Our commitment to secure charging transactions

At Road, we are committed to provide the most reliable EV-charging platform available on the market. We recognise you want every charging session to be secure, with accurate billing and complete privacy of your data. Our platform achieves this by combining secure architectural principles, information integrity safeguards, and GDPR-compliant design. Dedicated security controls around physical security, suppliers, employee education and governance further ensure your information is secure across the entire Road organisation.

We've got security covered from every angle

  • DDoS protection
  • Encryption-at-rest
  • Encryption-in-transit
  • Secure development lifecycle
  • Secure integrations
  • Role-based access control
  • SSO support
  • Data back-up
  • Privacy and confidentiality
  • Data erasure
  • Supplier verification and review
  • GDPR compliant sub-processing
  • Endpoint security and anti-malware
  • Employee training
  • Incident management
  • Disaster recovery
  • Regular penetration testing
  • Physical security

Data protection

Platform reliability and performance

Our platform has demonstrated an industry-leading performance with a historical 99.8% uptime, providing confidence that our services are always available when you need them. This is made possible by a combination of threat prevention, monitoring and response procedures.

First, all traffic to our platform and our app is protected by Cloudflare, to defend against Distributed Denial of Service (DDoS) attacks taking services offline. In addition, we have automated monitoring of system performance as well as the charge station network at large. Our 24/7 on-call engineers proactively mitigate any issues before they result in downtime.

Finally, all data on the Road platform is backed up, and we make use of redundant data storage via our cloud infrastructure provider, Google Cloud Platform. We review the health statistics of our back-up on a regular basis. Combined, these measures ensure we always have your back — wherever your journey takes you.

Platform security

DevSecOps

Road practices DevSecOps, a set of practices and principles that integrate security practices into the software development and operations process in a continuous and automated manner. It starts with feature design, where we apply secure engineering and coding principles to every aspect of our platform.

For development, we utilise Integrated Development Environments (IDEs) to minimise vulnerabilities through real-time code analysis, security-focused plug-ins, and standardised coding practices. Our development environment is strictly separated from production to prevent any accidental leaks or breaches. With version control and issue tracking managed through GitHub, we maintain a high level of oversight and accountability.

Additionally, our secure code repositories are fortified against unauthorised access, safeguarding our codebase.

Testing

Testing is an integral part of our development process, featuring automated security tests to identify and address vulnerabilities early. Furthermore, peer review and approval for code changes are mandatory, ensuring that every piece of code is scrutinised for security implications before integration. We employ automation to enforce security practices during code integration, ensuring that security checks are consistently applied to every change. Additionally, all changes are automatically logged, creating a clear audit trail that enhances accountability and traceability.

Vulnerability scanning

We do vulnerability scanning, so that we proactively identify and address security weaknesses in our codebase and dependencies. The comprehensive scanning capabilities we use assess our projects against a vast database of known vulnerabilities, providing actionable insights and recommendations for remediation. This integration allows for continuous monitoring and detection of vulnerabilities within our development process, ensuring that our applications are not only built with the latest security standards in mind, but are also maintained to adapt to new threats as they arise.

Transaction security

Open Charge Point Protocol (OCPP)

To connect our platform to EV charging stations, we utilise OCPP for seamless and secure connectivity. Charge stations can connect using a variety of encryption mechanisms such as TLS 1.3, OCPP 2 security profiles and secure SIM tunnels for legacy hardware.

Google Cloud Platform

We use Google Cloud Platform to host our EV-charging platform and securely store customer data. At rest, your information is encrypted using the AES-256, an encryption algorithm globally recognised for its strength in protecting data against unauthorised access. For data in transit — that is, data being sent to or from the Google Cloud servers — Google uses the encryption protocol Transport Layer Security (TLS) 1.2 or higher, to ensure data remains private. To prevent encryption keys being re-used by an attacker, Google rotates keys at least once a day and expires the keys across all properties every 3 days.

Virtual Private Network (VPN)

We have a secure facility for legacy hardware that does not support OCPP 2 or TLS. For this hardware, we offer a robust solution in the form of a secure Virtual Private Network (VPN) tunnel. The VPN tunnel creates a protected path for data to travel, effectively shielding it from unauthorised access and threats. This solution is implemented in partnership with leading telecom providers, ensuring that every charging station, regardless of its hardware capabilities, can connect to our platform securely.

Ecosystem security

We understand that our network's integrity is not solely dependent on our internal measures but also on the robustness of our cooperations with vendors and partners.