Trust is our foundation

At Umovity - uniting Econolite and PTV - trust is at the core of everything we do, and security is fundamental to the confidence our customers place in us. As a global leader in mobility technology, we are committed to transparency, data security, and responsible innovation.

On this page, we show how we earn and maintain your trust - through certified standards, reliable technologies, and a strong focus on ethical and sustainable practices. 

If you have any questions or would like to learn more about our commitment to trusted, secure mobility solutions, we’d be happy to hear from you.

1. Certification

[Logo: TÜV Süd ISO 27001]

ISO/IEC & SOC Certifications 

PTV is certified to ISO/IEC 27001:2022, reflecting our commitment to a robust Information Security Management System (ISMS). This assures customers that we proactively manage security risks and follow best practices to protect sensitive data and business processes. Econolite holds SOC 2 Type II and SOC 3 certifications, underscoring our dedication to secure, transparent, and resilient mobility solutions. Hosting is region-specific: EU hosting for EEA customers and US hosting for US customers.

ESG (Environmental, Social, and Governance) 

We integrate ESG principles into our corporate governance framework, ensuring that our security and privacy practices align with broader commitments to ethical business conduct, sustainability, and social responsibility. 

Third-Party Audit Reports 

Umovity engages independent security experts to conduct regular penetration tests and security assessments as part of its ongoing commitment to identify and mitigate vulnerabilities in our products and infrastructure. Summaries of these third-party audits may be available to customers upon request with adequate confidentiality assurances.

2. Data Protection

Data Protection

We act as a responsible data processor and controller, ensuring personal data is handled lawfully, transparently, and securely. PTV and Econolite have entered into a joint responsibility agreement that includes the standard contractual clauses (SCC) provided by the EU to ensure an adequate level of data protection between the companies. For PTV Group’s Data Privacy Statements, please see PTV Group Legal Documents. For Econolite Group’s Data Privacy Statement, please see Privacy Policy - Econolite.

Country of data processing

For cloud-hosted services, Umovity leverages Azure environments that comply with ISO 27001 and SOC 2 standards. For customers within the European Economic Area (EEA), our cloud services are hosted within the European Union. For customers based in the United States, our cloud services are hosted within the USA.

Privacy by Design and by Default

We integrate privacy considerations into every stage of product development and business processes. Default configurations prioritize data protection by minimizing data collection of personally identifiable information and providing users with clear, accessible privacy controls.

Data Processing Agreement

To support our customers in meeting their data protection obligations, PTV and Econolite offer a Data Processing Agreement (DPA), if required.

3. Compliance


Code of Conduct

Umovity maintains a strict Code of Conduct that governs ethical behavior and compliance with laws and regulations by all employees, contractors, and partners. This code supports a culture of integrity and accountability.


Speaking up

Umovity adheres to strict ethical standards, ensuring transparency, accountability, and compliance with all applicable laws. Legal breaches and mishandling of whistleblowing reports are not tolerated. Business partners can report potential violations anonymously via the Speaking Up service at PTV and Econolite, which enables anonymous reporting and communication.


Supplier and Third-Party Risk Management

Umovity expects suppliers and third parties to meet applicable legal and regulatory requirements. A rigorous third-party risk management program is in place to assess risks prior to onboarding and on an ongoing basis.

4. Data Security


Data Classification and Handling

We follow a data classification framework to identify and manage information according to its sensitivity and business impact. Data is categorized (e.g., public, internal, confidential) and handled with appropriate controls to ensure its protection throughout its lifecycle.


Encryption in Transit (TLS 1.2/1.3, HTTPS)

Data transmitted between systems, users, and our services is secured using strong encryption protocols, including TLS 1.2/1.3 and HTTPS. This ensures the confidentiality and integrity of information as it moves across networks.


Secure Backup and Data Recovery

We maintain encrypted backups of critical data, stored in geographically diverse locations. Regular testing of backup and recovery procedures ensures data availability and integrity in the event of accidental loss or disaster.


Data Isolation

Data belonging to different customers or business units is logically separated within our systems. This isolation prevents unauthorized access and ensures that each customer’s data remains private and secure.


Encryption at Rest (AES-256, Disk Encryption)

All sensitive data is encrypted at rest using industry-standard algorithms such as AES-256. Disk-level encryption is enforced across our infrastructure, ensuring that stored information remains protected against unauthorized access.


Secure Key Storage and Rotation

Encryption keys are managed using dedicated key management systems, with strict access controls and regular rotation policies. Keys are stored securely, and their lifecycle is governed by best practices to minimize risk.


Data Retention and Deletion Policies 

Clear data retention policies define how long information is stored and when it is securely deleted. Automated processes ensure timely removal of data that is no longer required, in compliance with legal and contractual obligations.

5. Governance, Process, and Culture


Security Governance

Our security governance framework establishes clear roles, responsibilities, and oversight for information security. A dedicated team oversees policy development, risk management, and compliance activities, ensuring alignment with organizational objectives.


Security Awareness Training for Employees

All employees receive mandatory security awareness training tailored to their roles. Training covers topics such as phishing, social engineering, and secure data handling, empowering staff to recognize and respond to security risks.


Security Policies and Procedures

A comprehensive set of security policies and procedures guides all aspects of our operations. These documents are regularly reviewed and updated to reflect evolving threats, regulatory requirements, and industry best practices.


Security Incident Management

We maintain a robust incident management process to detect, respond to, and recover from security events. Incidents are thoroughly investigated, and lessons learned are used to strengthen our defenses and prevent recurrence.


Security Culture

We foster a strong security culture through ongoing education, leadership commitment, and employee engagement. Security is integrated into our daily operations, encouraging proactive risk management and responsible behavior at all levels.


Business Continuity Management

Our business continuity program ensures that critical operations can continue during and after disruptive events. Plans are regularly tested and updated, covering disaster recovery, crisis communication, and resource availability.


Security Risk Assessments

Regular risk assessments are conducted to identify and evaluate potential threats to our information assets. Findings drive the implementation of targeted controls and continuous improvement of our security posture.

6. Secure Software Development & Vulnerability Management


Secure Software Development Lifecycle (SDLC) 

Security is embedded throughout our SDLC, from initial design to deployment and maintenance. We apply secure coding standards, conduct regular reviews, and integrate security testing into every development phase.


Code Review and Static Code Analysis

All code undergoes rigorous review and static analysis to identify vulnerabilities and ensure adherence to security standards. Automated tools and peer reviews help maintain code quality and reduce risk.


Penetration Testing

Regular penetration tests are conducted by independent experts to identify and address vulnerabilities in our applications and infrastructure. Findings are prioritized and remediated promptly to maintain a strong security posture.


Patch and Vulnerability Management

Critical systems are regularly updated with security patches to address emerging threats. Our patch management process ensures that vulnerabilities are promptly identified and resolved, minimizing exposure to potential attacks.


Threat Modeling

Threat modeling is performed during the design phase to anticipate potential attack vectors and implement effective countermeasures. This proactive approach helps us build resilient systems from the ground up.


Vulnerability Management and Remediation

We operate a continuous vulnerability management program, leveraging automated scanning and manual assessments. Identified issues are tracked.

7. Infrastructure, Resilience & Endpoint Security


High Availability and Redundancy

Our infrastructure is designed for high availability, leveraging redundant systems and failover mechanisms to minimize downtime. Continuous monitoring and automated recovery processes ensure that our services remain accessible and reliable, even during unexpected events.


System Hardening and Baseline Configuration

We apply rigorous system hardening measures to all infrastructure components, removing unnecessary services, and applying secure configuration baselines. Regular reviews and automated compliance checks ensure that systems remain resilient against emerging threats and adhere to industry best practices.


Endpoint Protection and Antivirus

All endpoints are protected by advanced security solutions, including antivirus, anti-malware, and endpoint detection and response (EDR) tools. Regular updates and real-time monitoring help prevent, detect, and respond to threats targeting user devices and servers.


Backup and Disaster Recovery Planning

Robust backup strategies are in place to safeguard critical data, with encrypted backups stored in geographically diverse locations. Our disaster recovery plans are regularly tested to ensure rapid restoration of services and data integrity in the event of system failures or disasters.

8. Policies


Security Policies and Procedures

A comprehensive suite of security policies and procedures governs all aspects of our operations. These documents are regularly reviewed and updated to reflect changes in the threat landscape, regulatory requirements, and organizational priorities.


Incident Response Policy

A formal Incident Response Policy defines the procedures for detecting, reporting, and responding to security incidents. The policy ensures a coordinated and effective response to minimize impact and support continuous improvement.


Least Privilege Principle

Access to systems and data is granted strictly on a need-to-know basis. The least privilege principle is enforced across all roles and environments, minimizing the potential impact of compromised accounts or insider threats.


Acceptable Use Policy

Our Acceptable Use Policy outlines the appropriate and prohibited uses of company resources, ensuring that all users understand their responsibilities and the consequences of policy violations.


Whistleblower Policy

We foster a culture of transparency and accountability through our Whistleblower Policy, which provides secure and confidential channels for reporting unethical or illegal activities without fear of retaliation.


Password Policies and Management

We enforce strong password policies, including complexity requirements, regular rotation, and secure storage. Password management tools and multi-factor authentication are used to further strengthen account security and reduce the risk of unauthorized access.


Identity Lifecycle Management 

We maintain strict controls over the entire identity lifecycle, from onboarding to offboarding. Automated processes ensure timely provisioning and deprovisioning of access, reducing the risk of orphaned accounts and unauthorized access.


Segregation of Duties

Critical functions are separated among different individuals or teams to prevent conflicts of interest and reduce the risk of fraud or error. Segregation of duties is enforced through technical controls and regular audits.


Periodic Access Reviews

Regular access reviews are conducted to validate that permissions remain appropriate for each user’s role. Any unnecessary or excessive privileges are promptly revoked, ensuring continuous alignment with security and compliance requirements.