BoldTrack’s mission is to provide visibility and tools to increase fleet efficiency while improving driver safety and employee wellbeing.

BoldTrack products are built from the ground up with security and privacy in mind. Given the large amounts of data our system stores and generates, we hold data security as a top priority, from securing our organization and your organization’s data at multiple layers to employing industry best practices. All aspects of BoldTrack’s service—from built-in security tools for administrators to ongoing monitoring, penetration testing, and risk mitigation—are designed by security and reliability experts with experience building secure software systems.

HIGHLIGHTS

• TLS 1.2+ protocols
• AES-256 encryption
• Extensive 3rd party audits
• Redundant Cloud Service
• SOC 2 Type II Certified

SECURITY IN DEPTH

BoldTrack’s cloud-hosted infrastructure is designed and managed in alignment with the best practices of multiple IT security standards. BoldTrack’s underlying infrastructure leverages Amazon AWS servers, which are ISO 27001 and SOC 2 Type II certified.

Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, web application firewalls (WAF), and configurations to enforce the flow of information to specific information system services.

WAF and traffic flow policies are established at every step of the way to enforce and control the flow of traffic.

BoldTrack is built on a secure cloud architecture. Customer data is strictly segregated with authentication checks for every application and data layer access point. The careful segregation ensures that data always requires authentication checks, and that data is provisioned for that customer.

Administrative access to BoldTrack’s infrastructure is highly restricted and verified by public key (RSA). Distributed Denial of Service (DDoS) attacks are mitigated with elastic load balancing and highly available DNS services.

When a storage device containing customer data has reached the end of its useful life, procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. All decommissioned magnetic storage devices are degaussed and physically destroyed with industry-standard best practices.

BoldTrack recognizes the importance of securing your data from the device to the dashboard. Our gateways are designed and tested to prevent unauthorized access and interference, including through the following safeguards:

Command Safe List
BoldTrack’s gateways allow only a pre-approved list of commands to be sent to the vehicle, blocking malicious or otherwise unwanted commands.

Hardware-Level Verification
BoldTrack devices won’t operate if someone remotely tries to run malicious code on them and are password protected whenever possible. Sim cards are IMEI-locked to prevent misuse.

Data Traffic Monitoring
BoldTrack monitors data around the clock for traffic anomalies. This helps detect and mitigate potential security threats, unusual behavior, or deviations from normal patterns in network and data usage.

Data that is captured, stored or processed by BoldTrack is encrypted by default when in transit over public networks or at rest in the BoldTrack cloud. Specifically:

Data in Transit
BoldTrack uses the latest recommended secure protocols to secure traffic in transit, including TLS 1.2+, AES256 encryption, and signatures.

Data at Rest
Data at rest in BoldTrack’s production network is encrypted using industry standard AES256 encryption, which applies to data at rest within BoldTrack’s systems—relational databases, file stores, backups, etc. All encryption keys are stored in an industry standard, secure system based on AWS’s Key Management Service. BoldTrack has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Viewing your connected fleet operations in the BoldTrack cloud via the dashboard, BoldTrack mobile apps, and API requires secure, TLS-encrypted connections for all application traffic.

SOC 2® Reporting
The System and Organization Controls (SOC 2) is an industry-recognized attestation report given to a company after an audit of the company’s internal practices. Our report describes the controls and processes BoldTrack has in place to secure customer data and to ensure availability of our system.

BoldTrack's SOC 2 Type 2 report includes a description of our software infrastructure and the processes we have in place to keep our customers’ data safe and available. Some of the processes covered in our report are employee on-boarding and termination processes; internal access controls to production environments; and disaster recovery, data backup, and incident response processes. BoldTrack’s SOC 2 Type II report was provided by Johanson Group, LLP, a licensed and independent certified public accountant firm.

If you’re a current or prospective BoldTrack customer and wish to view the report, you can request a copy from your account representative.

Penetration Testing
In addition to our compliance audits, BoldTrack engages independent entities to conduct application-level, infrastructure-level, and hardware-level penetration tests bi-annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner. Customers may receive executive summaries of these activities by requesting them from their account executive.

BoldTrack highly values and encourages a close relationship with security researchers. The work done by the security community improves the security of our product offerings and we encourage their participation in our responsible reporting process.

BoldTrack’s service is a distributed system designed to spread computation and data across multiple physical servers. Every customer’s data is replicated across multiple servers and storage appliances, so that hardware failure will not compromise service availability or customer data. Networks are multi-homed across a number of providers to achieve Internet access diversity.

Datacenters are equipped with advanced fire detection and suppression equipment, including protection by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

BoldTrack is designed for rapid failover in the event of a hardware failure or natural disaster. And BoldTrack sensors and gateways are equipped with on-board storage to save data locally in the event of a cloud service interruption, and will automatically upload buffered data upon service resumption.

BoldTrack provides administrative tools to protect your organization’s data, including user management with email verification, authentication audit logs, and two factor authentication. Moreover, BoldTrack enforces robust user authentication, with data access requiring authentication via BoldTrack’s centralized server (no default passwords or shared secrets).

Internally, BoldTrack authorizes access to Customer Data based on the principles of least privilege and segregation of duties. BoldTrack uses role-based access privileges to assign access to key systems. In order to access the production environment, an authorized BoldTrack user must have a unique username and password, multi-factor authentication, and be connected to BoldTrack's Virtual Private Network. Access is automatically deprovisioned for employees switching roles or leaving the company. BoldTrack uses a log monitoring system to track events for crucial systems in order to identify anomalous or unauthorized login, configuration, or security-group management events quickly.

BoldTrack is dedicated to upholding the highest standards of security for our platform and openly working with the security community. Our vulnerability disclosure policy aims to provide a way for external researchers to report and remediate security issues. BoldTrack encourages security researchers to discover and report to BoldTrack any vulnerabilities they find in a responsible manner. BoldTrack expressly prohibits security researchers from performing actions that may negatively affect BoldTrack or its customers; accessing, destroying, corrupting (or attempting to access, destroy, or corrupt) data or information that does not belong to them; or social engineering any BoldTrack customer or employee.

If you have a security concern. We ask that you not share or publicize an unresolved vulnerability with/to third parties. You can find out more on vulnerability disclosure policy.

Depending on the severity and impact of your submission, you may qualify for a reward.