Last Updated: May 5, 2025
FourKites agrees that it shall take all reasonably necessary steps and security precautions in accordance with commercially reasonable industry standards to minimize the risk of unauthorized access to, or sabotage of, Company Data that is provided to FourKites.
FourKites will maintain and keep updated a security policy aligned to industry standards that contains procedures designed to protect the security of Company Data in electronic form while under FourKites’ possession, custody or control that cover the areas below.
a. Information Security Policy. Devise, update and monitor policies that are designed to protect FourKites’ information systems from loss, damage, unauthorized disclosure, or disruption of business, which includes the physical and logical protection of information systems including Company Personal Data that is processed or transmitted.
b. Organization of Information Security. Maintain an information security organization to coordinate the implementation of security.
c. Asset Management. Maintain procedures to identify, control, and maintain the security of FourKites assets and Company Personal Data.
d. Human Resources Security. Develop and implement policies and procedures that determine whether FourKites personnel and third parties are suitable for their roles and provide appropriate training and information so that FourKites users and third parties understand their IT security responsibilities in relation to Company Data.
e. Physical and Environmental Security. Implement measures which are designed to protect all FourKites information systems, and the Company Personal Data contained thereon with an appropriate level of physical security and suitable environmental controls. Provide measures for physical security surrounding information and information systems, as well as the supporting infrastructure, e.g., routers, switches, network cabling, end user systems, power, and environmental systems.
f. Communications and operations management. Operation of information systems and information processing facilities which contain Company Data using appropriate security measures. Maintenance of communications network and systems infrastructure including:
g. Access Control. Procedures which are designed to restrict access to information systems and Company Data, including providing user identification and access controls designed to limit access to Company Data to authorized users who require such access to carry out their role.
h. Information Security Incident Management. Develop and maintain procedures which provide an incident response plan and program in order to bring needed resources together in an organized manner to deal with and resolve an adverse event related to the security of FourKites’ computer infrastructure. Procedures shall include a means to notify Company without undue delay of any Security Incident affecting Company Data.
i. Compliance. Have in place procedures to ensure that FourKites’ information systems comply with local laws and regulatory requirements.
j. Specific Measures.
| Measure | Description |
| --- | --- |
| Measures of pseudonymisation and encryption of Company Data | FourKites uses encryption to protect personal data, both while in transit and while at rest. All data in transit is secured using HTTPS with TLS 1.2 (or greater). FourKites also encrypts data at rest using the industry standard AES-256 algorithm. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | FourKites performs a monthly user access review on all FourKites processing systems. Infrastructure vulnerability assessments and penetration tests are performed to identify and remediate vulnerabilities. A periodic disaster recovery test is performed to test the recovery point objectives (RPO) and recovery time objectives (RTO). In addition, a backup integrity test is performed to validate the data backup at least once annually. We use both preventative and monitoring controls to enforce technical and administrative policies. FourKites requires all employees to undergo privacy training and to adhere to company policies (e.g., Data Protection Policy, Generative AI Usage Policy). |
| Measures for ensuring the ability to restore the availability and access to Company Data in a timely manner in the event of a physical or technical incident | FourKites services and applications are primarily hosted in Amazon Web Services (AWS), specifically in the AWS US-EAST-1 region (N. Virginia), as well as a cloud presence in Azure. AWS offers a reliable platform for software services used by thousands of businesses worldwide. AWS provides services in accordance with security best practices and undergoes industry-recognized certifications and audits (see aws.amazon.com/security/ for more information). Microsoft Azure is also a large cloud platform that is used by thousands of businesses worldwide and has a large array of industry recognized certifications (see https://learn.microsoft.com/en-us/azure/compliance/offerings/). FourKites has implemented high availability and redundancy as well as load balancing and failover clustering to maintain availability. A periodic disaster recovery test is performed to test the recovery point objectives (RPO) and recovery time objectives (RTO). In addition, a backup integrity test is performed to validate the data backup at least once annually. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | FourKites has a dedicated internal audit team that conducts internal audits periodically to identify and assess any process deviations and to take any corrective actions to mitigate risks. In addition, and as mentioned above, FourKites undergoes an external Service Organization Controls 2 (SOC 2) Type II audit annually to evaluate the effectiveness of the security controls that have been designed and implemented. |
| Measures for user identification and authorisation | FourKites uses a combination of Virtual Private Network (VPN) with Multi-Factor Authentication (MFA) and Single Sign-On (SSO), to grant access to internal support tools, infrastructure and data where Company Data resides. In addition, FourKites has defined a strong password policy that is strictly enforced, requiring all passwords to meet certain complexity requirements. All tools are reviewed periodically for compliance and security. |
| Measures for the protection of data during transmission | FourKites uses HTTPS with TLS 1.2 (or greater) to protect data in transit. |
| Measures for the protection of data during storage | FourKites uses industry standard AES-256 encryption to protect data at rest. |
| Measures for ensuring physical security of locations at which Company Data are processed | FourKites is a 100% SaaS company, born in the cloud. Even though FourKites has a few limited office locations, there are no FourKites physical locations where personal data could be stored. All data is either stored in the cloud or with our SaaS providers that support our business (e.g., AWS, Salesforce, HRIS systems, etc.). For personal data from FourKites services and applications, FourKites utilizes Amazon’s AWS and Microsoft’s Azure cloud environments. Both cloud services have a respective set of physical controls at their data centers, which are outlined at https://aws.amazon.com/security and https://learn.microsoft.com/en-us/azure/compliance/offerings/ |
| Measures for ensuring events logging | FourKites uses a centralized log aggregation system to consolidate and monitor logs from applications, platforms, cloud, and other network devices. It is designed and set up in accordance with security best practices, including logging of access and any system configuration changes. The centralized logging system is primarily focused on performance, user, and change management monitoring, and is used for troubleshooting our applications. |
| Measures for ensuring system configuration, including default configuration | FourKites performs periodic system configuration reviews on all processing systems to evaluate the configurations, services and default ports. Default configurations are flagged using automated monitoring from our internal security tooling, as well as quarterly reviews from our Security team. |
| Measures for internal IT and IT security governance and management | FourKites conducts periodic internal audits and an annual external SOC 2 Type II audit to evaluate the effectiveness of security controls that are designed and implemented. In addition, FourKites conducts annual policy reviews and revisions, including both technical and administrative controls that are part of the FourKites Information Security Management System (ISMS), which is based upon the ISO 27001 framework. |
| Measures for certification/assurance of processes and products | FourKites undergoes an external SOC 2 Type II audit each year. This audit is focused on security to assess the effectiveness of security controls designed to protect personal and other types of data. In addition to the SOC 2 Type II audit, FourKites conducts periodic vulnerability testing at the a) endpoint, b) infrastructure, and c) container level. FourKites has integrated automated security scanning tools in CI/CD pipelines to ensure secure code deployment and compliance with security policies. FourKites has deployed SIEM (Security Information and Event Management) solutions and real-time threat intelligence to detect and respond to security threats proactively. |
| Measures for ensuring data minimisation | FourKites only collects personal information necessary to provide its services to its customers and restricts access to any type of Company Personal Data. FourKites limits access to data only to authorized personnel based on job roles and has implemented the least privilege principle to prevent unnecessary exposure. FourKites conducts regular audits to assess how data is collected, stored, and processed to ensure compliance with applicable privacy laws. We use both preventative and monitoring controls to enforce technical and administrative policies. In addition, FourKites requires all employees to undergo privacy training and to adhere to company policies (e.g., Data Protection Policy, Acceptable Use Policy). |
| Measures for ensuring data quality | All FourKites releases are rigorously tested and certified by a quality assurance (QA) team. The QA team uses automated test suites as well as manual testing techniques (including full regression testing) for all software releases. |
| Measures for ensuring limited data retention | FourKites only retains Company Personal Data for as long as it is strictly necessary to perform the services. With regards to personal data processed on your behalf, we retain the information for the duration of the relationship unless you instruct us otherwise. Upon termination of the Services, FourKites will securely destroy, within 90 days, all Company Personal Data (including copies) in its possession or control processed in the capacity of a processor. |
| Measures for ensuring accountability | FourKites has a dedicated Privacy and Security Team. They are responsible for security governance, risk management, access controls and monitoring, training and awareness, and ensuring compliance with privacy and security standards by employees and third parties. FourKites has controls implemented to monitor and track user activities, including flagging stale or misconfigured accounts. FourKites uses logging and monitoring tools to track user activities, flag suspicious behavior, and maintain an audit trail for accountability. FourKites has implemented automated alerts for policy violations. |
| Measures for allowing data portability and ensuring erasure | Data subject request processes are in place to handle erasure and data portability requests. Customers may reach out to [email protected] in order to exercise their rights. |