Built Secure. Built for Enterprise.
At , we prioritize security from the inside out by implementing stringent controls and procedures that safeguard the confidentiality, integrity, and availability of our infrastructure and customer data. We adhere to the highest security standards, aligning with NIST 800-53, and maintain robust policies to ensure that our people, processes, and technologies consistently meet compliance requirements.
SOC 2 Type II Certified
is SOC 2 Type II certified, which means an independent CPA-certified auditor has verified that we have established and consistently maintained the necessary controls to mitigate risks related to the security, availability, and confidentiality of our organization and customers' data. For an overview of our security measures, you can request a copy of our SOC 2 report by emailing us at security@rideco.com.
A Secure Organization
At , security is a shared responsibility across the organization. As part of our onboarding process, and annually thereafter, all employees are required to complete mandatory training on privacy, data protection, and security. We continuously monitor employee devices to ensure compliance with 's security protocols, and every employee contract includes strict confidentiality clauses to safeguard sensitive information.
System Access and Authorization Controls
Access is strictly governed by the principle of least privilege, ensuring that employees are only granted the minimum level of access necessary to perform their tasks. Each client’s data is protected by a unique set of rotating credentials, which are granted exclusively to employees and systems involved in support and maintenance activities.
Secure Development Practices
's development team is trained in secure coding practices and the OWASP Top 10 most common vulnerabilities. All code changes are subjected to automated analysis and rigorous code reviews, ensuring that security flaws are identified and addressed before reaching production.
Security & Privacy Policies
has established a comprehensive set of corporate policies designed to maximize security for both our clients and our organization. These policies are regularly reviewed, at least annually, as part of our business continuity planning. Currently, has implemented the following security and privacy policies:
● Acceptable Use Policy
● Asset Management Policy
● Backup Policy
● Business Continuity Plan
● Change Management Policy
● Code of Conduct
● Cryptography Policy
● Data Classification Policy
● Data Deletion Policy
● Data Protection Policy
● Disaster Recovery Plan
● GDPR and GAPP Policy
● Incident Response Plan
● Information Security Policy
● Password Policy
● Physical Security Policy
● Responsible Disclosure Policy
● Risk Assessment Program
● System Access Control Policy
● Vendor Management Policy
● Vulnerability Management Policy
These policies ensure that we are well-equipped to protect sensitive data, mitigate risks, and respond effectively to security incidents.
Protecting Your Data
’s software operates on a secure, enterprise-grade stack of operating systems, application servers, and database servers. The Cloud platform consists of multiple server pairs, providing a robust and scalable infrastructure. Each customer is provided with exclusive access to their own content management environment and dedicated database instance. We employ a layered approach to security, combining web, database, and application security practices that safeguard customers from external threats and ensure isolation between client environments.
Data Ownership
All data provided to remains the property of the original Data Owner. ’s products and services, methodologies, configurations, updates, intellectual property, architecture, algorithms, code, code snippets, code development, and all other information not publicly available pertaining to, of, or from remains under the sole ownership of .
Application Data Access
Applications are developed using ’s secure and tested application delivery framework, which enforces an authenticated secure session that allows for access restrictions at the field level on content objects. is functionally divided into three application instances: the Passenger, the Driver, and the Operations Center instance. People who wish to become a passenger and book their travel itinerary with have to register a Passenger user account. They may book rides (pickup, dropoff) and update their own personal information. Agency staff, partners, or contractors are assigned to the Driver application to service the requested rides: they are able to pick up and drop off passengers, as well as provide operational updates to Operations Center staff. Agency staff are onboarded into the Operations Center role, the administrative level provided to customers. These staff are permitted to update itineraries, make adjustments pertaining to vehicles and driver rosters, and address non-standard operational issues such as vehicle breakdown. Operations Center users enjoy a higher level of security through the enablement of SSO, which allows Agencies to determine their own authentication best practices, including but not limited to strong, complex passwords, MFA, and conditional access. At all levels, these applications are secured according to ’s security and privacy standards based on NIST 800-53, GDPR, and HIPAA, and audited annually to verify correct operation through a SOC 2 Type II audit.
Data Encryption
All data exchanged between the Cloud tiers is encrypted both in transit and at rest using robust, industry-recognized algorithms. Data in transit is secured with TLS, while data at rest is protected using AES-256 encryption. employs Amazon’s server-side encryption, which utilizes AWS-owned or AWS-managed keys stored in AWS Key Management Service (KMS) or S3. AWS services can also be configured to use customer-managed encryption keys via KMS or customer-supplied encryption keys.
Amazon server-side encryption employs one of the strongest block ciphers available, AES-256, to safeguard ’s data. For data in transit, the minimum acceptable standard is TLS v1.2. All public web properties, relevant infrastructure components, and applications utilizing SSL/TLS, IPsec, and SSH for encryption over open networks must possess certificates signed by a trusted provider.
Encryption keys generated, stored, and managed by are created and maintained securely to prevent loss, theft, or compromise, using a cryptographically secure random number generator (CSRNG) for key generation.
Backup and Support
has nightly backups in the event of an extreme disaster with widespread impact. has a 99.99%+ platform uptime standard, and our technical team offers 24/7 support for critical platform issues. Our system is configured to immediately notify our engineers of any issues such as downtime, and issues are often resolved before the end user is affected or even aware of them. Additionally, our solution’s Recovery Time Objective (RTO) is typically 2 hours or less, but can be redefined during the contract. The Recovery Point Objective (RPO) is 0-2 hours because of multiple availability zones and database replication. The infrastructure team, responsible for managing the Cloud platform, regularly tests the backup and restore procedures to ensure their effectiveness.
Business Continuity and Disaster Recovery
In addition to its robust backup and security protocols, has developed a comprehensive business continuity and disaster recovery plan. This plan outlines strategies to ensure the continuity of critical business operations in the event of unexpected disruptions, such as natural disasters, system failures, or cyber incidents.
The Business Continuity Plan includes detailed procedures for maintaining operations, communicating with stakeholders, and restoring services promptly. It also encompasses regular testing and updates to ensure its effectiveness and alignment with best practices.
For more information on our business continuity and disaster recovery strategies, please refer to the Business Continuity Plan document, which can be provided upon request.
Network Security
safeguards its cloud platform from inappropriate or malicious internet traffic through a multi-layered network defense strategy. This includes firewalls, network intrusion detection systems, and continuous 24/7/365 network surveillance, all supported by a robust incident response program.
The Cloud is fortified against network intrusions and attacks by a redundant pair of perimeter firewalls. Bi-directional rules meticulously control the flow of traffic to and from the Cloud platform, allowing only the packets explicitly necessary for delivering Cloud services. Only secure sessions that pass inspection by the perimeter firewall are permitted to access the Cloud platform.
Monitoring
employs both internal vulnerability monitoring and external vulnerability scanning to proactively identify emerging threats and validate the effectiveness of its security controls, ensuring a robust security posture. The company conducts continuous internal scanning and package monitoring, complemented by external assessments, to maintain comprehensive visibility across its environment.
Security-related events are routinely logged and monitored by ’s firewalls and servers. Additionally, a monitoring daemon on each server tracks operational events, including host resource usage and environmental conditions. All alerts are forwarded to ’s Network Operations Center (NOC), where priority 1 alerts are immediately escalated by paging NOC staff.
At the NOC, trained network and system administrators monitor incoming alerts 24/7/365, verifying each alert before initiating the appropriate response. This proactive approach ensures that potential issues are addressed swiftly and effectively.
Vulnerability Testing
The Cloud platform undergoes regular vulnerability assessments and penetration tests to ensure its security integrity. Additionally, ’s clients periodically conduct their own load and penetration tests. Some clients, particularly those in government and cybersecurity, take extra measures by reviewing every line of code annually.
All identified security vulnerabilities are promptly addressed within the core software as needed. Clients, especially those with city contracts, often engage third-party firms to perform penetration tests on the Cloud platform. Any non-compliance issues found in either the core software or the cloud platform are prioritized for immediate resolution.
Responsible Disclosure
At , we recognize the crucial role independent security researchers play in enhancing the security of our products. We encourage the responsible reporting of any vulnerabilities discovered in our software. In our collaboration with security researchers, we advocate for responsible disclosure and ask that you allow us the opportunity to respond to and resolve security issues before any details are made public. For comprehensive information, please refer to our Responsible Disclosure page by contacting us at
Vulnerability Remediation / Patch Management
To mitigate vulnerabilities before they can be exploited, employs a proactive patch management strategy alongside periodic internal penetration tests. We continuously monitor security bulletins for new threats that may affect the Cloud. When new security patches become available, they are first evaluated for their relevance to the Cloud Platform. Relevant patches are then tested on QA and staging servers for a minimum of two days before being applied to production servers. Additionally, routine vulnerability scans are conducted semi-annually to further enhance our security posture.
Security Incident Management
has a dedicated and systematic process for addressing security issues, which are prioritized over other types of concerns. During incident investigations, if the Network Operations Center (NOC) staff determines that an attack is either underway or has occurred, they will take immediate actions to quarantine IP addresses and disconnect sessions as necessary to contain the incident and prevent further damage.
If needed to mitigate the attack or safeguard customer data, we may temporarily disable customer accounts or databases. The Service Manager assigned to each affected customer account will reach out to discuss the incident, the actions taken, and the impact on that customer’s operations.
Notification
assesses the severity of issues using the industry-standard Common Vulnerability Scoring System (CVSS), which is employed by all modern scanning and continuous monitoring systems. The CVSS enables the capture of a vulnerability’s characteristics and generates a numerical score that reflects its severity. This numerical score is then translated into qualitative categories (such as low, medium, high, and critical), helping organizations effectively evaluate and prioritize their vulnerability management efforts.
Security Contact
If you have questions or need additional information, contact .