Security Overview
This Veho Security Overview (“Security Overview”) is intended to provide transparency about how we protect your data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.
1. Definitions:
“Services” means, for the purposes of this Security Overview, collectively, the Veho Services, which includes the parcel delivery platform.
2. Purpose:
This Security Overview describes Veho’s security program, security certifications, and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services. As security threats change, Veho continues to update its security program and strategy to help protect Customer Data and the Services. As such, Veho reserves the right to update this Security Overview as needed. Any update will not materially reduce the overall protections set forth in this Security Overview. This Security Overview does not apply to any communications services provided by telecommunications providers.
3. Security Organization and Program:
Veho maintains a risk-based assessment security program. The framework for Veho’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Veho’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Veho’s business operations. Veho has a separate and dedicated Information Security team that manages Veho’s security program. This team also facilitates and supports independent audits and assessments performed by third parties. Veho’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with Veho’s Chief Technology Officer (CTO) meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Veho employees for their reference.
4. Confidentiality:
Veho has controls in place to maintain the confidentiality of Customer Data. All Veho employees and contract personnel are bound by Veho’s internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
5. People Security:
5.1 Employee Background Checks. Veho performs background checks on all new employees at the time of hire in accordance with applicable local laws.
5.2 Employee Training. At least once (1) per year, Veho employees must complete security training that covers security best practices. Veho’s dedicated security team also runs phishing awareness campaigns and communicates emerging threats to employees.
6. Third Party Vendor Management:
6.1 Vendor Assessment. Veho may use third party vendors to provide the Services. Veho carries out a security risk-based assessment of prospective vendors before working with them to validate they meet Veho’s security requirements. Veho periodically reviews each vendor in light of Veho’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal or regulatory requirements.
6.2 Vendor Agreements. Veho enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
7. Security Certifications and Attestations:
As of July 27th, 2023, Veho has been certified to the ISO/IEC 27001:2013 standard for the information security management system supporting our parcel delivery platform, including Veho’s Consumer and Driver mobile applications and package tracking website. This certification was issued by Schellman, an independent auditing firm accredited by ANAB and UKAS.
Veho’s ISO 27001 certification can be verified in Schellman’s directory: https://www.schellman.com/certificate-directory?certificateNumber=1195292-1
8. Hosting Architecture:
8.1 The Veho Services are hosted on Amazon Web Services (“AWS”) in the United States of America and protected by the security and environmental controls of Amazon. More information about AWS security is available at https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/shared-responsibility-model/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.
8.2 Services. For the Services, all network access between production hosts is restricted through the use of regularly reviewed access control lists. Veho has established technical controls to logically separate and maintain confidentiality of Customer Data in order to prevent other customers from having access to Customer Data.
9. Physical Security:
AWS data centers are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Veho headquarters, office spaces, and warehouses have a physical security program that manages visitors, building entrances and overall security.
10. Security by Design:
Veho follows security by design principles when it designs the Services. Veho also applies a Secure Software Development Lifecycle (Secure SDLC) standard to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews (i.e. internal security reviews by automated SAST tooling and manual review) before deploying new Services or code; and (b) threat models for new Services to detect potential security threats and vulnerabilities.
11. Access Controls:
11.1 Provisioning/Deprovisioning Access. To minimize the risk of data exposure, Veho follows the principle of least privilege through a team-based access-control model when provisioning system access. Veho personnel are authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires approval. Access rights to production environments that are not time-based are reviewed at least annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. Access to Veho’s production environment is strictly controlled and monitored.
12. Change Management:
Veho has a formal change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Services.
13. Encryption:
For the Veho Services, (a) the databases that store Customer Data are encrypted using the Advanced Encryption Standard and (b) Customer Data is encrypted when in transit between Customer’s software application and the Services using TLS.
14. Vulnerability Management:
Veho maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Veho uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Veho’s cloud infrastructure and corporate systems. Software patches are evaluated, tested, and applied on an ad hoc basis based on criticality.
15. Penetration Testing:
Veho engages independent third-party entities to conduct network and application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. Veho maintains a Vulnerability Disclosure Program, which allows independent security researchers to report security threats and vulnerabilities on an ongoing basis.
16. Security Incident Management:
Veho maintains security incident management policies and procedures in accordance with ISO 27035. Veho’s Incident Response Team assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions.
17. Discovery, Investigation, and Notification of a Security Incident:
Veho will promptly investigate a Security Incident upon discovery. To the extent permitted contractually and by applicable law, Veho will notify Customers of a Security Incident.
18. Service Continuity:
Veho leverages specialized tools available within the hosting infrastructure for the Services to monitor server performance, data, and traffic load capacity. If suboptimal server performance or overloaded capacity is detected on a server, these specialized tools increase the capacity or shift traffic to relieve the suboptimal server performance or capacity overload. Veho is also immediately notified in the event of any suboptimal server performance or overloaded capacity.
18.1 Resilience. The hosting infrastructure for the Veho Services (a) spans multiple fault-independent zones in geographic regions physically separated from one another and (b) is able to detect and route around issues experienced by hosts or even whole data centers in real time, and employs orchestration tooling that has the ability to regenerate hosts, building them from the latest backup.
19. Customer Data Backups:
Veho performs regular backups of Customer Data, which is hosted on AWS data center infrastructure. Backed-up Customer Data is retained redundantly in multiple locations and encrypted in transit and at rest using the Advanced Encryption Standard.