Published on September 19, 2023
Here at Zoomo, we recognise the importance of information security and consider it a top priority.
Whether it’s our information, or the information of our business partners or customers, we adhere to information security best practices in order to protect and fortify the information in our possession.
We aim to inspire trust in our partners and customers by being transparent regarding our security practices.
To find out more about our security practices, see the information page below.
Zoomo is committed to complying with relevant international laws and regulations relating to information security.
Zoomo works to ensure that we have appropriate controls in place to secure the information in our possession. This includes protecting any customer assets that have been entrusted to Zoomo, including any confidential customer data.
The appropriateness of the controls will vary depending on the sensitivity of the information we are handling and its value to our business and our customers.
Understand the security risks to our information assets and business operations and take precautions to mitigate these risks.
Access to Zoomo’s information assets and resources is only given to those parties who strictly require access. We limit access on a need-to-know basis.
Zoomo aims to be on the front foot when it comes to responding to and managing security incidents. We do this by ensuring that we have the capability to detect security risks and respond quickly and efficiently if and when such incidents occur.
Our ultimate goal is to prevent any disruption to business activities and reduce the risk of harm to Zoomo’s customers and personnel.
Here at Zoomo, we constantly work to validate our current security measures to ensure they are functioning effectively and as expected. From our validation efforts, we report on the results to relevant internal and external stakeholders in order to maintain transparency.
When engaging third parties, we vet these parties to ensure they can be trusted to protect Zoomo information assets under their care to reduce the risk of compromise of sensitive information.
Set out below are some of the measures that Zoomo takes to ensure the security of our information. These measures are implemented through various internal policies, standards, guidelines and procedures.
Some of the measures are based upon the ISO 27001 Information Security Management System Standard and the Cybersecurity Framework published by the U.S. National Institute of Standards and Technology.
Our employees and contractors are trained in information security as a part of the onboarding process, as well as receiving appropriate annual updates. Our employees are also equipped with information security policies and procedures at all times to assist them in taking correct security measures.
Zoomo’s information security awareness training and materials constantly evolve with the threat environment and are updated with learnings from incidents, security bulletins and phishing campaign results. We use a mixture of delivery methods, including web-based and self-paced delivery, to arm our employees and contractors with the necessary resources.
It is Zoomo standard practice to carry out identity checks on our employees and contractors prior to an individual being provided access to Zoomo systems and data.
Any third parties which are given access to Zoomo systems or data must also either submit to the Zoomo identity check process or provide evidence that identity checks have been carried out for that individual and produced no adverse findings.
We also require our employees and contractors to consent to obligations in respect of information security during the onboarding process. This obligation is ongoing, and employees and contractors are required to comply with information security policies and procedures as they evolve.
Upon termination of their relationship with us, all employees and contractors are made aware that their information security responsibilities and duties remain applicable during and after change of employment.
Zoomo has published internal guidelines and policies for the acceptable use of our employees’ and contractors’ digital devices.
The systems and platforms enabled on these devices are securely configured as per industry good practices. We also ensure adequate security controls to address risks within these devices.
We keep an accurate record of our employees’ and contractors’ devices to keep track of the coverage of our security controls (e.g. anti-malware and patching). We also require a formal Standard Operating Environment configuration process to ensure all devices meet a minimum state of security (e.g. security updates, OS updates, endpoint security installation).
Our IT Acceptable Use and Bring Your Own Device policies mandate the use of the best security practices for all employees' and contractors' endpoint devices.
To access Zoomo’s systems and information, we have implemented authentication processes, with particular types of authorisation and information types mandating the use of multi-factor authentication.
To begin with, during the onboarding processes we require our users to be properly verified prior to access being granted. Unique user identifiers must be used, with the sharing of these credentials being prohibited.
We also require our users to accept our internal policies applicable to information technology and security before being granted access. Once this is complete, both administrative and user access privileges will only be granted when the user is proven to have an established business requirement and relevant approval.
We require all access to systems and applications to be appropriately authorised. Such authorisation can be revoked, where:
Zoomo requires cryptographic controls to be adhered to at all times. We have a set of approved cryptographic algorithms and protocols which are permitted to be used.
Information in transit and at rest shall follow the following cryptography and algorithm strengths:
We restrict access keys to our systems to only those personnel who have obtained necessary authorisation from IT. This access is monitored and reviewed on a quarterly basis. Access to high value/critical keys is strictly limited to the same extent as the security level that those keys provide.
In terms of our physical sites, we enforce limited access for restricted areas to personnel that have an established access requirement to meet business obligations or carry out their duties. Restrictions apply to the hours of access, and security and surveillance measures are in place to protect the premises.
We ensure that IT equipment is stored appropriately on site and locked when not in use. Hard copy documents are secured on site, and any sensitive documents are disposed of using appropriate methods.
We require our employees and contractors to appropriately classify the items they create and receive. Any such classifications are based upon internal standards, and classified information is reviewed annually to ensure the applied classification matches the data it contains.
Depending on the classification, information is handled differently in accordance with internal handling processes.
We have internal processes in place to ensure our data is deleted, and assets are disposed of, securely.
We utilise different deletion methods depending on the technology. For example, we may use specific solid state drive wiping tools or erase according to the manufacturer’s instructions for storage media.
When disposing of equipment, we ensure that all information is erased and the devices are restored to factory settings. We then remove any asset labelling or company-specific markings and dispose of the equipment in accordance with internal recycling/disposal policies.
We also mandate that any data held by a third party must be deleted within 21 days.
Zoomo enforces strict internal compliance with the installation and enabling of approved anti-malware software on all Zoomo systems and endpoint devices.
We also employ content filtering mechanisms to detect malicious content from external sources, and implement application whitelisting across the organisation.
We implement general full and incremental daily backups in order to secure the information in our possession.
We check these processes regularly and document these checks in backup and archiving logs. The length of time these logs are stored depends on immediate business, legal and regulatory requirements. Access to these backups is restricted and only shared on a need-to-know basis.
Zoomo maintains an asset inventory to provide oversight of all systems and applications within the Zoomo environment.
We also have established methods for analysing patches prior to deployment. We review patches on a case-by-case basis to identify any potential vulnerabilities and proceed accordingly.
Our security monitoring program includes active scanning of our assets and system logs, and responding to security threats.
We have general network security requirements that we adhere to in order to keep our information safe. This includes internal requirements for configuration, documentation, authentication and encryption.
At a minimum, we require that all Zoomo devices undergo formal configuration processes to ensure that they meet a minimum state of security. From there, all network infrastructure is built and documented using an industry accepted security baseline. We also regularly test the security of our devices.
Zoomo implements a variety of controls to ensure the ongoing security of software environments.
When developing software, security is a top priority and is considered throughout the development lifecycle. Secure coding practices are followed and access to source code is restricted and reviewed on a monthly basis. All Zoomo software is security tested prior to release.
All of Zoomo’s hardware infrastructure is built and documented based upon industry and vendor-specific best practice guidelines.
To ensure the ongoing security of our hardware, we apply baseline configuration requirements to benchmarks, workstations, mobile devices and servers, as well as to our firewalls and routers.
When we engage with third party suppliers, we execute legally binding agreements which set out the obligations of each party in respect of Zoomo’s minimum security requirements. We continue to monitor and manage our suppliers throughout the lifecycle of their relationship with Zoomo to minimise security risks.
Depending on who you are and your interaction with Zoomo, we may collect different types of data, including:
For further information on the types of data we collect, visit our Privacy Policy.
Depending on our relationship with you, we may collect your data for different purposes.
Often, the main purpose of our data collection is to protect our legitimate interests, including to provide the best possible service to you.
For further information on the specific purposes for Zoomo’s data collection, visit our Privacy Policy.
Depending on where you are located, we may store your data in your local jurisdiction.
Due to the international nature of our business, we may also store your data within other jurisdictions we operate in, including Australia, the United Kingdom, the European Union, Canada and the United States.
Your data may be accessed by employees of different entities within the Zoomo group that may be based outside of your country of residence. As we are an international organisation, this is necessary in order for us to provide our services to you.
We may also share your data with external third parties in certain circumstances. This may include sharing your data with our business partners, advisors or software providers in order to support our service offering, or to governmental and law enforcement agencies for legitimate legal purposes.
You can find out more about these third parties and the reason for us sharing your data by visiting our Privacy Policy.
We will only store your data for as long as reasonably necessary to fulfil the purpose we collect it for. If we need the data to adequately respond to a complaint or legal action, we may retain your data for a longer period.
Our Privacy Policy outlines the factors we consider in determining what constitutes a reasonable amount of time to store your data.
Zoomo also aims to comply with international data protection laws including, amongst others, the EU General Data Protection Regulation, when collecting, storing and processing your data.
You can read more about our efforts in our Privacy Policy.
You have several rights in relation to your personal data, including but not limited to:
To find out more about your rights, visit our Privacy Policy.
Any requests in relation to your data and your rights can be made via email to [email protected].
Zoomo is committed to ensuring the integrity and security of your data. Zoomo’s collection, storage and transfer of your data is at all times governed by the principles set out in our Terms and Privacy Policy.
In summary, we have put in place appropriate security measures to prevent your data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your data on a need-to-know basis and we ensure that all who are provided with access are at all times subject to a duty of confidentiality.
We have a dedicated team who are responsible for overseeing the management and security of your personal data, as well as answering any questions that you have about how we manage privacy.
If you would like to get in touch, please contact us via email at [email protected].
You can find the current version of the Zoomo Privacy Policy here: https://www.ridezoomo.com/policies/privacy.