Our data security promise

You’re entrusting Truck-Right Data Management Inc. (“TruckRight”) with your employees’ private data, and we take that responsibility very seriously. Data security is paramount not only to our software itself but to our core values as a company. It permeates everything we do. Below are the extensive policies and staff training we have in place to ensure the highest standard of security for our people, infrastructure and client data.

Part 1 – Purpose of this Document

This policy is mandatory for all TruckRight employees. It is how we define the process, governance and behavioural controls that protect the security and integrity of our clients’ confidential information. All TruckRight employees must be familiar with both the policy (or “Policy”) and its procedures.

This Policy defines security requirements for:

  • All TruckRight employees, contractors, and any other third parties engaged by TruckRight (“employees”).
  • Circumstances in which TruckRight has a legal, contractual or fiduciary duty to protect any data or resources in its custody.
  • Any and all hardware and software systems, both onsite and offsite, which are used to create, maintain, access, store or transmit information on behalf of TruckRight and its Clients. These include systems owned by TruckRight, systems connected to any network controlled by TruckRight, and any third-party system used in service of TruckRight’s business.

About TruckRight

TruckRight is a Software as a Service (SaaS) platform, offering an Applicant Tracking System (ATS) and automated safety and compliance management tools, including online employee and driver qualification files, and a Learning Management System (LMS) to facilitate e-learning. TruckRight captures any data required for the completion of a driver job application, including but not limited to signed documents and identification information, such as a driver’s license. It is compliant with all applicable regulations.

Executive Oversight

This Policy was created and approved by TruckRight executives. It is reviewed and updated in order to ensure clarity, sufficiency of scope, concern for Client and employee interests, responsiveness to the evolving security landscape, and industry best practices.

Our Security Team

The TruckRight security team bears full responsibility for the enforcement of this Policy, including:

  • All operational duties related to privacy, access and confidentiality
  • Maintenance, provisioning, procurement, reclamation and retirement of company assets
  • Continuous risk management, vulnerability assessment and incident response
  • Security-related employee training and human resources management.

Risk Management

We maintain a Risk Management Framework based on NIST SP 800-39, “Managing Information Security Risk: Organization, Mission, and System View,” and NIST SP 800-30, “Guide for Conducting Risk Assessments.” Risk assessment exercises are used to define priorities for improvements to TruckRight’s security.

The following makes up our Risk Management Framework:

  • Policy for determining current risks and their potential severity
  • Rapid identification of relevant potential threats
  • Systems for testing the effectiveness of current TruckRight controls
  • Action plan for risk response management

Additions and Changes

This document defines the minimum specifications and security criteria that have been implemented by TruckRight to safeguard its customer information. These Standards are subject to additions and changes without warning by Truck-Right Data Management Inc. These Standards do not supersede any legislative or regulatory requirements that may be in force.

Part 2 – Standards for Employees, Offices and Systems

TruckRight is committed to preventing illegal actions from harming its Clients, employees, partners and the company itself. To that end, we have defined security-related employee behaviours in this section. We have also defined the acceptable use of computer systems at TruckRight. Below are the rules we have enacted to prevent inappropriate employee behaviours that could pose security risks. These risks include cyberattacks which could compromise TruckRight’s systems, and security-related legal issues.

Security Standards for Employees

Our employees are the front line in preventing any security breaches. To that end, we have defined security standards to empower them with the ability to keep all data safe and secure. These standards include those listed in this section, in addition to any requirements specified in other TruckRight policies.

Employee Training

All staff must complete TruckRight security training, including data handling, prior to beginning any work. Additional training may be required. For example, developers are required to complete Secure Coding training.

As TruckRight is a paperless environment, employees must take extra care to ensure confidential material is correctly stored on authorized TruckRight devices. These devices should be locked and secured at the end of each workday, or whenever employees are away from their workspace.

Use of TruckRight Devices

Only TruckRight-managed hardware and software are authorized to be connected to, or installed on, corporate equipment or networks used to access TruckRight data. Only software that has been approved for corporate use by TruckRight may be installed on TruckRight-owned devices. No modifications are permitted without explicit written consent by the TruckRight security team. Systems are to be used strictly for company business. Employees are required to use good judgement before using TruckRight systems for reasonable personal use.

Device Security

All TruckRight devices employ an automatic screen lock function, which is triggered after fifteen minutes of inactivity or less. Personal mobile devices, such as phones, must be stored in a purse or bag while at work. Personal mobile devices may only be used in authorized areas (such as the break room).

Use of Cloud Storage, Backups, and Removable Media

TruckRight data should only be saved to secure storage systems which have been approved for use by the company. This is to ensure that in the event of damage, loss, or theft of a company-owned device, this data can be protected and recovered. Employees are strictly prohibited from using removable media devices, such as USB drives. Employees are also strictly prohibited from making backups or copies of any and all TruckRight data.

TruckRight Visitors and Unrecognized Persons

Preventing unauthorized persons from entering TruckRight premises is the responsibility of all employees. All visitors to the TruckRight offices must sign in at the front desk, and be accompanied by a TruckRight employee at all times. Any visitors or unrecognized persons found in a restricted office location should be confronted by employees. If that person does not respond appropriately, they should immediately be reported to TruckRight security. If necessary, law enforcement should be called.

Prohibited Activities

The list below outlines activities which fall into the category of unacceptable use. Employees may be exempted from some of these restrictions with the explicit written consent of the TruckRight security team.

  • Under no circumstances should employees of TruckRight use TruckRight-owned resources for any illegal activity.
  • Employees must never violate, or attempt to violate, the terms of use or license agreement of any software product used by TruckRight.
  • Employees should consult management before the export of software, technology or any technical information.
  • The use of any software product that has not been appropriately licensed for use by TruckRight (including pirated software) is strictly prohibited.
  • Employees must never share their account password, or allow use of their account, with colleagues. This applies equally when work is performed remotely.
  • Employees must never make fraudulent offers of services or products from any TruckRight account.
  • Unless part of their normal job duties, employees must never make statements about warranty, either expressly or implied.
  • Employees must take care to never introduce malicious programs, such as viruses or Trojan horses, into the TruckRight server and network.
  • Employees must never cause security breaches or disruptions of network communication (e.g. network sniffing, denial of service, forged routing). Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account without authorized access.
  • Any software designed to discover software and network vulnerabilities should only be used by, or under the direct supervision of, the TruckRight security team.
  • Unless it is part of the employee’s explicit job duties, employees must never perform any form of network monitoring which will intercept data not intended for the employee’s host.
  • Employees are strictly prohibited from circumventing user authentication or security of any host, network or account or attempting to break into an information resource or to bypass a security feature.
  • Employees must never interfere with or deny service to any other user.
  • Employees are strictly prohibited from installing software which installs or includes any form of malware, spyware, or adware as defined by the security team.
  • Deliberately crashing an information system is strictly prohibited. Users may not realize that they caused a system crash, but if it is shown that the crash occurred as a result of user action, a repetition of the action by that user may be viewed as a deliberate act.
  • Employees are prohibited from attempting to subvert the technologies used to enforce the system configuration of company-managed devices.

Encryption of Data and Devices

TruckRight servers and production environments use full-disk encryption to protect data in the event of a lost, damaged or stolen device. Encryption is performed by either Microsoft BitLocker or Apple FileVault 2 using XTS-AES-128 encryption with a 256-bit key, and is enforced using MDM software.

Centralized System Configuration

MDM software (configuration-enforcement technology) is used by the TruckRight security team to manage all employee devices. This software may be used to manage network configuration; to audit, install or remove software applications or system services; to perform remote wipe and recovery; to copy data files to and from employee devices; and for any other allowed interaction that ensures employee devices comply with this Policy.

Device Heartbeat and Remote Wipe

All TruckRight devices must have the ability to be remotely wiped and to report their status.

Antivirus/Antimalware/Endpoint Protection

All TruckRight devices must be configured to automatically install TruckRight-provided antivirus software for endpoint protection. This software will be used by the security team to administer and report any potential threats.

Removable Storage

MDM software must be used to prevent the usage of removable storage on all TruckRight devices.

Any and all data, programs and documents which are created by TruckRight employees are the property of TruckRight, unless otherwise covered by a contractual agreement.

Privacy of Employees

While TruckRight aims to provide a reasonable level of privacy, employees should be aware that the data they create on TruckRight systems remains the property of the company. Employees should structure all electronic communication with recognition of the fact that the content could be monitored and that any electronic communication could be forwarded, intercepted, printed, or stored by others.

Any questions regarding the above should be directed to the TruckRight security team. TruckRight reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Security Training

All employees are required to complete a security training program before starting employment. This program is administered by the TruckRight security team, and covers all TruckRight security policies and procedures.

Employee Background Checks

TruckRight conducts background checks on all employees prior to their start date. Any background check that uncovers problematic issues, such as a criminal record, may result in a revocation of an employment offer.

Employee Separation

In the case of employee termination or resignation, the security team works with human resources to execute a separation process to ensure that all accounts, credentials, and access are reliably disabled.

Office Security Measures

TruckRight offices are controlled access environments. All doors are either staffed by a dedicated employee or locked from the outside. Employees may access the office via a security card scanner. Employees are also required to carry their security card at all times. When necessary, the security team may agree to have a door unlocked in order to accommodate extenuating physical access needs. This will only be done for a short period of time, and will be monitored by time-stamped security cameras.

Office Internet

Wired Ethernet and WPA2 Wi-Fi will be used to provide the TruckRight office with internet access. A network firewall is in place to block all WAN-sourced traffic. Networking switches and routers have been placed in a locked networking closet. Only the TruckRight security team has access to this space. Access to the networking closet may be granted, by the security team and TruckRight executives, on a case-by-case basis.

Employee Accounts and Authentication

All TruckRight employees have a unique user account/user identity in order to access TruckRight systems. Each account has a unique username, a two-factor authentication (2FA) system and a unique strong password of at least 8 characters.

Accessing TruckRight Systems

TruckRight systems must only be accessed by TruckRight-managed devices. Repeated failed attempts to authenticate may result in a user’s account being locked or revoked.

Part 3 – Access Management

Access Control

TruckRight applies the principle of least privilege to all user accounts, and each attempted action is subject to access control checks. TruckRight uses the role-based access control (RBAC) model, implemented via user accounts and groups, sharing controls, and organizational units. Only security team members have access to administrative operations, under the principle of least privilege.

Web Browsers

Normal business use at TruckRight may require a specified web browser. Certain roles, such as software development and web design, may require a variety of browsers; employees in these roles may use them as needed for those activities. These browsers are subject to whitelist-based restriction.

The TruckRight security team follows the company’s employee exit procedure regardless of whether the termination of employment was voluntary or involuntary. The exit procedure entails revocation of the associated user account and reclamation of company-owned devices, office keys or access cards, and all other company property prior to, or on, the final day of employment.

Part 4 – Technology

Software Development

TruckRight software was developed using the Agile methodology and industry best practices on security, in line with our commitment to the OWASP Top Ten guidelines.

TruckRight software undergoes rigorous testing, with automated processes which allow our team to rapidly improve each new iteration. The TruckRight development team is committed to continuous product improvement via the integration of new technologies.

TruckRight source code and configuration files are stored in private GitLab repositories. Routine code reviews and static code analysis are performed by the security and development teams. The review team checks compliance with TruckRight’s conventions and style, and identifies performance and other potential issues.

The security team will perform security reviews on every code commit to security-sensitive modules. These include, but are not limited to, modules related to access control, authorization, authentication and encryption.

Any and all open-source software libraries will be reviewed by the TruckRight security team before they are utilized. They will be tested to ensure their performance, stability and security are suitable.

The security and development teams adhere to a formal software release process. Sensitive data that does not need to be decrypted (e.g. passwords) is salted and hashed using approved functions such as PBKDF2.

Sensitive data which must be decrypted (e.g. tokens) must use an approved encryption provider for HSM functions, such as Azure Key Vault.

Configuration Best Practices

The configuration of any and all adopted systems will be documented by the TruckRight security and development teams. The security team will also be responsible for reviewing these configurations at least annually. The security team lead and TruckRight executives will be responsible for the approval of any changes to these configurations. Any and all system configurations will be guided by industry best practices.

All system configurations must adhere to the following controls, in a risk-based fashion and in accordance with this policy:

  • Malware detection and resolution
  • Capturing event logs
  • Authentication of administrative users
  • Removal or disabling of unnecessary software and configurations
  • Access control enforcement
  • Data-at-rest encryption
  • Data and file integrity
  • Data-in-transit protection of confidentiality, authenticity, and integrity for incoming and outgoing data
  • Allocation of sufficient hardware resources to support loads expected at least one year into the future.
  • No production data should ever be used in development or test systems.

Third-Party Services

The TruckRight security team will review every potential third-party service prior to adoption by the company. This will be done to ensure that the service’s security profile is suitable for the level of data the service will access or store.

Microsoft Azure

TruckRight is hosted on the Microsoft Azure cloud computing platform, providing extraordinarily high standards in security, privacy, compliance, resiliency, and protection of intellectual property.

The Microsoft Azure secure data facility has received SOC1 Type II audits and has issued SOC2 and SOC3 reports audited against the AICPA standard. The data centre is staffed 24/7/365 with access restricted to authorized employees only.

You can learn more about Microsoft Azure here:


Fully Managed by TELUS Business

TruckRight taps into managed IT services by TELUS, providing world-class 24×7 IT support.

You can learn more about their FM Elite managed services here: https://www.fullymanaged.com/solutions/digital-business/managed-it/

Barracuda XDR

TruckRight protects our clients against cyber threats with Barracuda XDR, offering 24/7/365 threat monitoring, multilayered data security and a comprehensive global threat indicator repository.

You can learn more about Barracuda XDR here:


Part 5 – Data Classification and Processing

Data Security Classification

The following Data Confidentiality Levels are practised by TruckRight:

  • Public – Information can be accessed on the public-facing website.
  • Internal – Information is limited to all employees and authorized third parties. Data is required to be encrypted.
  • Restricted – Information is limited to specific roles within the organization and authorized third parties. Data must be encrypted at rest and in transit. Access to data requires 2FA/MFA.
  • Confidential – Information only available to specific roles within the organization. Data must be encrypted at rest and in transit. Access to data requires 2FA/MFA.

Data Confidentiality levels are determined by:

  • Policy and contractual obligations.
  • Legal and regulatory obligations.
  • Sensitivity of the information, based on the highest possible risk calculated during the risk assessment.
  • The value of the information, based on highest possible impact calculated during the risk assessment.

As an extra precaution and in accordance with processing rules, different data type classifications may be used to separate data. The TruckRight security and development teams may dedicate specific information systems in Microsoft Azure to store and process data of each class, and only data of that class, unless otherwise defined. In order to keep each Client’s data segmented, corresponding systems may be required to process and store data items. Regardless of classification, data must be encrypted both at rest and in transit.

The different data classifications are as follows:

Client Contact Data contains contact information of TruckRight Clients.

Client Preferences Data covers the Client-specific configurations of the TruckRight service, completed by Client agents.

Client User Account Data covers Clients’ login accounts for the TruckRight service, used by Client agents. All user account credentials are to be hashed in such a manner that the plaintext passwords cannot be recovered.

Client Event Transaction Metadata is metadata regarding transactions conducted on all other classes of Client data. This includes Client organization and user identifiers, Client Contact Data and Client Preferences Data, and standard Syslog data. This class does not include Client Recorded Data.

Client Recorded Data is processed by TruckRight during session recording.

Client Preferences Data, Client Event Transaction Metadata, and Client Contact Data may be housed and processed in systems hosted in environments other than Azure, as approved by the TruckRight security team.

All resources must maintain accurate data classification tagging for their entire lifecycle, including while temporarily removed from service and during decommissioning.

Access to Client Data by TruckRight Employees

Client Data may be accessed by TruckRight employees under the following conditions only.

  • From TruckRight-owned or approved devices.
  • In an auditable manner.
  • For the purpose of Client support/incident response.
  • Never in development or test systems.
  • For only as long as needed to fulfill the purpose of access.

Client Access

Web user interfaces (UIs), application programming interfaces (APIs), and data export facilities are provided by TruckRight in order for Clients to access their own data.

Exceptional Circumstances

When and if necessary, exceptions to any of the above rules may be approved by TruckRight executives and the security team. This will only happen under extenuating circumstances, and if it is ruled that an exception will help protect the security of TruckRight Clients and the company. Examples include a prolonged service outage, natural disaster or security incident.

Data Protection and Encryption

In order to maintain a robust host security posture, our web servers are configured to expose only essential ports, effectively minimizing attack surfaces. The SQL server database is deliberately isolated from public access to mitigate unauthorized data exposure risks. Disk-level encryption is implemented using Storage Service Encryption (SSE) with Client-managed keys (CMKs), ensuring data at rest remains secure. Furthermore, secure remote connectivity to the machines is established via Virtual Private Network (VPN) tunnels, adding an extra layer of defence against unauthorized intrusion attempts.

Anti-virus and real-time file protection are enabled on the server through the use of CylancePROTECT, providing comprehensive security against potential threats and malicious activities.

TruckRight protects all data in transit with TLS 1.2 and all data at rest with AES-256 encryption. Cryptographic keys are assigned to specific roles based on least-privilege access, and keys are automatically rotated yearly. The usage of keys is monitored and logged. In addition, uploaded documents are encrypted using GNU Privacy Guard, databases are safeguarded with Transparent Data Encryption (TDE), and certain sensitive information in the database is encrypted using a symmetric key.

Resources must maintain data encryption at rest and in transit for their entire lifecycle, including during decommissioning or when removed from service temporarily.

Security Quality Assurance

Security QA testing of the application covers authentication, authorization and accounting functions, checks that no cross-site scripting, SQL injection or other OWASP Top Ten vulnerabilities are present, and any other activity designed to validate the security architecture.

Common vulnerabilities such as cross-site scripting and SQL injection are accounted for and handled at the network and application layers. Through the use of vulnerability scanning tools (Acunetix, Nikto, Watcher, etc.), issues are tested for and mitigated as part of the application development process, giving a level of confidence that the application is reasonably secure against malicious threats.

Data Retention

Any data housed in TruckRight is the property of each individual Client. Each individual Client has access only to their own data. Each Client is responsible for the information they create, use, store, process and destroy.

On the expiration or cancellation of service, or at a Client’s request, their data is provided to them in a format as determined by TruckRight. TruckRight deletes all Client data in accordance with applicable law as soon as reasonably practicable, unless applicable law or regulations require otherwise.

Data Residency

Our data facility, which houses the infrastructure and the TruckRight client data, is located in Canada Central or the Central US, depending on each client’s home location.

Data Sanitization and Secure Disposal

TruckRight uses Microsoft Azure services for all infrastructure. Azure provides the following guidance regarding their data lifecycle policies:

If a disk drive used for storage suffers a hardware failure, it is securely erased or destroyed before Microsoft returns it to the manufacturer for replacement or repair. The data on the drive is completely overwritten to ensure the data cannot be recovered by any means.

When such devices are decommissioned, they are purged or destroyed according to NIST SP 800-88, Guidelines for Media Sanitization.

When Clients delete data or leave Azure, Microsoft follows strict standards for deleting data, as well as the physical destruction of decommissioned hardware. Microsoft executes a complete deletion of data on Client request and on contract termination. For more information, see Data Management at Microsoft.

Database-Per-Tenant Architecture

TruckRight’s database-per-tenant architecture means that data is encrypted and stored in each Client’s own individual database, preventing any leakage of data between Clients. Their data is owned by them and remains separate at all times.

Furthermore, each Client decides how much access each of their users has to sensitive information. Permissions are assigned to team members based on the Client’s specific requirements.

TruckRight Password Policy

Our password policy enforces a minimum length of 9 characters and requires a “Strong” or higher password strength rating for acceptance. We assess password strength using pattern matching and conservative estimation techniques, considering factors such as common passwords, popular names and surnames from US census data, frequently used English words from Wikipedia, US television and movies, and typical patterns like dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak.
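The estimator described above works by explaining as much of the password as possible with cheap patterns (dictionary words with or without l33t substitutions, repeats, sequences, keyboard walks, dates) and charging brute force only for what is left; the approach is the one popularized by the open-source zxcvbn estimator. The block below is an added example of that technique and is not TruckRight’s own code. Its word lists are tiny constructed stand-ins for the census, Wikipedia and media lists the policy mentions, and the guess formulas and rating thresholds are assumptions.

```python
"""Added example (not TruckRight's own code): a conservative, pattern-based
password strength estimator of the kind the policy describes.  The word lists
below are small constructed stand-ins for the census, Wikipedia and media lists
the policy mentions; the guess formulas and rating thresholds are assumptions."""
import math
import re
from typing import Dict, List, Tuple

# Constructed stand-in dictionaries; position + 1 is the word's rank (lower = more common).
DICTIONARIES = {
    "passwords": ["password", "123456", "qwerty", "letmein", "iloveyou", "welcome"],
    "names": ["james", "mary", "smith", "johnson", "garcia"],
    "words": ["dragon", "summer", "freedom", "trucks", "battery", "horse", "staple", "correct"],
}
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
RATINGS = ["Very weak", "Weak", "Fair", "Strong", "Very strong"]
MIN_LENGTH = 9          # the policy's minimum length
REQUIRED_SCORE = 3      # index of "Strong"

Match = Tuple[int, int, str, float]  # (start, end, kind, estimated guesses)


def _charset_size(pw: str) -> int:
    """Brute-force alphabet size for characters that no pattern explains."""
    size = 0
    for pattern, width in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            size += width
    return max(size, 10)


def find_matches(pw: str) -> List[Match]:
    """Every substring explained by a dictionary word, keyboard walk, repeat, sequence or date."""
    n, lower = len(pw), pw.lower()
    deleet = lower.translate(LEET)
    matches: List[Match] = []
    for i in range(n):
        for j in range(i + 3, n + 1):
            plain, leet = lower[i:j], deleet[i:j]
            for words in DICTIONARIES.values():
                if plain in words:  # capitalisation roughly doubles the guesses
                    matches.append((i, j, "dictionary", (words.index(plain) + 1) * (1.0 if pw[i:j] == plain else 2.0)))
                elif leet in words:  # l33t substitutions add a small constant factor
                    matches.append((i, j, "dictionary", (words.index(leet) + 1) * 4.0))
            for row in KEYBOARD_ROWS:  # qwerty, poiuy
                if plain in row or plain in row[::-1]:
                    matches.append((i, j, "keyboard", 20.0 * (j - i)))
    for m in re.finditer(r"(.)\1{2,}", pw):  # aaa
        matches.append((m.start(), m.end(), "repeat", 10.0 * (m.end() - m.start())))
    i = 0
    while i < n - 2:  # abcd, 4321: runs of adjacent code points
        delta = ord(pw[i + 1]) - ord(pw[i])
        if delta in (1, -1):
            j = i + 1
            while j + 1 < n and ord(pw[j + 1]) - ord(pw[j]) == delta:
                j += 1
            if j - i + 1 >= 3:
                base = 4.0 if pw[i].lower() in "a1" else (10.0 if pw[i].isdigit() else 26.0)
                matches.append((i, j + 1, "sequence", base * (j - i + 1) * (2.0 if delta < 0 else 1.0)))
            i = j
        else:
            i += 1
    for m in re.finditer(r"(?<!\d)(19|20)\d{2}(?!\d)", pw):  # bare year
        matches.append((m.start(), m.end(), "date", 200.0))
    for m in re.finditer(r"(?<!\d)\d{6}(?:\d{2})?(?!\d)", pw):  # ddmmyy / ddmmyyyy style
        matches.append((m.start(), m.end(), "date", 36500.0))
    return matches


def estimate_guesses(pw: str) -> Tuple[float, List[str]]:
    """Dynamic programme: the cheapest non-overlapping cover of the whole password."""
    n, per_char = len(pw), float(_charset_size(pw))
    matches = find_matches(pw)
    best = [1.0] + [math.inf] * n
    choice: List[Match] = [(0, 0, "", 0.0)] * (n + 1)
    for end in range(1, n + 1):
        best[end], choice[end] = best[end - 1] * per_char, (end - 1, end, "bruteforce", per_char)
        for m in matches:
            if m[1] == end and best[m[0]] * m[3] < best[end]:
                best[end], choice[end] = best[m[0]] * m[3], m
    kinds, pos = [], n
    while pos > 0:  # walk back to report which segments drove the estimate
        kinds.append(choice[pos][2])
        pos = choice[pos][0]
    return best[n], kinds[::-1]


def rate(pw: str) -> Dict[str, object]:
    """Score 0..4 from the order of magnitude of the guess estimate."""
    guesses, kinds = estimate_guesses(pw)
    log10 = math.log10(guesses)
    score = sum(log10 >= t for t in (6, 8, 10, 12))
    return {"score": score, "rating": RATINGS[score], "log10_guesses": round(log10, 1), "segments": kinds}


def is_acceptable(pw: str) -> bool:
    """The policy check: at least MIN_LENGTH characters and a "Strong" or higher rating."""
    return len(pw) >= MIN_LENGTH and rate(pw)["score"] >= REQUIRED_SCORE


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2019", "qwertyuiop1234", "xK9#vLq2!mZr"):
        print(candidate, rate(candidate), is_acceptable(candidate))
```

Two things are worth noticing when running it. "P@ssw0rd2019" is twelve characters with mixed case, digits and a symbol, yet it is explained as one l33t dictionary word plus a year and rates "Very weak"; a character-class rule would have accepted it. Conversely, a passphrase of common words rates weak here only because the constructed dictionaries have single-digit ranks; with real lists of tens of thousands of ranked words the same dynamic programme produces a much larger estimate, which is why the quality of the word lists matters as much as the matching logic.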

TruckRight Account Passwords

TruckRight accounts are generated only by an admin user. When the TruckRight service is set up, an admin user is created, by TruckRight personnel, using the information provided by the customer. The admin user can create users as necessary. When an account is created for such a user, the admin follows internal procedures to provide password information.

In addition, accounts can be created using an option called an “Access Point”. This method creates an account for the applicant using the email address on file. Only one account can be created per email address. An email is sent containing a token from which the recipient can access their new account.

The user is required to set up three security questions and provide a new password and confirm it before moving further. The user can then login to their account.

TruckRight Account Password Resetting

When a user forgets their password, they can reset it using an option called Forget Password. This option sends a token to the email address in the user’s profile, allowing the user to create a new password. The security questions set up when the account was initially created are used to confirm the user’s identity.
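The reset flow just described has three security properties worth making explicit: the emailed token must be unguessable and usable once, it must expire, and the security-question answer must be compared without leaking timing information. The block below is an added example modelling that flow; it is not TruckRight’s code. The token lifetime, the wrong-answer limit, the in-memory stores, the `outbox` list that stands in for the email provider, and the assumption that the caller supplies the new password already hashed with the approved KDF are all illustrative choices.

```python
"""Added example (not TruckRight's own code): an email-delivered, single-use
password reset token with expiry and a security-question check, modelling the
Forget Password flow.  Token lifetime, attempt limit and the in-memory stores
are assumptions; the outbox list stands in for the email provider."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link
MAX_ANSWER_ATTEMPTS = 3      # assumed limit before the token is burned


@dataclass
class UserRecord:
    email: str
    password_hash: str   # produced by the approved salted KDF, not by this example
    answer_hash: str     # SHA-256 of the normalised security-question answer


@dataclass
class ResetRequest:
    user_id: str
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def normalise_answer(answer: str) -> str:
    """Security-question answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


class ResetService:
    def __init__(self, users: Dict[str, UserRecord], now: Callable[[], float] = time.time):
        self.users = users
        self.by_email = {rec.email.lower(): uid for uid, rec in users.items()}
        self.now = now
        self.requests: Dict[str, ResetRequest] = {}   # keyed by the token's hash, never the token
        self.outbox: List[Tuple[str, str]] = []       # (recipient, raw token) handed to the mailer

    def request_reset(self, email: str) -> None:
        """The Forget Password step. Behaves identically for unknown addresses so the
        endpoint does not reveal which emails have accounts."""
        uid = self.by_email.get(email.lower())
        if uid is None:
            return
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; only the mailbox sees it
        self.requests[_digest(token)] = ResetRequest(uid, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((self.users[uid].email, token))

    def complete_reset(self, token: str, answer: str, new_password_hash: str) -> bool:
        """Accept the emailed token plus the security-question answer; on success store the
        caller-supplied hash of the new password and retire every outstanding request."""
        req = self.requests.get(_digest(token))
        if req is None or req.used or self.now() > req.expires_at:
            return False
        user = self.users[req.user_id]
        if not hmac.compare_digest(user.answer_hash, _digest(normalise_answer(answer))):
            req.attempts += 1
            if req.attempts >= MAX_ANSWER_ATTEMPTS:
                req.used = True  # burn the token after repeated wrong answers
            return False
        user.password_hash = new_password_hash
        for other in self.requests.values():   # single use, and no stale links survive
            if other.user_id == req.user_id:
                other.used = True
        return True


if __name__ == "__main__":
    # Constructed sample account; the answer hash is what onboarding would have stored.
    svc = ResetService({"u1": UserRecord("driver@example.com", "<kdf hash>", _digest("blue"))})
    svc.request_reset("driver@example.com")
    _, token = svc.outbox[0]
    print(svc.complete_reset(token, " Blue ", "<new kdf hash>"))  # True
    print(svc.complete_reset(token, "blue", "<another hash>"))    # False: already used
```

Storing only the hash of the token means a read of the request table does not yield a usable link, and keying the store by that hash keeps the lookup free of string comparisons on the secret. Marking every outstanding request for the account as used on success closes the window in which an older emailed link could still be redeemed after the password has already been changed.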

Part 6 – Vulnerability and Incident Management

Detection and Response of Vulnerability

Below are the measures used by the TruckRight security and development teams to prevent vulnerabilities in TruckRight’s information systems.

  • Frequent vulnerability scanning on TruckRight services.
  • Code reviews performed on every security-sensitive code commit.
  • Automated source code scanning on every code commit.
  • Cross-checking all systems and software used to support TruckRight services across vulnerability databases.
  • Annual penetration testing performed by an independent provider.

The TruckRight security team is responsible for determining the severity of any detected vulnerability, in terms of the potential impact of an exploit. The TruckRight security team is also responsible for developing strategies and schedules for mitigations, such as implementing compensating controls.

Detection and Response of Incidents

The TruckRight Incident Response Policy has been implemented by the security team. The policy is made up of the following steps:

  • Preparation
  • Identification
  • Containment
  • Investigation
  • Eradication/recovery
  • Follow-up/post-mortem

The TruckRight security team will use the following methods for security incident detection.

  • Continuous monitoring of network traffic for unauthorized or malicious activity.
  • Continuous monitoring of logs for unauthorized or malicious activity.
  • Responding to notices of potential incidents from employees, contractors or external parties.
  • Reviewing any service outages for their cause(s).

The TruckRight security team determines whether each indicator represents an actual security incident. Every incident is evaluated for severity, scope, and root cause. Finally, the security team resolves every incident in a manner and timeframe commensurate with its scope and severity.

TruckRight will maintain communication with the Client about any data breach which affects them, specifically where the severity, cause, and resolution of the breach are concerned.

Part 7 – Disaster Recovery and Business Continuity

Availability and Resiliency

TruckRight services shall be configured to withstand long-term outages of individual servers, availability zones, and geographic regions. TruckRight infrastructure and data are replicated in multiple geographic regions to ensure this level of availability.

Business Continuity and Disaster Recovery

In the event of a security incident affecting customer data, there are processes in place to ensure that the incident is addressed effectively. Our client would be informed immediately of such an incident and would be kept informed on the actions taken to rectify the issue. An investigation would be conducted to determine the extent of the incident, how it occurred and what could be done to prevent further occurrences.

The system is monitored on a 24/7 basis for such incidents and every measure is taken to proactively prevent them.

System and data backups are executed on daily and weekly schedules using a dedicated connection to the hosting provider’s tape backup infrastructure. The time required to restore backup data can vary based on network usage at the time of the restore.

Business Risk Assessment and Impact Analysis

A business risk assessment and impact analysis will be performed on all systems used by TruckRight by the risk assessment committee. This will assist in the creation/update of recovery plans for all of TruckRight’s systems, and determine which systems should receive priority attention.

Emergencies and Remote Work

In the event of an emergency situation (such as a natural disaster), TruckRight will enable all policies and equipment available to allow for safe, secured remote worksites for its staff.

Emergency Notification and Communication

In the event of an emergency situation, TruckRight employees will be notified via our internal communications system, housed on secure providers. Employees will also be notified in the event that a data recovery plan is initiated or deactivated.

Have any questions about security?

The safety and security of our clients’ data will always be TruckRight’s top priority. If you have any questions or concerns, please reach out to [email protected].
