Built Secure, Certified, Trusted: Proemion’s Security Framework
Author: Fabio Genovese, Information Security Manager
Release date: February 5, 2026
Executive Summary
Proemion’s telematics solutions are engineered with security at the core. Over the past decade, we have continuously advanced our security posture, from early measures like hardware Trusted Platform Modules (TPMs) and TLS encryption in 2016 to today’s comprehensive security program led by a dedicated Cyber Security team. In 2026, Proemion received ISO/IEC 27001:2022 certification, confirming that our information security management system (ISMS) meets strict international standards. This whitepaper outlines how Proemion protects devices, data, and cloud services through robust security architecture and practices.
We integrate security at every phase of the product lifecycle, employ strong cryptography to safeguard data, and ensure the integrity of our device firmware and cloud infrastructure. Highlights of our approach include: secure development practices with code review and testing, hardware-backed device identity and secure boot, cloud infrastructure hardened to industry best practices, continuous vulnerability management (with minimal issues ever found in audits), stringent oversight of third-party vendors, comprehensive physical and personnel security controls, and business continuity plans aligned with ISO 22301 for resilience. Throughout this document, we map these practices to relevant ISO 27001:2022 Annex A control objectives in a digestible way, demonstrating Proemion’s commitment to both technical excellence and compliance.
Secure development lifecycle for all products
Proemion follows a Secure Development Lifecycle (SDLC) to ensure that security is built into our products from the ground up. Every step of designing, building, and deploying our telematics hardware and software includes security checkpoints. We balance a strong security engineering culture with modern development agility, so new features reach customers quickly and safely. Key elements of our SDLC include:
Developer training and awareness
All engineers receive role-appropriate secure development training to stay current on threats and best practices. All developers complete mandatory secure coding training and are encouraged to take part in further security learning, with working time set aside for it. Regular security awareness sessions ensure the team is vigilant about emerging vulnerabilities.
Secure coding standards
We have comprehensive coding standards that go beyond the OWASP Top 10 to cover a broad range of secure coding guidelines. These standards (aligned with ISO 27001’s secure development control) are built into our development process – code cannot be merged and released unless it is compliant. Automated security-focused static analysis and manual code reviews enforce these rules, preventing common weaknesses from ever entering our codebase.
Peer code reviews
We maintain a strict peer review process for all code changes. Experienced engineers (“gatekeepers”) conduct security-focused code reviews on every change, verifying adherence to our secure coding standards and identifying potential vulnerabilities. This four-eyes principle ensures that security isn’t the responsibility of a single person but a shared mindset across the development team.
Dependency management
Our software supply chain is closely monitored. We use trusted sources for third-party libraries and continuously monitor open-source components for vulnerabilities. For example, our source control platform automatically alerts us to known vulnerabilities in dependencies, and we act promptly on them based on severity. We also review the code of new third-party modules before use, assess their security, and integrate them only after they meet our criteria.
Automated testing and QA
Security is part of our "definition of done" for every feature. We integrate unit and security test cases into the continuous integration pipeline. When a bug or vulnerability is fixed, we add regression tests to prevent recurrence. We also test our applications at various stages of the development process, including extensive automated tests during the build and staging environments, as well as manual tests.
Secure deployment practices
Deployments are handled through code and automation to eliminate human error and enforce consistency. We deploy our applications into hardened environments configured via Infrastructure-as-Code and security baseline modules. Each environment (staging, production) is provisioned with secure configurations (e.g., least-privilege access, hardened OS settings) that adhere to industry best practices. All changes to cloud infrastructure or device firmware undergo change management review, and our automated pipelines include security checks before promotion to production.
Through these SDLC measures, Proemion ensures that security is not an afterthought but an integral part of product innovation. Our approach aligns with ISO 27001:2022 Annex A recommendations on secure development (e.g., control 8.28 Secure coding) and change management, translating high-level standards into concrete daily practices.
ISMS and governance
Proemion’s Information Security Management System (ISMS) provides a structured framework for governing and continually improving security across the organization. In 2026, our ISMS achieved ISO/IEC 27001:2022 certification, underscoring that our program meets internationally recognized standards. Rather than focusing on checkbox compliance, we use ISO 27001 as a blueprint for robust governance, risk management, and continuous improvement. Key aspects of our ISMS and security governance include:
Leadership and organizational structure
Security starts from the top. We have a dedicated Information Security Manager and an executive-supported Security Council that sets strategy and monitors risks. This cross-functional Security Council (representatives from R&D, IT, Operations, and related areas) meets regularly to review the security posture, decide on improvements, and ensure accountability. Security objectives are established by management, and progress is reviewed in management review meetings in line with ISO 27001 Clause 9.
Policies and procedures
A comprehensive suite of security policies guides our operations (acceptable use, access control, encryption, incident response, and more). These policies are aligned with ISO 27001 Annex A controls. They cover everything from high-level information security policies and roles & responsibilities to specific areas such as Secure Development and Third-Party Security. All staff must acknowledge and follow these policies, which are reviewed at least annually. Our policy framework is managed in an ISMS platform for version control, approval workflows, and audit traceability.
External Vulnerability Reporting Governance: As part of our ISMS, Proemion maintains a formal Vulnerability Disclosure Policy that defines how external parties can responsibly report security issues affecting our products and services. This public-facing policy establishes governance for intake, triage, researcher communication, coordinated disclosure, and safe-harbor handling, and ensures that externally reported vulnerabilities are processed consistently within our established security and incident management framework. By formalizing these processes, we strengthen transparency, accountability, and continual improvement across our security program.
Risk management
We take a risk-based approach to security decisions. Using ISO 27001’s risk assessment methodology, we identify information security risks, evaluate their likelihood and impact, and apply appropriate controls to mitigate them. Formal risk assessments are conducted periodically and whenever significant changes occur (e.g., new systems, major feature releases). High risks are escalated to leadership and tracked until mitigated or accepted with proper approval. This ensures we allocate resources to the most critical security areas and maintain a strong security posture even as technology and threats evolve.
Continuous compliance and improvement
To maintain continuous compliance, we leverage automation tools (such as the Vanta governance platform) that continuously monitor our controls and alert on any drift. This helps us ensure that security configurations (e.g., AWS settings, laptop hard drive encryption, and user access rights) remain aligned with our policies at all times. Our public Trust Center provides customers and partners with up-to-date information on our security certifications, policies, and controls for transparency. We view compliance as the floor, not the ceiling – internal audits, management reviews, and the Security Council’s oversight drive ongoing improvements beyond baseline requirements.
In 2025, Proemion’s ISMS established governance and accountability for security throughout the organization. We maintain clear security policies, management support, and automated compliance tracking to create a culture of security. This strong foundation translates into consistent, repeatable security practices that meet ISO 27001 standards and instill confidence in our customers and partners.
Data protection and cryptography
Protecting data – both our customers’ and our own – is paramount. Proemion implements multiple layers of data protection, from encryption and key management to data governance processes, to ensure the confidentiality, integrity, and availability of information. We design our systems under the principle that sensitive data must be protected by default, whether at rest, in transit, or in use. Highlights of our data protection and cryptography practices include:
Encryption in transit
All communications between devices, cloud services, and user interfaces are encrypted using strong protocols (TLS 1.2+). Our device connectivity, for instance, uses TLS 1.2 with robust cipher suites to secure telemetry over the air. This ensures that data transmitted between a Proemion Communication Unit (device) and our backend cannot be eavesdropped or tampered with. We routinely review our TLS configurations against industry benchmarks (such as SSL Labs) and have achieved “A+” grades for our endpoints, reflecting a high standard of transport security.
Encryption at rest
Data stored in our cloud databases and endpoints is encrypted at rest to prevent exposure in the event of physical loss or unauthorized access. Our cloud databases, file storage, and backups utilize AES-256 encryption, with keys managed by hardened key management services. Laptops and mobile devices used by Proemion personnel have full-disk encryption enabled. We follow industry guidelines (including NIST SP 800-57) for cryptographic key strength and rotation frequencies. For example, customer data at rest is protected with AES-256 or stronger, and encryption keys are rotated regularly. Passwords are never stored in plaintext; we use strong one-way hashing in accordance with our cryptography policy.
Key management
Cryptographic keys and secrets are handled with great care. Private keys (for servers, devices, code signing, etc.) are stored in secure vaults or hardware security modules, with strict access controls (limited to authorized personnel and requiring multi-factor authentication). Access to keys is granted on a least-privilege basis in line with our Access Control Policy. For especially critical keys, such as offline keys used to sign device firmware, we use a split knowledge and dual control process (see Device and Firmware Security for details). All key usage is logged and monitored to detect any unauthorized access. We also ensure secure key generation with high-quality random number generators and never hard-code secrets in code or firmware.
Data classification and handling
We categorize data (e.g., Public, Internal, Confidential) and apply controls appropriate to each classification. Personal data and other confidential information are handled in compliance with GDPR and other relevant privacy regulations. We minimize the collection of personal data in our telematics platform; when such data is necessary (for example, user account details), we pseudonymize or anonymize it where feasible. Internally, employees are trained on proper data handling – for instance, not to transfer sensitive data over insecure channels and to use company-approved encrypted storage for confidential files.
Retention and disposal
In line with the “data protection by design” ethos, we retain data only as long as needed to fulfil its purpose or meet legal requirements. We have processes to securely dispose of or anonymize data that is no longer required. All storage media that hold confidential data are securely erased or destroyed before decommissioning. We follow a documented data retention schedule, and our Data Management Policy ensures we meet both business needs and compliance obligations.
Proemion’s approach to data protection marries strong cryptographic controls with smart data management. By using state-of-the-art encryption and disciplined data handling practices, we ensure that sensitive information remains confidential and intact throughout its lifecycle. These measures align with ISO 27001:2022’s controls on encryption, access control, and data masking, providing assurance that data is always safe from unauthorized access.
Device and firmware security
Proemion’s telematics devices (often referred to as Communication Units, or CUs) are built to be secure from the ground up. We recognize that these embedded devices operate in the field, often in uncontrolled environments, so they must be resilient against physical tampering and network-based attacks. Our device security encompasses hardware, firmware, and device-cloud interactions. Core capabilities include:
Hardware root of trust
Each Proemion device includes a hardware-based root of trust, such as a Trusted Platform Module (TPM) or a similar secure element. During manufacturing, a unique cryptographic key pair is generated on the device’s TPM, and the private key never leaves this secure chip. The TPM protects the device’s identity and cryptographic operations, such as signing and authentication challenges, ensuring they cannot be extracted or cloned. This means every device has a verifiable identity and can authenticate with our cloud platform securely; because the private key never leaves the TPM, the device credential cannot be phished or copied.
Encrypted communications
All data exchanged between devices and the cloud is end-to-end encrypted. Building on the TPM-backed device identity above, we establish a mutually authenticated, encrypted TLS session for every connection. This protects telemetry data and control commands in transit against eavesdropping or manipulation. Even if devices communicate over untrusted networks (e.g., public cellular or Wi-Fi), encryption (TLS 1.2/1.3 with strong ciphers) and authentication guarantee the confidentiality and integrity of the data stream.
Secure boot and firmware integrity
We implement a secure firmware update and boot process to maintain device integrity. Only firmware signed with a cryptographic key can be installed and run on Proemion devices. Each firmware binary is signed by Proemion with a strong Ed25519 elliptic-curve signature (EdDSA) before release. The device verifies the signature using a built-in public key (updated via secure updates) before accepting new firmware. This ensures that devices will reject any tampered or unauthorized firmware image – an attacker cannot run rogue code on the device without access to our signing keys. Additionally, the bootloader and runtime include checks to ensure the firmware has not been altered, establishing a chain of trust from power-on to application startup. Together, these measures provide a robust, secure boot flow: the device installs only images verified as originating from Proemion.
Firmware signing key protection
The private keys used to sign device firmware are protected through a centralized, approval-driven signing process based on the internally developed Pinscriber system and AWS Key Management Service (KMS). Firmware signing is performed only after a release is finalized and a signing request is issued via Slack. Each signing request requires approval from at least two independent authorized approvers, enforcing a four-eyes principle and ensuring that no single individual can authorize or execute firmware signing alone. Pinscriber serves as an authorization and orchestration layer, while the cryptographic signing operation is performed by AWS KMS. Firmware signing keys are securely stored in AWS KMS, and private key material never leaves the service nor is exposed in plaintext. Only designated signing components can invoke cryptographic operations, and all signing activities are logged and auditable. A secure offline backup of the keys is maintained in the company vault for disaster recovery purposes only and is not part of normal signing workflows.
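The secure boot flow and the four-eyes signing gate described above, as an added example written for this page (it is not Proemion's Pinscriber code, and it stands in for AWS KMS with an in-process Ed25519 key). The image layout (a constructed 4-byte magic, a 4-byte version, then the payload), the anti-rollback version check in the bootloader-side verifier, and the rule that a requester may not approve their own signing request are assumptions made for illustration; the page only states that images are Ed25519-signed, verified against a built-in public key before acceptance, and signed only after two independent approvals.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative image layout (an assumption, not Proemion's real format):
//   magic (4 bytes) | version (4 bytes, big-endian) | payload
// The Ed25519 signature covers the whole image, header included, so a
// modified header is rejected just like a modified payload.
const headerLen = 8

var magic = [4]byte{'P', 'F', 'W', '1'} // constructed magic value

// BuildImage assembles header + payload on the release side.
func BuildImage(version uint32, payload []byte) []byte {
	img := make([]byte, headerLen+len(payload))
	copy(img[0:4], magic[:])
	binary.BigEndian.PutUint32(img[4:8], version)
	copy(img[headerLen:], payload)
	return img
}

// SignImage produces the detached signature the device will check.
// In the process the page describes, this step is performed by AWS KMS;
// here a local key stands in for it.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// VerifyImage is the bootloader-side check. pub is the public key built
// into the device; installedVersion is the firmware currently running.
// It returns the accepted image's version, or an error if the image is rejected.
func VerifyImage(pub ed25519.PublicKey, image, sig []byte, installedVersion uint32) (uint32, error) {
	if len(image) < headerLen {
		return 0, errors.New("image too short")
	}
	// Check the signature before trusting any header field, so an unsigned
	// header can never influence the decision.
	if !ed25519.Verify(pub, image, sig) {
		return 0, errors.New("signature verification failed: image rejected")
	}
	if !bytes.Equal(image[0:4], magic[:]) {
		return 0, errors.New("not a firmware image")
	}
	version := binary.BigEndian.Uint32(image[4:8])
	// Anti-rollback check (assumption): a signed but older image must not replace a newer one.
	if version < installedVersion {
		return 0, fmt.Errorf("rollback rejected: version %d < installed %d", version, installedVersion)
	}
	return version, nil
}

// ApproveSigning models the four-eyes rule: a signing request proceeds only
// with at least two distinct approvers. That the requester may not be one of
// them is an additional assumption of this example.
func ApproveSigning(requester string, approvers []string) error {
	seen := map[string]bool{}
	for _, a := range approvers {
		if a == requester {
			return fmt.Errorf("requester %q cannot approve their own request", a)
		}
		seen[a] = true
	}
	if len(seen) < 2 {
		return errors.New("at least two distinct approvers required")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if err := ApproveSigning("alice", []string{"bob", "carol"}); err != nil {
		panic(err)
	}
	image := BuildImage(2, []byte("constructed firmware payload"))
	sig := SignImage(priv, image)
	v, err := VerifyImage(pub, image, sig, 1)
	fmt.Println("genuine image: version", v, "err:", err)

	tampered := append([]byte(nil), image...)
	tampered[len(tampered)-1] ^= 0x01 // flip one payload bit
	_, err = VerifyImage(pub, tampered, sig, 1)
	fmt.Println("tampered image:", err)
}
```

The order of checks in VerifyImage is the point worth copying: nothing in the header (magic, version) is interpreted until the signature over the entire image has been verified, so the only inputs that reach the parsing logic are ones Proemion's signing key has vouched for.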
Software hardening
Device firmware is developed using security-oriented coding practices (as defined in the SDLC) and is subjected to thorough testing. We employ defensive programming techniques and built-in mitigations; for example, critical components are written in memory-safe languages when possible to eliminate entire classes of vulnerabilities (e.g., buffer overflows). In fact, we are introducing memory-safe languages for new modules in device software to further bolster security. The device’s operating system is minimal, reducing the attack surface, and we use features such as process sandboxing and system security configurations to limit each process's capabilities on the device. If an exploit were attempted, these layers of defense make it significantly harder to succeed or cause meaningful damage.
Through these measures, Proemion devices are safeguarded against unauthorized access, malicious firmware, and network attacks. Our approach aligns with best practices for IoT security and relevant ISO 27001 controls (e.g., secure system engineering, access control, and cryptographic protections). The result is that customers can deploy our devices with confidence: the data they collect and transmit is secure, and the devices themselves are resistant to compromise in the field.
Cloud infrastructure and operations
Proemion’s cloud infrastructure is the backbone of our global connectivity platform, and we secure it using a defense-in-depth strategy. We leverage Amazon Web Services (AWS) as our primary cloud provider and adhere closely to AWS’s security best practices. Our approach can be summarized as secure by design and monitored continuously. Key aspects of our cloud infrastructure security and operations include:
Architecture built on best practices
We design our cloud systems in line with the AWS Shared Responsibility Model and the AWS Well-Architected Framework. This means we clearly delineate which security controls AWS manages (e.g., physical data center security and underlying hardware) and which we manage (e.g., everything from the operating system up). Production workloads are kept separate from development and testing environments. Our cloud environment is segmented into multiple virtual networks (VPCs) and accounts to isolate workloads within production, and we further segregate services by function and sensitivity. Network security groups and firewalls enforce the principle of least privilege: services communicate only on required ports/protocols. We also implement AWS’s recommended protective services, such as Web Application Firewalls (AWS WAF) for our web services, and AWS Shield for DDoS protection on public endpoints.
Secure configuration and hardening
All servers (whether EC2 instances, containers, or serverless functions) are launched from hardened images and configurations. We regularly update base images and automate the application of secure settings (e.g., disabling unused ports and enforcing CIS benchmark configurations). Cloud services like databases, caches, and storage buckets are configured with security in mind: encryption at rest enabled, strict access policies, and no public access unless absolutely necessary. Administrative access to cloud systems requires multi-factor authentication (MFA) and is tightly controlled via AWS Identity and Access Management (IAM) roles. We also utilize automated configuration scanning tools to detect misconfigurations or drifts from our security baseline, aligning with ISO controls for secure configuration management.
Identity and access management
We maintain strict control over access to cloud resources. Every user and service in our cloud environment operates under a dedicated identity with tailored permissions. We avoid long-lived static credentials by using IAM roles and temporary tokens wherever possible. Multi-factor authentication is mandatory for all console and VPN access. Administrative actions in cloud accounts are limited to a small number of engineers, and all access is logged. We periodically review and right-size permissions to ensure no user or system has more access than required (supporting least privilege and ISO Annex A identity management controls).
Monitoring, logging, and threat detection
Our cloud platform is continuously monitored. We aggregate logs from all critical systems – including audit logs, network flow logs, OS logs, and application logs – into a centralized Security Information and Event Management (SIEM) system. Security-relevant events (e.g., authentication failures, configuration changes, anomalous network traffic) trigger alerts for our security team to investigate. We use AWS CloudTrail and AWS Config to record and assess actions in our environment. Additionally, we employ intrusion detection and file integrity monitoring on key systems to catch any signs of compromise. Our operations team also integrates threat intelligence feeds, so we’re aware of emerging threats (such as zero-day vulnerabilities or active cyberattacks) and can proactively strengthen defenses or apply patches, in line with Annex A’s new control on threat intelligence.
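The kind of alerting logic the monitoring paragraph describes, as an added example (not Proemion's SIEM rules) run over constructed, simplified CloudTrail-style records. Three of the event classes named above are covered: repeated console authentication failures for one user, a console login that completed without MFA (the page states MFA is mandatory for console access), and security group changes as configuration changes. The records, the rule names and the failure threshold are assumptions; the field names `eventName`, `responseElements.ConsoleLogin` and `additionalEventData.MFAUsed` are real CloudTrail fields, but the sample values are invented.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the subset of CloudTrail record fields the rules below use.
type Event struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	EventSource  string `json:"eventSource"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		UserName string `json:"userName"`
	} `json:"userIdentity"`
	// Simplified to string maps; real records nest objects here for many APIs.
	ResponseElements    map[string]string `json:"responseElements"`
	AdditionalEventData map[string]string `json:"additionalEventData"`
}

type Alert struct {
	Rule, User, Detail string
}

// Security-group mutations treated as configuration changes worth an alert.
var sgChangeEvents = map[string]bool{
	"AuthorizeSecurityGroupIngress": true,
	"AuthorizeSecurityGroupEgress":  true,
	"RevokeSecurityGroupIngress":    true,
	"RevokeSecurityGroupEgress":     true,
}

// Detect parses one JSON record per line and returns alerts in record order.
// failThreshold failed console logins by the same user raise one alert.
func Detect(lines []string, failThreshold int) ([]Alert, error) {
	var alerts []Alert
	failures := map[string]int{}
	for i, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		user := ev.UserIdentity.UserName
		switch {
		case ev.EventName == "ConsoleLogin" && ev.ResponseElements["ConsoleLogin"] == "Failure":
			failures[user]++
			if failures[user] == failThreshold { // fire once, when the threshold is reached
				alerts = append(alerts, Alert{"repeated-login-failures", user,
					fmt.Sprintf("%d failed console logins, last from %s", failThreshold, ev.SourceIP)})
			}
		case ev.EventName == "ConsoleLogin" && ev.ResponseElements["ConsoleLogin"] == "Success":
			if ev.AdditionalEventData["MFAUsed"] != "Yes" {
				alerts = append(alerts, Alert{"console-login-without-mfa", user,
					"MFAUsed=" + ev.AdditionalEventData["MFAUsed"]})
			}
		case sgChangeEvents[ev.EventName]:
			alerts = append(alerts, Alert{"security-group-change", user,
				ev.EventName + " at " + ev.EventTime})
		}
	}
	return alerts, nil
}

// SampleEvents are constructed records for this example, not real log data.
var SampleEvents = []string{
	`{"eventTime":"2026-02-05T08:00:01Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}`,
	`{"eventTime":"2026-02-05T08:00:09Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}`,
	`{"eventTime":"2026-02-05T08:00:15Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"198.51.100.7","userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}`,
	`{"eventTime":"2026-02-05T08:02:00Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"203.0.113.5","userIdentity":{"userName":"bob"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}`,
	`{"eventTime":"2026-02-05T08:03:00Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","sourceIPAddress":"203.0.113.9","userIdentity":{"userName":"carol"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}`,
	`{"eventTime":"2026-02-05T08:05:00Z","eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","sourceIPAddress":"203.0.113.5","userIdentity":{"userName":"bob"},"responseElements":null,"additionalEventData":null}`,
	`{"eventTime":"2026-02-05T08:06:00Z","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","sourceIPAddress":"203.0.113.9","userIdentity":{"userName":"carol"},"responseElements":null,"additionalEventData":null}`,
}

func main() {
	alerts, err := Detect(SampleEvents, 3)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] user=%s %s\n", a.Rule, a.User, a.Detail)
	}
}
```

The MFA rule deliberately alerts when `MFAUsed` is anything other than "Yes", so a record where the field is missing is treated as a finding rather than silently passing; for a control the page calls mandatory, the absence of evidence should be visible.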
Resilience and backup
High availability and continuity are built into our cloud architecture. We deploy critical services across multiple availability zones to withstand data center outages. Data is regularly backed up (encrypted) to guard against catastrophic failures in the cloud region. We periodically perform recovery drills to validate that backups can be restored and systems rebuilt within our Recovery Time Objectives. In the event of any service disruption, our incident response and operations teams have playbooks to quickly mitigate impact and keep customers informed. (Business continuity is discussed more in a later section, but it’s worth noting that our cloud setup is designed to be resilient by default.)
DevOps and change management
Our cloud operations follow a DevSecOps model, where security is built into the workflow. Infrastructure changes (such as modifying network rules or deploying a new service) go through code review and automated testing, just like application code. We utilize infrastructure-as-code templates, meaning environment configurations are version-controlled and auditable. Before applying changes, we run automated policy checks (e.g., “does this change open any ports that shouldn’t be open?”, “are encryption settings enabled?”). Only after these checks and approvals pass are changes applied, typically automatically. This reduces the chance of human error causing a security gap and ensures traceability of every infrastructure change.
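The two policy questions quoted above ("does this change open any ports that shouldn't be open?", "are encryption settings enabled?"), as an added example of a pre-apply check (not Proemion's pipeline code). It evaluates a constructed, simplified plan document; the format is an assumption for this example and is not Terraform's real plan JSON, and the allowlist of ports that may be exposed to the whole Internet (only 443) is likewise an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Simplified plan format (constructed for this example; not Terraform's plan JSON).
type Rule struct {
	FromPort   int      `json:"from_port"`
	ToPort     int      `json:"to_port"`
	Protocol   string   `json:"protocol"`
	CIDRBlocks []string `json:"cidr_blocks"`
}

type Resource struct {
	Type      string `json:"type"`
	Name      string `json:"name"`
	Ingress   []Rule `json:"ingress"`
	Encrypted *bool  `json:"encrypted"` // nil means the setting is absent from the plan
}

type Plan struct {
	Resources []Resource `json:"resources"`
}

// Ports that may be reachable from any address (assumption: HTTPS only).
var internetAllowedPorts = map[int]bool{443: true}

// isAnywhere reports whether a CIDR covers every address (0.0.0.0/0 or ::/0).
func isAnywhere(cidr string) bool {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return false
	}
	ones, _ := n.Mask.Size()
	return ones == 0
}

// EvaluatePlan returns one message per policy violation, in plan order.
// An empty result means the change may be applied.
func EvaluatePlan(data []byte) ([]string, error) {
	var plan Plan
	if err := json.Unmarshal(data, &plan); err != nil {
		return nil, fmt.Errorf("invalid plan: %w", err)
	}
	var violations []string
	for _, r := range plan.Resources {
		switch r.Type {
		case "aws_security_group":
			for _, rule := range r.Ingress {
				for _, c := range rule.CIDRBlocks {
					if !isAnywhere(c) {
						continue // internal source ranges are not covered by this check
					}
					// "-1" is the all-protocols wildcard; a 0-65535 range is equally broad.
					wide := rule.Protocol == "-1" || (rule.FromPort == 0 && rule.ToPort == 65535)
					if wide || rule.FromPort != rule.ToPort || !internetAllowedPorts[rule.FromPort] {
						violations = append(violations, fmt.Sprintf(
							"security group %q exposes %s %d-%d to %s",
							r.Name, rule.Protocol, rule.FromPort, rule.ToPort, c))
					}
				}
			}
		case "aws_s3_bucket":
			// Absent counts as disabled: the plan must state encryption explicitly.
			if r.Encrypted == nil || !*r.Encrypted {
				violations = append(violations, fmt.Sprintf(
					"bucket %q: encryption at rest not enabled", r.Name))
			}
		}
	}
	return violations, nil
}

// SamplePlan is a constructed change set: one acceptable and one unacceptable
// Internet-facing rule, one internal rule, one encrypted and one unencrypted bucket.
const SamplePlan = `{
  "resources": [
    {"type": "aws_security_group", "name": "web", "ingress": [
      {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
      {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
    {"type": "aws_security_group", "name": "db", "ingress": [
      {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]}]},
    {"type": "aws_s3_bucket", "name": "telemetry-archive", "encrypted": true},
    {"type": "aws_s3_bucket", "name": "scratch", "encrypted": false}
  ]
}`

func main() {
	violations, err := EvaluatePlan([]byte(SamplePlan))
	if err != nil {
		panic(err)
	}
	for _, v := range violations {
		fmt.Println("DENY:", v)
	}
	if len(violations) == 0 {
		fmt.Println("plan passes policy checks")
	}
}
```

In a pipeline the non-empty result would fail the job before anything is applied; treating a missing encryption setting the same as a disabled one is the design choice that keeps a silently defaulted resource from slipping through.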
In summary, our cloud infrastructure is managed with the same rigor as our software: designed securely, configured to least privilege, continuously observed, and improved over time. By following frameworks such as AWS Well-Architected and aligning with ISO 27001’s cloud security guidance, we ensure that our backend systems – and, by extension, our customers’ data and services – are safe in the cloud.
Vulnerability management and testing
In cybersecurity, being proactive is just as important as having strong preventive controls. Proemion runs a comprehensive vulnerability management program to find and fix weaknesses before they can be exploited. We combine automated scanning, expert testing, and structured remediation processes to keep our product and infrastructure secure over time. Our approach to vulnerability management and security testing includes:
Continuous scanning
We continuously scan our systems and applications for vulnerabilities. This includes running automated vulnerability scanners on our external web services (to detect outdated libraries or misconfigurations), performing internal network scans of our cloud environment, and regularly running static code analysis on our code repositories. We also leverage dependency scanning tools that alert us to any newly discovered flaws in third-party components we use. Thanks to our secure coding practices and prompt patching, these scans have not identified any high- or critical-severity vulnerabilities in recent years. This is a testament to our “secure by design” philosophy – issues are prevented or caught early in development, so production scans mostly confirm our security posture.
Penetration testing
Proemion conducts rigorous penetration testing to gain an attacker’s perspective on our defenses. We conduct at least annual third-party penetration tests of our cloud services, web applications, and even embedded devices. These tests are performed by accredited security firms to identify vulnerabilities or logic flaws that automated tools might miss. Additionally, our internal security engineers conduct targeted pentests when significant new features or architectures are introduced (e.g., a new API or a major network redesign). The results of these tests are reviewed by leadership, and any findings, even low-risk ones, are tracked to resolution. Notably, recent annual penetration tests have resulted only in low-risk findings, indicating that our proactive measures are effective.
Coordinated Vulnerability Disclosure: In addition to internally initiated scanning and penetration testing, Proemion maintains a formal Vulnerability Disclosure Policy (VDP) that enables external security researchers, customers, and other third parties to responsibly report suspected vulnerabilities in our products and services. The policy defines reporting channels, scope, researcher guidelines, triage expectations, coordinated disclosure timelines, and a good-faith safe harbor framework. All submitted reports are received through a dedicated security contact and handled through structured validation, risk assessment, remediation, and communication workflows by our security team. This external reporting mechanism complements our internal assurance activities by helping identify issues that automated tooling or scheduled assessments may not surface, while ensuring that findings are managed professionally, confidentially, and in a manner that protects customers. Our VDP is aligned with ISO/IEC 29147:2018 and supports our broader ISO/IEC 27001:2022-aligned incident management and continual improvement processes.
Patch management
Upon discovery of a vulnerability – whether via scanning, pentesting, or a reported issue – we act swiftly to remediate. We have defined SLAs based on severity: for example, critical vulnerabilities are patched or mitigated as an emergency (typically within 24 hours), high-severity vulnerabilities are addressed within a few days, and so on. Our development and DevOps teams are experienced in rapid patch cycles, including out-of-band updates when needed. For cloud and server components, we use automated patching for routine updates and can quickly roll fixes into production via our CI/CD pipeline. For device firmware, if a security issue is found, we prepare a firmware update and deliver it over-the-air to affected devices, ensuring field units get patches in a timely manner. We also monitor upstream vendor notices (e.g., when a critical vulnerability is announced in an OS, library, or cloud service we use) and apply those fixes or workarounds immediately as part of our threat intelligence process.
Security testing in SDLC
In addition to external-facing vulnerability management, we embed testing in our development lifecycle (as noted earlier). This includes threat modeling for new architectures, secure code review steps, and automated test cases for security features. Before a major release, our QA process includes security regression testing to ensure that previously fixed issues remain fixed and no new vulnerabilities have been introduced. We treat security bugs with the same or higher priority as functionality bugs; a release cannot proceed if it introduces a serious security issue. This philosophy keeps our products robust by design and reduces bug-fix firefighting in production.
Incident response readiness
Vulnerability management is closely tied to incident response. In the rare event that a vulnerability is exploited or a security incident occurs, our Incident Response Plan (aligned with ISO 27001 A.5 and A.16 controls) is activated. We have a 24/7 on-call rotation for incidents and a defined process to contain, eradicate, and recover from incidents, as well as to communicate with affected parties. Lessons learned from incidents or near misses feed into our risk management and development processes, creating a feedback loop for improvement.
By proactively identifying weaknesses and rapidly fixing them, Proemion stays ahead of potential threats. Our proactive stance – driven by our Security Council’s oversight and continuous improvement ethos – means that security issues are rare and small when they do occur. Customers and partners can be confident that we are not resting on our laurels; we are always testing our own defenses so that you don’t have to. This ongoing vigilance aligns with ISO 27001:2022’s emphasis on technical vulnerability management and security testing, ensuring we meet and exceed industry standards for maintenance of a secure environment.
Third-party security
Proemion does not work in isolation – we rely on various third-party providers for infrastructure, components, and services, and we integrate with customer and partner systems. We understand that our security posture is only as strong as the weakest link, so we extend our security diligence to third parties as well. Our third-party security program ensures that suppliers, vendors, and partners meet high security standards and that data shared with them remains protected. Key aspects of our approach include:
Supply chain risk management
We maintain an inventory of our critical suppliers and service providers (cloud hosting, software libraries, manufacturing partners, etc.) and assess their security posture. For each third party that will handle sensitive data or operations, we conduct due diligence during onboarding, which may include reviewing their security certifications (e.g., ISO 27001, SOC 2 reports), regulatory compliance (e.g., GDPR), and their overall reputation. We use a standardized questionnaire based on industry frameworks to evaluate their controls. The risks are documented, and high-risk findings must be mitigated or compensated for before engagement.
Security requirements in contracts
Proemion’s supplier agreements include specific provisions for security and data protection. For any vendor with access to our data or systems, we contractually require them to follow appropriate security practices and compliance regimes. For example, cloud and software providers must maintain relevant certifications (such as ISO 27001 or PCI-DSS, if applicable) and notify us of any breaches or changes to their posture. We also include confidentiality and data-handling clauses (often aligned with GDPR and our own privacy standards) to ensure third parties protect data at the same level we do.
Ongoing monitoring and review
Third-party relationships are not “set and forget.” We regularly review the performance and security of key suppliers. This can include reviewing their updated audit reports annually and monitoring their announcements for any incidents or vulnerabilities (for example, if our cloud provider issues a security advisory, we verify that our environment is not affected or apply the necessary patches). For critical vendors, we maintain points of contact and conduct periodic meetings to discuss security matters. We also track when contracts are up for renewal to re-evaluate risk and update terms as needed. New and evolving risks (like supply chain attacks or changes in a vendor’s business) are considered in these reviews.
Integration security
When we integrate with third-party APIs or hardware (e.g., a customer’s systems or a partner’s platform), we ensure secure interactions. This might involve using VPNs or dedicated secure channels for system integrations, managing API authentication keys with appropriate scopes and rotation, and testing the integration for security gaps. We treat outbound data sharing with the same care as our internal data, ensuring it’s encrypted in transit and limited to the minimum necessary. If a partner requires access to our systems (e.g., for support purposes), we provision dedicated accounts with limited permissions and enable detailed logging of their activities.
Third-party software components
Our products inevitably include third-party and open-source components. We carefully select these components, favoring well-maintained and widely trusted libraries. All third-party software and firmware included in our solutions are catalogued. We monitor vulnerability feeds (such as CVE databases) for issues in these components and promptly update or patch them through our patch management process. In addition, our Secure Development Policy includes guidelines for developers to evaluate open-source components (e.g., checking code signing, verifying checksums, and reviewing licenses) before inclusion. By governing what goes into our software, we reduce the risk of hidden vulnerabilities or malicious code from third-party sources.
Incident handling with suppliers
If a security incident involves or is caused by a third-party service provider, we work closely with that provider to resolve it. Our incident response plan includes contacting the supplier, exchanging necessary information, and ensuring they take proper action on their side. We maintain documentation of third-party contacts for emergencies. Post-incident, we might reassess the supplier’s suitability or demand corrective actions if they fell short of expectations.
Proemion’s commitment to third-party security means our partners and customers can trust not just us, but also the ecosystem around us. We expect our vendors to uphold the same high standards we do, and we verify that through diligent oversight. This approach aligns with ISO 27001:2022 Annex A controls on supplier relationships and supply chain security, helping to ensure that data remains protected even when handled by external parties. Ultimately, security is a shared responsibility, and we take our role seriously by extending our security culture beyond our organizational boundaries.
Physical and personnel security
While much of Proemion’s platform is digital, we recognize that physical security and trustworthy personnel are fundamental to a holistic security posture. We have controls in place to protect our offices, labs, and hardware, and we foster a company culture in which every employee is part of the security effort. Below, we outline how we secure our physical environments and manage personnel security:
Secure facilities
Access to Proemion facilities (offices, development labs, and production areas) is tightly controlled. We use electronic badge access systems and/or PIN codes to ensure only authorized personnel can enter our premises. Areas housing sensitive equipment, such as servers, are restricted to a subset of employees and require special access permissions (sometimes dual access). Visitors to any Proemion facility must sign in, be escorted by an employee, and wear visitor badges. Critical areas have additional safeguards, such as CCTV surveillance and intrusion-detection alarm systems. We also enforce a clean desk policy and secure storage for sensitive printouts or removable media to prevent accidental exposure of information in the office.
Hardware security
Any on-premises servers or networking equipment we maintain (e.g., internal development servers or the secure firmware-signing server) are located in locked rooms or cabinets. These rooms have environmental controls (for fire, power, and climate) and are monitored. The hardware is asset-tracked; we know exactly which devices are deployed and who has access to them. When hardware is serviced or retired, we ensure no sensitive data remains (devices are wiped or destroyed in accordance with our media handling procedures). In our production cloud environment, we leverage AWS’s physical security, including robust measures at its data centers (guards, biometrics, etc.), as described in AWS’s compliance reports. We consider those measures in our risk assessment and rely on contractual commitments from our cloud providers for physical security.
Employee vetting
Proemion takes care to hire and retain employees who uphold our security values. During the hiring process, where permitted by local law, we conduct background checks appropriate to the role’s level of responsibility and access. This can include reference checks, identity and qualification verification, and criminal record checks for sensitive positions. Every new hire signs a confidentiality and acceptable use agreement as a condition of employment, committing them to protect company and customer information.
Security awareness and training
All personnel undergo security awareness training at onboarding and annually thereafter. Our training covers topics like phishing prevention, safe internet habits, data protection, and incident reporting. We use interactive modules and real-world scenarios (for example, recognizing a social engineering attempt). We also run periodic phishing simulation exercises to keep employees alert; those who fall for a simulation receive refresher training. This continual education fosters a security-conscious workforce, which is often the best defense against threats.
Access management for people
We follow the principle of least privilege not just in IT systems but in general. Employees are granted access to buildings, systems, and data strictly based on their job needs. When someone’s role changes or they leave the company, we have procedures to promptly adjust or revoke access (in coordination with HR and IT). Access to especially sensitive information (financial data, production systems, etc.) is limited to a very small group with management approval. We also require multi-factor authentication for all employee accounts on critical systems to mitigate the risk of compromised credentials.
Healthy security culture
Beyond formal policies, Proemion promotes a culture where security is everyone’s responsibility. We encourage employees to speak up if they notice something odd or have a security concern. There are clear, non-punitive channels to report potential issues or mistakes (such as accidentally emailing something sensitive to the wrong address) so we can respond and learn rather than punish. Internal newsletters and posters remind staff about security best practices (like “Think before clicking” for email links). By making security a normal part of daily work life, we reduce the likelihood of human error leading to an incident.
Through strong physical security controls and empowered, educated employees, Proemion minimizes risks in the real-world aspects of our business. These measures align with ISO 27001:2022’s people and physical controls – from secure facilities to HR security practices – ensuring comprehensive security. Clients can be confident that whether data is in a server rack or a meeting room, and whether it is handled by software or by an employee, Proemion has safeguards in place to protect it.
Business continuity
In the face of unforeseen disruptions – whether natural disasters, cyber incidents, or operational failures – Proemion is prepared to sustain critical services and quickly recover them. Our Business Continuity and Disaster Recovery (BC/DR) plans are designed to minimize downtime and data loss, keeping our customers’ operations running smoothly even in the worst-case scenario. We align our continuity planning with the ISO 27001 Annex A and ISO 22301 standards to ensure best practices. Key elements of our business continuity program include:
Business continuity and impact analysis
Business continuity is managed as an integral part of Proemion’s Information Security Management System (ISMS). We identify critical business functions and the resources required to support them during disruptive events, including telematics cloud services, internal IT systems, and supporting infrastructure. Business Impact Analyses (BIAs) are performed to determine recovery priorities and acceptable downtime for key processes. Continuity strategies, responsibilities, and improvement actions are defined and reviewed through established governance and management processes, ensuring preparedness and continual improvement without reliance on a standalone continuity management structure.
Recovery objectives
For critical systems, Proemion defines appropriate Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) to guide recovery and resilience planning. These objectives establish acceptable service-restoration timelines and data-recovery expectations based on business-impact and risk assessments. Recovery targets are reviewed and approved through established management processes and are designed to meet applicable contractual, regulatory, and operational requirements. Technical and organizational measures are implemented to support these objectives and are periodically reviewed to ensure their continued effectiveness.
Disaster recovery plan
We have a documented technical disaster recovery plan that details how to recover each system in various disaster scenarios. For example, if an entire AWS region goes down, we have procedures to launch our services in an alternate region using backed-up data and infrastructure-as-code scripts. If a software deployment severely impacts the system, we can roll back to a known-good state. Our DR plan is regularly tested in parts and as a whole. We conduct drills (at least annually) that simulate a major outage. During these drills, the team practices restoring from backups, switching to redundant systems, and verifying data integrity. Any gaps identified are addressed promptly.
Operational redundancy
Wherever feasible, we avoid single points of failure. Our key systems run in a redundant configuration – multiple servers, redundant network paths, backup power in offices, etc. We have failover processes for critical components (for instance, if one service fails, a standby can take over). Data is continuously backed up, and backups are stored off-site and encrypted. We also use cloud features, such as database snapshots, to ensure data remains available and recoverable even if a single location is lost or compromised. The combination of these measures ensures that many smaller incidents (such as server failures or connectivity loss) are handled transparently, with no downtime.
Crisis management and communication
In the event of a significant disruption, we have a clear chain of command and communication plan. Our Incident Response Team – which includes members from Security, IT, DevOps, and Support – doubles as our emergency response team. They assemble quickly (virtually, if needed) to assess the situation and initiate response actions. We have pre-drafted communication templates to inform customers, partners, and internal stakeholders, ensuring timely and accurate information is disseminated. We prioritize safety (in case of physical incidents) and data protection during any continuity event. Post-incident, we conduct a retrospective to learn and improve, feeding the results into both our business continuity management system (BCMS) and our security risk management process.
Continuous improvement
Business continuity is not a one-time project but an ongoing effort. We update our continuity and recovery plans whenever there are significant changes in our environment – for example, if we adopt a new technology or if our business priorities shift. Regular training on emergency procedures is provided to staff. Our goal is that, if disaster strikes, every team member knows their role and that the recovery steps have been rehearsed. Moreover, by aligning with standards such as ISO 22301, we ensure our approach covers not only IT recovery but also broader business aspects (alternate work locations, communication, etc.).
With robust continuity plans in place, Proemion ensures we can honor our commitments and meet service-level agreements with customers, even under adverse conditions. Whether it’s a localized hardware failure or a widespread crisis, we are prepared to respond and recover rapidly. This resilience is a key part of our promise: we not only secure your data but also ensure the availability of the services you rely on. In combination with our preventive security measures, this makes our overall security posture comprehensive, covering protection, detection, response, and recovery end-to-end.
Conclusion
Security at Proemion is an ongoing process that evolves with emerging threats and technologies. As outlined in this whitepaper, by 2026 we have established a mature security program that spans product development, device and cloud security, governance, and resilience. Proemion’s adoption of ISO/IEC 27001:2022 is not just a certificate on the wall – it reflects how we operate daily, translating high-level standards into concrete controls across the organization. Our enterprise customers and partners can integrate with our telematics solutions knowing that security is embedded at every layer, from the field device to the back-end cloud services, and is supported by a company-wide culture of security excellence. We will continue to refine and strengthen our security posture, ensuring that Proemion remains a trusted name in secure telematics connectivity.