How we protect vehicle data, manage access, and meet the requirements of European regulators and government data providers.
All processing and storage happens within the EU/EEA. No consumer-grade clouds.
Access granted only where required, reviewed periodically, and removed when no longer needed.
Devices use encrypted storage. Multi-factor authentication on systems handling restricted data.
Data from authorities is used strictly within agreed boundaries and never transferred outside permitted environments.
This page summarises Good2Know's principles for governance, security, and privacy. It applies to all employees, contractors, and systems involved in handling vehicle data, including data provided by government authorities. The full internal policy is available to enterprise customers and government partners on request.
Good2Know maintains a company-wide data protection policy that sets expectations for lawful, fair, and transparent processing of personal data, in line with the GDPR and applicable national legislation. Responsibilities, controls, and the framework for handling personal data are defined and reviewed.
Our information security policy establishes the principles for protecting information assets: confidentiality, integrity, and availability. It defines the baseline expectations that govern how systems, data, and resources are safeguarded.
We follow a unified approach to security and privacy risk. Risks are identified and assessed at a principle-based level, with proportionate measures taken to address them. Risk evaluation is part of planning and operations, not an afterthought.
Good2Know maintains principles describing when a Data Protection Impact Assessment or Transfer Impact Assessment is required. These ensure that GDPR obligations are evaluated whenever processing involves elevated risk or international transfers.
Processing activities are documented and kept up to date. Our Records of Processing Activities (ROPA) is maintained separately, with principles in place to ensure accuracy and ongoing compliance.
Data provided by Traficom and other government authorities is handled strictly within the boundaries set by applicable agreements and legislation. Specifically:
Access is granted on a least-privilege basis. Rights are assigned to individuals whose tasks require them, reviewed periodically, and revoked when no longer needed. Multi-factor authentication is required where appropriate, particularly for systems processing sensitive or restricted data.
Cloud services used by Good2Know operate within the EU/EEA and meet business-grade security requirements. We do not use consumer-grade cloud services for any restricted or government-provided data. All cloud environments operate under our access control, logging, and device governance expectations.
Activity in systems that process restricted data is logged. Logs include the information necessary to fulfil their purpose (timestamps, search parameters, actor identifiers) and exclude response payloads. Logs are:
Information security incidents — including any related to restricted or government-provided data — are logged and addressed in a timely manner. Where applicable, external reporting obligations are acknowledged and met in line with relevant requirements.
Removable media is checked for threats before use, and automatic execution of content from removable media is not permitted.
Data is retained only as long as necessary for its purpose and deleted once that purpose has concluded. Retention principles apply to all data categories handled by Good2Know.
Programmatic access to Good2Know systems is governed by:
Only providers offering EU/EEA hosting, organisational-grade controls, and contractual security commitments may process restricted or government-provided data on our behalf. Supplier compliance is reviewed periodically. Onward transfer of data is prohibited unless explicitly permitted.
Backups are maintained as appropriate, and systems are designed to support recovery in the event of disruption. Our resilience principles set expectations for availability, integrity, and preservation of data during disruptions.
Compliance with applicable requirements is monitored on a periodic, risk-based basis, in alignment with our internal governance expectations.
This policy is maintained, reviewed, and updated in alignment with organisational requirements. It remains valid until superseded by a formally approved version. The full internal policy, including detailed control descriptions, is available to enterprise customers and government data partners under appropriate confidentiality terms.
Enterprise customers, government data providers, and integration partners can request our full Governance, Security & Privacy Policy, alongside DPA and supporting documentation.