard;
    ▪ Anti-spoofing filters enabled on routers;
    ▪ Network, application and server authentication passwords that meet minimum complexity guidelines and are regularly changed, adhering to acceptable industry standards;
    ▪ Initial user passwords changed during first logon, and a policy prohibiting the sharing of user IDs and passwords.

    Virtual Private Networks (“VPN”). When remote connectivity to the data exporter network is required for processing of Customer Data, HaulBuddy uses VPN servers for the remote access.

  5. Data Security. HaulBuddy agrees to conform to the following measures:

    1. Data Transmission. HaulBuddy agrees that any transmission or exchange of system application data with Client will occur through secure protocols, e.g. HTTPS, FTPS, SFTP, or equivalent means.

    2. Data Storage and Backup. Customer Data in production is not encrypted at rest. With respect to backup, HaulBuddy agrees to maintain (for the applicable contractual period) Client’s Customer Data for backup and recovery processes in encrypted form, using no less than a 128-bit key.

    3. Testing Data. HaulBuddy shall implement data protection and obfuscation during application testing or other processes outside of the production environment to sufficiently prevent identification of the actual individual or corporate customer to whom the original data refers, or shall prepare and execute a data protection plan.

    4. System Acquisition, Development and Maintenance

      1. Security Requirements. HaulBuddy has adopted security requirements for the purchase or development of information systems, including for application services delivered through public networks.

      2. Development Requirements. HaulBuddy has policies for secure development, system engineering and support. HaulBuddy conducts appropriate tests for system security as part of regression testing processes.

      3. Supplier Relationships and Policies. HaulBuddy has information security policies or procedures for its use of suppliers.

      4. Management. HaulBuddy performs periodic reviews of key suppliers and manages service delivery commitments through contracts with its suppliers.

      5. Data Breach. HaulBuddy agrees to comply with all applicable laws that require the notification of individuals in the event of unauthorized release of personally identifiable information or other event requiring notification.

      6. Safekeeping and Security. HaulBuddy will be responsible for safekeeping all keys, access codes and similar security codes and identifiers issued to HaulBuddy’s employees, agents, contractors, or subcontractors. HaulBuddy shall ensure that access codes and passwords conform to an industry recognized standard.

      7. Access Policy. An access control policy is established, documented, and reviewed based on business and information security requirements.

      8. Access Recordkeeping. HaulBuddy maintains a record of security privileges of its personnel that have access to personal data, networks and network services.

      9. Access Authorization. HaulBuddy has user account creation and deletion procedures, with appropriate approvals, for granting and revoking access to HaulBuddy’s and/or its clients’ systems and networks at regular intervals based on the principle of “least privilege” and need-to-know criteria based on job role. HaulBuddy maintains and updates a record of personnel authorized to access systems that contain personal data. HaulBuddy maintains strict policies against any shared “generic” user identification access. HaulBuddy maintains a password policy requiring accounts to be locked out after a defined maximum number of login attempts in accordance with the current password policy.

      10. Integrity and Confidentiality. HaulBuddy instructs its personnel to automatically lock screens and/or disable administrative sessions when leaving premises that are controlled by HaulBuddy or when computers are otherwise left unattended. In addition, HaulBuddy computers and trusted devices automatically lock after a defined period of inactivity. HaulBuddy stores passwords in a secured and restricted way that makes them unintelligible while they are in force.

        1. Authentication. HaulBuddy uses industry standard practices to identify and authenticate users who attempt to access information systems. Where authentication mechanisms are based on passwords, HaulBuddy requires that the passwords be renewed regularly, based on acceptable industry standards. Where authentication mechanisms are based on passwords, HaulBuddy requires the password to conform to very strong password control parameters including length, character complexity, and non-repeatability. HaulBuddy monitors repeated attempts to gain access to the information system using an invalid password. HaulBuddy maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.

        2. Operations Security. HaulBuddy will maintain policies describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data.

        3. Physical Access to Facilities.

          a. HaulBuddy limits access to facilities where systems that process personal data are located to authorized individuals.
          b. Access is controlled through key card and/or appropriate sign-in procedures for facilities with systems processing personal data. Personnel must be registered and are required to carry appropriate identification badges.
          c. A security alarm system or other appropriate security measures shall be in place to provide alerts of security intrusions after normal working hours.

        4. Monitoring and Auditing. HaulBuddy will regularly monitor and audit the effectiveness of its information security practices. Servers shall be scanned regularly to ensure they meet the current security standards.

        5. Disaster Recovery. To minimize potential losses and to permit resumption of processing, HaulBuddy shall maintain contingency plans consistent with the impact of any system failures on the business. These plans include a suitable backup and disaster recovery plan that is maintained, properly documented, periodically tested and appropriate for the system covered.
