Optima security
PTV Optima collects and enhances information from real-time data sources in order to provide value-added prediction and simulation outputs to Traffic Management Centers and associated services.
For this reason, PTV Optima stores and processes data that can be accessed by authorized third-party systems using APIs.
All data exchange performed in this manner supports standard security protocols.
Optima data is completely anonymous except for the user information (name, email) used to create user accounts.
No other personal data is stored in Optima, except data for evaluating KPIs and producing traffic forecasts, stored in an anonymous aggregated way.
An internal privacy impact analysis against EU standards (GDPR 2016/679) found Optima to have a very low impact.
Furthermore, no stored information can be extracted from the Optima DB without an attack that exploits vulnerabilities in the server or infrastructure on which it is installed.
To this end, all recommended best practices and procedures are followed to secure this infrastructure as the primary defense against attacks.
Upon client request, further security measures and procedures can be implemented during project delivery to counter specific threats. These measures can be provided as a specific service which is usually not included in PTV standard contracts.
The main technical security measures implemented in the product are:
- User passwords are hashed with bcrypt, which is based on the Blowfish cipher (see → Optima passwords management). Password information is not stored in clear text but as a secure hash, and it is not visible in any phase of the user registration process.
- Data exchange with external systems and users is only possible through the defined APIs, secured by the infrastructure security. In a headless environment (without Traffic Supervisor) stored data cannot be accessed other than via the API (see → List of API endpoints). Any API connection request requires a valid session ID with a configurable time expiration (see → Authentication).
- Optima communications are secured with the HTTPS protocol, both with Traffic Supervisor and the API endpoints. PTV recommends the use of a certificate signed by a reliable CA.
- Cookie configuration: on the server side, maximum security levels have been enforced for Traffic Supervisor’s cookie options.
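
An added example (not PTV code) for the password measure listed above: an audit check that each stored password value is a well-formed bcrypt hash rather than clear text or a truncated value. The function names, the sample rows and the minimum cost of 10 are assumptions made for this example.

```python
import re

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"\$2([abxy]?)\$([0-9]{2})\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}"
)

MIN_COST = 10  # assumption: audit threshold chosen for this example, not a PTV setting


def audit_password_field(value, min_cost=MIN_COST):
    """Classify one stored password value.

    Returns (status, detail) where status is one of:
      "ok"          well-formed bcrypt hash with cost >= min_cost
      "weak_cost"   well-formed bcrypt hash with a lower work factor
      "not_bcrypt"  anything else (clear text, another scheme, truncated hash)
    """
    m = BCRYPT_RE.fullmatch(value)  # fullmatch also rejects trailing newlines
    if not m:
        return ("not_bcrypt", "value is not a 60-character bcrypt hash")
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        return ("not_bcrypt", f"cost {cost} outside bcrypt's 4..31 range")
    if cost < min_cost:
        return ("weak_cost", f"$2{variant}$ cost {cost} < {min_cost}")
    return ("ok", f"$2{variant}$ cost {cost}")


def audit_rows(rows, min_cost=MIN_COST):
    """Return only the findings: {username: (status, detail)} for non-ok rows."""
    findings = {}
    for user, stored in rows:
        result = audit_password_field(stored, min_cost)
        if result[0] != "ok":
            findings[user] = result
    return findings


# Constructed sample rows (not real Optima data); hash bodies are filler characters.
SAMPLE_ROWS = [
    ("alice", "$2b$12$" + "A" * 22 + "b" * 31),  # well-formed, cost 12
    ("bob", "$2a$06$" + "C" * 22 + "d" * 31),    # well-formed, low cost
    ("carol", "Summer2024!"),                     # clear text
    ("dave", "$2b$12$" + "E" * 22 + "f" * 30),   # truncated by one character
]

if __name__ == "__main__":
    for user, (status, detail) in audit_rows(SAMPLE_ROWS).items():
        print(f"{user}: {status} ({detail})")
```

The check is purely syntactic: it confirms the storage format and work factor, not that a hash corresponds to any particular password.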