---------- Forwarded message ---------
From: John Flynn
Date: Mon, Dec 12, 2016 at 5:15 PM
Subject: Data Access Controls at Uber
To: Global Uber Team

Hey Team,

You may have seen a news story today about some of Uber’s privacy and security practices. Much of the information is out of date and doesn’t accurately reflect the state of our practices today, so I wanted to update you on what we’re doing to protect user data.

Like every fast-growing company, we haven’t always gotten everything perfect. But without the trust of our customers we have no business. That’s why we continue to make major improvements to our security systems and policies to ensure that rider and driver data is protected.

For many years, we’ve had a policy prohibiting unauthorized access, and over time, we’ve invested even more in locking down and logging that access. You know about those rules because you signed the agreement when you started at Uber, heard about them during Uberversity training, and receive regular reminders via email and internal all-hands meetings.

Over the past several years, we’ve hired hundreds of security and privacy experts who work around the clock to protect user data. Our team includes experts in authentication, authorization, encryption and access management.

As you’ve probably noticed, particularly in the last year, we’ve significantly strengthened the tools and processes that restrict internal access to user data:

• All employees are required to acknowledge and agree to a data access policy, including at onboarding. You’re reminded of this policy every time you access internal data tools once you have the required permission (see below). All data access is logged and routinely audited, and all potential violations are quickly and thoroughly investigated. We have terminated employees in the past for violating this policy.

• It’s absolutely untrue that all (or nearly all) employees have access to customer data, with or without prior approval. This is more than simply the “honor system”: we have built entire systems to implement technical and administrative controls that limit access to customer data to those employees who require it to perform their jobs. This could include multiple steps of approval—by managers and the legal team—to ensure there is a legitimate business case for providing access.

• What’s more, this access is granular: if an employee has access to some customer data, she does not have access to all customer data. Access is granted to specific types of data based on an employee’s role and the specific purpose at hand.

• Many employees are in operational roles and have legitimate reasons to access customer data. For example, our anti-fraud team have access to trip data so they can investigate allegations of scams and compromised accounts. Some employees have access to driver profiles in order to check the validity of insurance documents required by law. And in the case of a traffic incident, a dedicated member of our safety team needs to access customer data to conduct a proper investigation and help the affected parties reach resolution.

We want our security and privacy practices and technology to be world-class, and we’re moving quickly toward that goal. Every time a rider or driver uses Uber, they entrust us with data that it’s the responsibility of each and every one of us to protect.

John "Four" Flynn
Chief Information Security Officer