PUBLIC

Technical and Organizational Data Security Measures STATEMENT

Contents

Revision History  3
Important Disclaimer  3
Introduction  4
Permitted Use  4
Questions or Feedback  4
Common Security Measures & Controls  4
Geotab Employee Policies  4
Segregation of Duties  5
Data Centers, Technology Service Providers  5
Public Cloud Security  5
Access Control of Processing Areas  6
Access Control to Data Processing Systems  6
Access Control to Use Specific Areas of Data Processing Systems  6
Data Transmission Control  7
Access Monitoring  7
Systems Monitoring  7
Penetration Testing / Vulnerability Scans  8
Audits  8
Security Incidents  8
Responsible Disclosure  8
Business Continuity  9
Special Interest Group Memberships and Subscriptions  9
Contact Geotab  10
Resources  10
Appendix 1: MyGeotab & GO Device Security  12
Geotab GO Device Data Security  12
MyGeotab System Security Measures  12
Data Transmission  12
System Access  12
Input Control  13
Separation of Processing for Different Purposes  13
General Concerns  14
Customer Data Residency  14
Data Availability & Backups  14
Data Retention, Correction and Deletion  15
Data Retention  15
Data Correction & Deletion Options  15
Data Purge Approach  15
Data Aggregation and Enhancement  15
Architecture Diagram  16
Appendix 2: iGestion and uReaderGPS Security Measures  17
Executive Summary  17
uReaderGPS Device Data Security  17
iGestion System Security Measures  17
Data Transmission  17
System Access  18
Input Control  18
Separation of Processing for Different Purposes  18
General Concerns  19
Customer Data Residency (Telematics, Telematics-related and User data)  19
Data Availability & Backups  19
Data Retention, Correction and Deletion  20
Data Retention  20
Data Correction & Deletion Options  20
Data Purge Approach  20
Intendia Specific Business Continuity  20
Data Aggregation and Enhancement  20
Architecture Diagram  21
Appendix 3: Lat-Lon System Security Measures  22
Executive Summary  22
Lat-Lon Product System Security Measures  22
Data Transmission  22
System Access Control  22
Input Control/Input Validation  23
Separation/Segregation of Processing for Different Purposes  23
General Concerns  23
Customer Data Residency  23
Customer Data Storage Media & Location  23
Customer Data Wipe Out Approach  24
Data Availability & Backups  24
Data Retention, Correction and Deletion  24
Data Retention  24
Data Correction & Deletion Options  24
Data Purge Approach  24
Architecture Diagram  24

Copyright © Geotab Inc. 2024 - All Rights Reserved | www.geotab.com
® denotes a trademark of Geotab Inc., which may be registered in certain countries
Disclaimer: this is a dynamic document intended to be viewed in Google Docs. Any copy, download, or static version of this document is not valid. For the official version of the TOMS, always visit www.geotab.com/security
Revision History

Version | Date | Editor | Changes | Approved By
6.9 | 2018-05-01 | Alan Cawse | Added Revision History | Alan Cawse
7.0 | 2019-01-29 | Alan Cawse | Minor program adjustments | Alan Cawse
7.1 | 2019-03-12 | Geotab Security | Formatting Updates | Alan Cawse
7.2 | 2019-11-11 | Matt Broughall | Updated Purge Policy | Alan Cawse
7.3 | 2020-09-01 | Ryan Brander | Updated to include Linux Servers | Alan Cawse
7.4 | 2020-11-25 | Ryan Brander | Updated Resources to reflect ISO, FedRAMP, and FIPS. | Alan Cawse
8.0 | 2021-12-20 | David Cai, Srishti Solanki, David Lambert | Major version upgrade to include general security measures as well as security controls for specific products including Intendia and Lat-lon products | Alan Cawse
8.1 | 2022-04-12 | Srishti Solanki | Pentest language change for GO devices | Alan Cawse
8.2 | 2022-08-19 | Mark Valerio | Updated email to request PDF copy | Alan Cawse
8.3 | 2023-01-23 | Naveen Pillai | Included the Cyber Essentials certificate in the Resources section | Alan Cawse
8.4 | 2023-03-15 | Neeraj Sharma | Added Contact Geotab section and approved changes to Lat-Lon section in Appendix 3. | Alan Cawse
8.5 | 2023-05-10 | Neeraj Sharma | Updated Lat-Lon sections in Appendix 3 to reflect changes suggested by legal. | Alan Cawse
8.6 | 2023-07-14 | Hari Krishnan | Updated the encryption standard to AES-128 under the Data Transmission section in Appendix 3: Lat-Lon System Security Measures, as confirmed by AVP, Engineering | Alan Cawse

Important Disclaimer

This Statement is subject to change and is updated on a regular basis. By itself, this Statement does not create binding obligations or liability towards Geotab or Geotab's resellers, end users or any other party. For further information on the purpose of this document, see the Introduction.

This document is not intended to be distributed in any format other than a live version accessible via Google Docs. The live version is always available at https://www.geotab.com/security/. To request a copy in PDF format, please email [email protected]. All copies will be marked with a specific expiry date. All readers are encouraged to visit this live document from time to time.
Introduction

This Geotab Technical and Organizational Data Security Measures Statement (referred to as “TOMS”) provides an overview of the technical and organizational data security measures that Geotab Inc. (“Geotab” or “we”) has implemented as our standard approach. By itself, this statement shall not create any rights or entitlements for anyone. If Geotab and its customers incorporate this statement by reference into a contract, then the parties’ rights and obligations shall be determined based on such contract. Security measures for specific Geotab products are outlined in the Appendix sections.

Permitted Use

This document may only be used for a customer’s internal purposes in connection with the specific Geotab products and services. This document undergoes frequent updates. This statement cannot be copied or duplicated without the express written permission of Geotab.

Questions or Feedback

Please direct your questions, feedback or any other information to [email protected].

Common Security Measures & Controls

The security measures and controls described in this section follow the Geotab standard approach horizontally for all Geotab products and services, unless specifically outlined in the Appendix sections.

Geotab Employee Policies

Geotab implements measures and policies to ensure that all Geotab personnel are trained and fully aware of all security and privacy-related policies, and that only specific persons have access to specific areas within the network and systems. To accomplish this:

● Geotab employees are granted very limited credentials, and are only assigned additional credentials when required, upon review and training,
● All Geotab employee passwords are required to be at least 12 characters long, contain at least one number, one uppercase letter and one non-alphanumeric character, and must not contain commonly used words or usernames,
● Only authorized Geotab employees have the ability to gain access to secure areas within the MyGeotab system,
● Any unused or inactive user credentials are automatically disabled after 90 days,
● All Geotab employees undergo fully approved and government-sanctioned background checks,
● All Geotab employees undergo regular security awareness training,
● All access rights follow the principle of least privilege,
● All access requests have to undergo a multifactor authentication process, to ensure that the credentials have not been compromised,