General business information

No. Microlise Group Ltd is not classed as an SME (Small and Medium-sized Enterprise) under the EU definition, as it has more than 250 employees.

Microlise Group Ltd (1670983).

Yes. The Microlise Group of companies has locations in the UK, Australia, New Zealand, France & India.

Microlise Ltd does not transfer customer data between locations unless specified/agreed in the specific contract and/or data processing agreement.

Data is held within UK data centres; however, support is provided from Pune, India.

Technical support staff in Microlise India will have access to relevant information to provide the required support to customers where appropriate.

Yes. TickITplus, ISO 9001, ISO 20000 and ISO 27001 certified. Certification evidence is available from UKAS (https://certcheck.ukas.com/).

Adding value to our customers’ operations using Artificial Intelligence (AI) and Machine Learning (ML) is part of Microlise Group’s roadmap. Some of its products already use AI, including ClearVision AI Cameras and the patent-pending Trailer Brake Performance Monitoring System (TBPMS). The Group is committed to expanding these advancements ethically across its portfolio of Fleet Compliance, Performance & Safety, Transport Management System (TMS), Planning & Optimisation (P&O), Journey Management, and Driver Connected Mobility Services.

The Group recognises the significance of responsible AI integration and follows the ethical guidance from the UK Government [1] and the European Commission [2]. It is committed to these guidelines, ensuring the standards are applied throughout its portfolio. Through continual assessment, the Group ensures impartiality and fairness across all AI-powered offerings, thereby pre-empting bias and discrimination and reinforcing the public’s confidence in the reliability and safety of all AI products developed by Microlise Group.

The optimisation engine powering the Group’s Planning & Optimisation (P&O) product is designed using mathematical models, optimisation methodologies, and heuristic algorithms. Consequently, it is a transparent and explainable solution for tackling the complex challenges around vehicle routing for pick-ups and deliveries, while continually re-calculating operational constraints based upon user data. P&O gives users complete control in adjusting and improving the suggested routing plans, providing them with full autonomy.

[1] UK Government: Navigating Artificial Intelligence Ethics and Safety: https://www.gov.uk/guidance/understanding-artificial-intelligence-ethics-and-safety

[2] European Commission: Fostering Trustworthy AI with Ethical Guidelines: https://digital-strategy.ec.europa.eu/en/library/ethics-guidelines-trustworthy-ai

Application security

No. Users and their access rights are administered locally to the Microlise application. Optionally, the Microlise application can be configured for single sign-on by integrating your Identity Provider with the Microlise Identity Provider cloud service. In this mode, new users are created when they access the Microlise application. Access rights management still takes place within the application itself.

The authentication repository is held in a database.
The schema is not available.
JDBC & ODBC connections are not permitted.
Stored Procedures are not available.
User Administration APIs (Application Programming Interface) are not available.
API (Application Programming Interface) access is logged in a central Elastic instance.

Yes. The integration protocol that we use with a customer’s own identity provider for our Execution Board is SAML 2.0.

Breach & incident management

Yes. A policy and clear guidelines are available to all employees and contractors, describing the process for reporting violations of IS policies and other forms of breach and incident.

Yes. The customer is to be notified within 72 hours of initial detection and communicated with throughout the incident management process.

A copy of the incident management policy & process can be made available upon request.

Yes. Microlise has a policy that is documented and maintained. This includes what happens when there is suspicion or identification of a security incident, how this is reported through Microlise and how the risk is isolated until resolved.

Yes. Microlise has a full complement of policies and procedures in place to fully manage and plan incident response. A copy of the relevant documents can be provided upon request.

Yes. We have policies and procedures for the effective logging, monitoring, detection, analysis and reporting of security events and incidents, and for the incident management activities relating to them. The TMC product has logging and audit trails built in to show access. A copy of the relevant documents can be provided upon request.

Yes. These form part of our wider policies and procedures around incident management. Copies of the relevant documents are available upon request.

Yes. These form part of our wider policies and procedures around incident management. Copies of the relevant documents are available upon request.

Yes. Microlise utilises various monitoring tools, and analyses and records the events they generate.

Business continuity & disaster recovery

Yes, Microlise has both a business continuity plan and a disaster recovery plan.

We have scheduled offline backups that are stored securely and are tested regularly.
Video files are backed up daily and retained for 12 months.

Yes. Microlise has a policy that defines what information may be released, and implements controls and monitoring to control the flow of data within the network and to detect the unauthorised release of sensitive information.

Auditing & vulnerability scanning

Yes. All controls and areas are audited for compliance at least annually. Results of these audits, along with any external audits, incident reports, tests, and feedback from interested parties are logged to aid in the continuous improvement of our processes and procedures.

Yes. We allow clients the right to audit under the Master Service Agreement (MSA).

No. Microlise owns and operates all equipment in the secure data centres, which are covered under the ISO 27001 certificate. The data centre providers have a SOC report, which is available upon request.

Yes, regular formal reporting arrangements are in place at board level or an equivalent senior responsible role.

Yes. A summary of recent test findings and remedial action can be made available on request.

Data handling

Yes. Data provided by the client, in combination with publicly available data, is used for the telematics process. The relevant data for backup/disaster recovery and any relevant statistical analysis are stored as per our data handling policy and the contract agreed with the specific client.

Microlise uses Public & Internal data. The definitions are listed below:

  • Public data: This type of data is freely accessible to the public (i.e., all employees/company personnel). It can be freely used, reused, and redistributed without repercussions. Examples might be first and last names, job descriptions, or press releases.
  • Internal data: This type of data is strictly accessible to internal company personnel or internal employees who are granted access. This might include internal-only memos or other communications, business plans, etc.
  • Confidential: Data is only to be shared, held and processed by parties given access by the data owner.
  • Secret: Data is held on a need-to-know, need-to-hold basis. Compromise of this data could lead to a negative impact on the company’s reputation, legal action, or financial loss.

No. However, Microlise DBA & TechOps staff in Pune will have access to support the service.

No. Microlise has two UK-based data centres; all equipment is owned and operated by Microlise Ltd.

Yes. Microlise uses encryption technologies in line with industry standards to protect the confidentiality of sensitive information both at rest and during transmission.

Data at rest is encrypted using AES-256 encryption.
Data in transit is encrypted using secure protocols (HTTPS, SFTP, etc.).
All Microlise databases accept only secure connections, and their associated log files are encrypted.

Camera footage is stored securely on the DVR servers, on enterprise-level SANs located in our London data centres.

Video files are encrypted at rest. Access control on the DVR servers and role-based authentication in the Microlise WebPortal prevent unauthorised access to the videos.

Yes. This service is contracted through a third-party vendor. Full details of the policies and process can be provided upon request.

Yes. Microlise has a policy and has designated roles within the organisation that guide managers, users and service providers on the individual responsibilities and the specific procedures that should be followed.

Any bulk data transfers are subject to formal approval before release and are done using only secure and approved communication channels.

The only data captured is that needed to set up profiles for users and drivers; tracking data is taken from customer equipment. Driver name and performance can be used in the Microlise Driver of the Year award (customers can choose to opt out).

Microlise employee security

Yes. Full details of the policies and procedures can be provided upon request.

Yes, there is a Data Protection Lead appointed within the Information Security Department. The DPO is provided by a third party.
You can reach the information security and data protection contacts via email at informationsecurity@microlise.com.

Yes. Depending on the contract with the client and the services being provided, PII (Personally Identifiable Information) involved may include:

  • Driver name/ID (as supplied by the client)
  • Geolocation of driver
  • Geolocation and information relating to other individuals (if supplied by the client)
  • Driver contact details (phone number, email address)
  • Client customer details (name/ID, address, phone number, email address)

PI (Personal Information) & PII are only collected, stored, and processed where they are provided by the client and the client has expressly requested the use of such information.

Microlise does not collect, process, or store Payment Card Information (PCI).

Yes. Each customer has their own secure database instance, as well as a separate front end and middleware using virtualisation to provide the separation.

Data protection

Yes. Microlise has a policy that complies with our legal requirements. Microlise conducts DBS checks on all employees prior to commencement of employment, and where employees are granted privileged access, Microlise will establish additional trustworthiness, e.g., through the length of service, risk assessment or managerial sign-off.

For employees working on relevant contracts, BPSS is also used, and a number of those employees also hold SC.

Yes. Microlise has a formal process, which is regularly reviewed and communicated to employees.

Yes. Microlise defines minimum skillsets for specific roles and has a continuous education process in place to ensure that our employees meet or exceed these requirements.

Yes. All staff are required to undergo mandatory Information Security and GDPR/Data Protection training every 2 years, along with a full awareness program that is administered throughout the year.

Yes. All assets are required to be returned and the employee loses their access to all Microlise systems upon the termination of their employment.

Physical security

Customer data is stored in the secure space at Microlise’s two UK-based data centres which can only be physically accessed by authorised personnel.

Our contract with our data centre provider includes secure dedicated suite space, power, cooling, IP internet connectivity, DC-to-DC connectivity and remote hands/eyes support, as well as protection against fire and flood.
Tests on the physical security features are conducted in line with Tier 3/4 data centre requirements.
Microlise owns and operates all the active hardware within the data centres.
Certificates of compliance for Microlise’s data centres can be provided on request.

Microlise’s on-site technical facilities are restricted to a similar standard, with access-card-controlled entry, round-the-clock monitoring and air cooling/fire suppression/flood prevention. Further details of Microlise’s on-site security measures can be provided upon request.

Yes. Microlise has a policy for the secure disposal of documents and devices, which applies both in the office and when working remotely.

Risk management

Microlise holds Public & Products Liability Insurance.

Yes. These are formalised in accordance with, and form part of, corporate policy, as are the criteria for performing information security risk assessments. Acceptable levels of risk are also defined and documented.

Yes. Microlise also manages risks to legacy systems, where possible isolating these systems, and/or providing additional protective controls and monitoring until they can be updated/replaced.

ICT systems & controls

Yes. Microlise has a verified understanding of the size and topology of our corporate networks. We have a register of all assets that is regularly reviewed.

Yes. Microlise assesses the risks of the use of removable media and manages them with a policy that is documented and maintained.

Yes. All devices within Microlise’s network have antivirus and antimalware technologies installed and these are regularly updated and patched.

Yes. Firewalls are regularly monitored for any suspicious activity to further mitigate risks posed by outsider threats.

Yes. IPS/IDS modules are installed on the enterprise firewalls and our external F5 Silverline WAF; we block known suspicious network behaviour and direct all outgoing traffic through an authenticated proxy server.

Yes. We routinely patch workstations and laptops; critical server patches are applied to mitigate vulnerability as required to counter the risk.

Yes. Microlise has a verified backup process.
The backups are encrypted, stored offsite & tested every 4 weeks.
The encryption keys are not rotated.

Yes. Microlise has a policy, and we maintain a list of software that is authorised for use.

Access control

Yes. Microlise has formal access and handling – storage, transmission, transportation, retention, and disposal – procedures based on our classification scheme, and a policy that is documented and maintained.

Yes. Microlise has an access control policy which covers how we establish appropriate user access rights, to ensure that users only have access to information necessary for them to perform their role. Access rights are granted on a ‘least privilege’ basis and all users are provided with a unique log-in ID when accessing data.

Role-based access is applied in the customer HTTPS portals; it is set via configuration and managed by the customer.

Yes. Microlise identifies such information and applies a formal classification scheme in accordance with our policies and regulatory requirements, and communicates this to all staff to ensure they clearly understand the scheme and their responsibilities for ensuring it affords appropriate protection to sensitive information.

Yes. SysAdmin privileges are controlled via IPSec VPN to HQ, then secure tunnels to the data centres.

Yes. Logs are kept for up to 90 days and a log correlation tool is used. A SIEM (Security Information and Event Management) solution is not currently in place but is planned for implementation in 2023. Alerts are monitored by the ServiceDesk, TechOps and SRE teams, with critical alerts monitored 24/7. No other logging is used to identify IOCs (indicators of compromise).

Yes. The VPN does not require two-factor authentication (2FA) but the devices themselves require 2FA before the VPN can be accessed.

Yes. Data centres have no Wi-Fi access. For Microlise business employees, Wi-Fi access is controlled by the Business Systems Team.

Yes. Microlise actively controls user access to user accounts through a corporate-wide, technically enforced mechanism, such as a mandatory password complexity policy, with managers actively matching staff to existing accounts. We monitor compliance with acceptable use policies and procedures through technical controls.

Yes. Microlise controls access to our networks and systems by ensuring that those approved to connect do so using approved mechanisms and devices. We actively confirm the right to access, verify endpoint security, and establish identity before the connection is completed.

System access is managed on a ‘least privilege’ basis for Microlise employees, i.e. access is managed based on role within the organisation. System monitoring is in place across the Microlise systems. Logs are held for a period of 12 months.

Front-end log-in activity is captured in audit tables, and database access logs are obtainable from the DBAs. There are several logs in place that record session and user activity within the Web Application. Some web activity logs are held for 60 days, others within the retention period of the database (typically 90 days), or are available from database backups if older than 90 days.

We have several audit tables/columns in our databases for when things are changed, where the last timestamp and user are recorded if a change to data is made directly. We also only allow edit access to the database to a limited number of internal users; this is managed via Active Directory. Note that all data is stored in the data centres.

Change management

Yes. A formal process is in place using the ServiceNow application. Further details on the process can be provided on request.

General information security (IS)

Yes, Microlise has a documented and maintained policy that considers as a minimum the following areas: information risk management regime, network security, user education and awareness, malware prevention, removable media controls, secure configuration, managing user privileges, incident management, monitoring, and home and mobile working (and physical security).

Yes. In the general terms and conditions of employment and/or corporate policy. (For the avoidance of doubt this should cover full-time employees, contractors, and agency staff).

Yes. Roles and responsibilities have been assigned and are formalised in accordance with and form part of corporate policy.

Yes. Further details on any specific policies can be provided on request.

Yes. Microlise has an inventory of our organisation’s assets and ensures that all information-related assets have a defined owner, who ensures that, where appropriate, assets have rules for their acceptable use.

Password security

Yes. In addition, we ensure that password files can only be accessed by administrators with the business need and permissions to do so.

Yes. Further details on this policy can be provided on request.

Yes. Customer passwords are configured within the HTTPS secure portal.

For Microlise employees, there is a policy and process in place. Further details of the policy can be provided on request.

TMC is configurable and supports federated SSO to allow the customer to tie in with their identity provider.

Third parties, suppliers & subcontractors

Yes. It ensures that all relevant ‘cyber standards’ required through contracts or regulation are flowed down. We also have additional requirements that are flowed down as required.

Schedule Execution Board (SEB) tool

User authentication takes place in the application itself against a local user store.

If a customer is on the Microlise Identity Provider platform, then Single Sign On (SSO) integration with their preferred identity provider can be implemented.

The level of access of individual users at the customer end is controlled by the customer. There are options for varied levels of access, depending on requirement.

Yes. The Microlise Identity Provider platform supports SAML 2.0.

Our Federated Identity Management Integration Guide states our current capability in this area.