One Step GPS products are built from the ground up with security and privacy in mind. Given the large amounts of data our system stores and generates, we hold data security as a top priority, from securing our organization and your organization’s data at multiple layers to employing industry best practices. All aspects of One Step GPS’s service—from built-in security tools for administrators to ongoing monitoring, penetration testing, and risk mitigation—are designed by security and reliability experts with experience building secure software systems.
HIGHLIGHTS
SECURITY IN DEPTH
Hardened Cloud InfrastructureOne Step GPS’s cloud-hosted infrastructure is designed and managed in alignment with the best practices of multiple IT security standards. One Step GPS’s underlying infrastructure leverages Amazon AWS servers, which are ISO 27001 and SOC 2 Type II certified.
Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, web application firewalls (WAF), and configurations to enforce the flow of information to specific information system services.
WAF and traffic flow policies are established at every step of the way to enforce and control the flow of traffic.
One Step GPS is built on a secure cloud architecture. Customer data is strictly segregated with authentication checks for every application and data layer access point. The careful segregation ensures that data always requires authentication checks, and that data is provisioned for that customer.
Administrative access to One Step GPS’s infrastructure is highly restricted and verified by public key (RSA). Distributed Denial of Service (DDoS) attacks are mitigated with elastic load balancing and highly available DNS services.
When a storage device containing customer data has reached the end of its useful life, procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. All decommissioned magnetic storage devices are degaussed and physically destroyed with industry-standard best practices.
Physical Device ProtectionsOne Step GPS recognizes the importance of securing your data from the device to the dashboard. Our gateways are designed and tested to prevent unauthorized access and interference, including through the following safeguards:
Command Safe List
One Step GPS’s gateways allow only a pre-approved list of commands to be sent to the vehicle, blocking malicious or otherwise unwanted commands.
Hardware-Level Verification
One Step GPS devices won’t operate if someone remotely tries to run malicious code on them and are password protected whenever possible. Sim cards are IMEI-locked to prevent misuse.
Data Traffic Monitoring
One Step GPS monitors data around the clock for traffic anomalies. This helps detect and mitigate potential security threats, unusual behavior, or deviations from normal patterns in network and data usage.
Data that is captured, stored or processed by One Step GPS is encrypted by default when in transit over public networks or at rest in the One Step GPS cloud. Specifically:
Data in Transit
One Step GPS uses the latest recommended secure protocols to secure traffic in transit, including TLS 1.2+, AES256 encryption, and signatures.
Data at Rest
Data at rest in One Step GPS’s production network is encrypted using industry standard AES256 encryption, which applies to data at rest within One Step GPS’s systems—relational databases, file stores, backups, etc. All encryption keys are stored in an industry standard, secure system based on AWS’s Key Management Service. One Step GPS has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.
Viewing your connected fleet operations in the One Step GPS cloud via the dashboard, One Step GPS mobile apps, and API requires secure, TLS-encrypted connections for all application traffic.
SOC 2® Reporting
The System and Organization Controls (SOC 2) is an industry-recognized attestation report given to a company after an audit of the company’s internal practices. Our report describes the controls and processes One Step GPS has in place to secure customer data and to ensure availability of our system.
One Step GPS's SOC 2 Type 2 report includes a description of our software infrastructure and the processes we have in place to keep our customers’ data safe and available. Some of the processes covered in our report are employee on-boarding and termination processes; internal access controls to production environments; and disaster recovery, data backup, and incident response processes. One Step GPS’s SOC 2 Type II report was provided by Johanson Group, LLP, a licensed and independent certified public accountant firm.
If you’re a current or prospective One Step GPS customer and wish to view the report, you can request a copy from your account representative.
Penetration Testing
In addition to our compliance audits, One Step GPS engages independent entities to conduct application-level, infrastructure-level, and hardware-level penetration tests bi-annually. Results of these tests are shared with senior management and are triaged, prioritized, and remediated in a timely manner. Customers may receive executive summaries of these activities by requesting them from their account executive.
One Step GPS highly values and encourages a close relationship with security researchers. The work done by the security community improves the security of our product offerings and we encourage their participation in our responsible reporting process.
Redundant, Highly Available InfrastructureOne Step GPS’s service is a distributed system designed to spread computation and data across multiple physical servers. Every customer’s data is replicated across multiple servers and storage appliances, so that hardware failure will not compromise service availability or customer data. Networks are multi-homed across a number of providers to achieve Internet access diversity.
Datacenters are equipped with advanced fire detection and suppression equipment, including protection by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
One Step GPS is designed for rapid failover in the event of a hardware failure or natural disaster. And One Step GPS sensors and gateways are equipped with on-board storage to save data locally in the event of a cloud service interruption, and will automatically upload buffered data upon service resumption.
Security Tools for AdministratorsOne Step GPS provides administrative tools to protect your organization’s data, including user management with email verification, authentication audit logs, and two factor authentication. Moreover, One Step GPS enforces robust user authentication, with data access requiring authentication via One Step GPS’s centralized server (no default passwords or shared secrets).
Internally, One Step GPS authorizes access to Customer Data based on the principles of least privilege and segregation of duties. One Step GPS uses role-based access privileges to assign access to key systems. In order to access the production environment, an authorized One Step GPS user must have a unique username and password, multi-factor authentication, and be connected to One Step GPS's Virtual Private Network. Access is automatically deprovisioned for employees switching roles or leaving the company. One Step GPS uses a log monitoring system to track events for crucial systems in order to identify anomalous or unauthorized login, configuration, or security-group management events quickly.
Security and Disclosure PolicyOne Step GPS is dedicated to upholding the highest standards of security for our platform and openly working with the security community. Our vulnerability disclosure policy aims to provide a way for external researchers to report and remediate security issues. One Step GPS encourages security researchers to discover and report to One Step GPS any vulnerabilities they find in a responsible manner. One Step GPS expressly prohibits security researchers from performing actions that may negatively affect One Step GPS or its customers; accessing, destroying, corrupting (or attempting to access, destroy, or corrupt) data or information that does not belong to them; or social engineering any One Step GPS customer or employee.
Reporting Security IssuesIf you have a security concern. We ask that you not share or publicize an unresolved vulnerability with/to third parties. You can find out more on vulnerability disclosure policy.
Depending on the severity and impact of your submission, you may qualify for a reward.
Details here.