Transit-Grade Security & Compliance

Annual SOC 2 Type II audit covering security, availability, processing integrity, confidentiality, and privacy. Trust services criteria applied to transit data processing, real-time vehicle tracking systems, and rider personal information management. Audit reports available to municipal clients upon request.

• Continuous monitoring of transit platform infrastructure and data access
• Automated vulnerability scanning of rider-facing applications and APIs
• Change management controls for schedule data, fare configuration, and system updates
• Incident response procedures specific to transit operations disruption
• Data retention and destruction controls per municipal policy

Information security management system aligned with ISO 27001 framework. Risk assessment processes cover transit-specific threats: vehicle GPS data exposure, paratransit rider health information, fare revenue data integrity, and third-party hardware integration security.

• Annual risk assessment including transit-specific threat vectors
• Asset classification for transit data types: operational, rider PII, health information, financial
• Supplier security assessment for CAD/AVL, farebox, APC, and hardware vendors
• Business continuity planning for transit operations during technology failures
• Security awareness training for transit staff handling rider data

Cybersecurity controls aligned with NIST CSF: Identify (transit technology assets), Protect (access controls, encryption), Detect (monitoring, anomaly detection), Respond (incident handling, dispatch continuity), Recover (service restoration, data recovery).

• Transit technology asset inventory across cloud, on-premises, and onboard systems
• Network segmentation between dispatch operations, rider-facing services, and corporate systems
• Real-time monitoring for unauthorized access to vehicle tracking and rider data systems
• Incident response playbook for transit-specific scenarios (ransomware, data breach, GPS spoofing)
• Recovery time objectives: dispatch <1 hour, rider apps <4 hours, analytics <24 hours

Implementation of CIS Critical Security Controls across transit technology infrastructure. Priority controls for transit-grade reliability: endpoint protection for dispatch workstations, secure configuration for GTFS publication, and API security for third-party integrations.

• Hardened configurations for dispatch consoles and administrative workstations
• API gateway security with rate limiting, OAuth 2.0, and request validation for transit APIs
• Secure GTFS-RT feed publication with access logging and anomaly detection
• Continuous vulnerability management across rider-facing web applications and mobile apps
• Security event logging and SIEM integration for transit platform monitoring