Bro Cabs (Pty) Ltd – User Security Policy
User Security Policy 2025/07/20
1. Purpose
This User Security Policy sets out the security requirements, responsibilities and best practices that all users (“Users”) of the Bro Cabs mobile and web application (“App”) must follow. Its aim is to protect User accounts and personal data, and to ensure the integrity and availability of the App’s services.
2. Scope
Applies to:
- All registered Users of the Bro Cabs App (drivers and riders)
- Any device used to access the App or its web portal
- All personal data, credentials, and in‐App communications
3. Definitions
- User Account: The unique profile created by a User to access Bro Cabs services.
- Credentials: Username, password, PIN, or biometric data used for authentication.
- Sensitive Data: Personal information protected under POPIA (e.g., name, contact details, location history, payment methods).
- Multi‐Factor Authentication (MFA): Use of two or more independent credentials for verifying identity.
4. Policy Statements
4.1 Account Security
- Unique Credentials: Users must register with a unique email or phone number and choose a strong password (minimum 8 characters, mixing letters, numbers and symbols).
- No Sharing: Credentials must never be shared. Any suspected compromise must be reported immediately.
- Password Management: Users should change passwords at least every 90 days and avoid re‐using passwords from other services.
4.2 Authentication & MFA
- MFA Prompt: The App will prompt Users to enable MFA (SMS OTP or authenticator app).
- Fallback Procedures: If an MFA device is lost, Users can reset via a secure “lost device” flow with verification of identity (OTP + ID check).
4.3 Device Security
- OS & App Updates: Users must keep their device OS and the Bro Cabs App up to date to receive security patches.
- Lock Screens: Devices should be secured with a PIN, pattern, password or biometric lock.
- Public Wi‐Fi: Avoid conducting in‐App payment or sensitive operations over unsecured networks. If unavoidable, Users should use a trusted VPN.
4.4 Data Protection & Privacy
- Minimal Data Principle: The App collects only the data necessary to provide services (ride details, location).
- Encryption: All data in transit is encrypted with TLS; sensitive data at rest is encrypted per POPIA requirements.
- Consent: Users must consent to location tracking and data processing. Consent may be withdrawn in Settings, which may limit App functionality.
4.5 Network & Session Security
- Automatic Logout: After 15 minutes of inactivity the session times out automatically.
- Session Tokens: The App uses short‐lived tokens; refresh tokens require re‐authentication after 30 days.
4.6 Incident Reporting
- User Obligations: Report any of the following promptly to security@brocabs.co.za:
  - Suspected unauthorized access
  - Lost device with the App installed
  - Phishing attempts or suspicious communications
- Company Response: Bro Cabs will acknowledge within 2 business hours, investigate, and guide Users on mitigation steps.
4.7 User Conduct
- No Reverse Engineering: Users must not decompile or reverse‐engineer the App.
- Respect Privacy: Do not record or share personal data of other Users (drivers or riders) without explicit consent.
- Prohibited Content: Users must not upload malware, spam or illicit content via in‐App messaging.
5. Compliance and Enforcement
- Monitoring: Bro Cabs may monitor for anomalies (e.g., impossible travel, multiple failed logins).
- Non‐Compliance: Violations may result in temporary suspension or permanent termination of User accounts, and, where applicable, referral to law enforcement.
6. Review and Updates
- This policy is reviewed annually or upon significant change to legal or technical frameworks.
Contact
For questions or assistance, please email legal@brocabs.co.za.