Hop And Haul Policy Findings & Remediation Plan

Document ID: PLCY-FRP-001
Assessment Date: December 22, 2025
Assessor: Internal Policy Review
Status: Remediation Complete
Completion Date: December 22, 2025
Version: 1.4
Owner: Hop And Haul Team

CONFIDENTIAL

This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.

Executive Summary

This document tracks findings identified during internal policy review and their remediation status. The review assessed alignment with compliance Trust Service Criteria, DOT/FMCSA compliance, litigation readiness, and operational executability.

Total Policy Documents: 23

Metric	Count
Total Findings	12
Critical	2 (2 Remediated)
High	4 (4 Remediated)
Medium	4 (4 Remediated)
Low	2 (1 Closed, 1 Remediated)
Status	All Remediated

Findings Register

ID	Finding	Severity	Impacted Documents	Status	Remediation Action
F-001	Inconsistent retention schedules across documents	Critical	PLCY-LIA-001, PLCY-INC-001, PLCY-DATA-001, PLCY-AUD-001, PLCY-SEC-001	Remediated	Created PLCY-RET-001 Records Retention Policy, updated all docs to reference
F-002	Emergency voice override lacks recording consent documentation	Critical	PLCY-VOI-001	Remediated	Added recording basis logging, emergency categories, audit trail requirements
F-003	Manual verification workflow undefined	High	PLCY-VAL-001	Remediated	Defined controlled exception process with evidence, approval authority, expiration
F-004	Placeholder values throughout all documents	High	All 15 documents	Remediated	Filled all [DATE], [ROLE], [NAME], [DEFINED] placeholders
F-005	No policy index/governance document	High	N/A	Remediated	Created PLCY-IDX-001 policy-index.md with full registry and criteria mapping
F-006	DOT push notification language too definitive	High	PLCY-COM-001	Remediated	Softened language, added compliance disclaimer
F-007	No global offer rate limiting	Medium	PLCY-COM-001, PLCY-VOI-001	Remediated	Added Section 8.4 with hourly limits, quiet hours, post-decline suppression
F-008	No accident handling RACI matrix	Medium	PLCY-LIA-001	Remediated	Created Section 5.4 with consolidated RACI matrix
F-009	Control testing artifacts undefined	Medium	N/A	Remediated	Created PLCY-CTL-001 control-testing-procedures.md with full test definitions
F-010	Fuzzification algorithm lacks precision detail	Medium	PLCY-SEC-001	Remediated	Added algorithm specifications and anti-triangulation measures
F-011	Missing dependency claim for safety-buffer-parameters.md	Low	PLCY-VOI-001	Closed	File exists (false positive in original review)
F-012	Emergency/safety-urgent categories not distinguished	Low	PLCY-VOI-001, PLCY-COM-001	Remediated	Added EMERGENCY vs SAFETY_URGENT category definitions in Section 7.2

Detailed Findings

F-001: Inconsistent Retention Schedules (Critical)

Description: Retention periods vary across documents without justification:

Accident framework: 7-10 years, some permanent
Incident response: 24-36 months
Data classification: 6-24 months by category
Audit trail specs: 3-24 months by category
Security controls: 12-24 months

Risk: compliance auditors will flag as control weakness. Litigation readiness compromised—conflicting retention schedules create discovery confusion.

Remediation: Create canonical Records Retention & Legal Hold Policy (PLCY-RET-001). Update all impacted documents to reference authoritative schedule.

Description: Current policy states "recording consent waived" for emergencies without documenting legal basis or establishing audit trail.

Risk: In all-party consent states (CA, CT, DE, FL, IL, MD, MA, MI, MT, NV, NH, PA, WA), blanket consent waiver may not hold. If recording challenged post-incident, lack of documented basis weakens defense.

Remediation:

Define EMERGENCY vs SAFETY_URGENT categories
Establish recording basis documentation requirements
Create emergency mode audit trail fields
Require post-emergency documentation within 24 hours

F-003: Manual Verification Workflow Undefined (High)

Description: Pre-transaction validation document states "pending verification" escalation exists but lacks:

Required evidence by validation type
Approval authority matrix
Expiration timeline
Audit trail requirements

Risk: Creates shadow override pathway. Auditors will flag as control gap.

Remediation: Define complete manual verification workflow with evidence requirements, approval authority, 4-hour expiration, and comprehensive logging.

F-004: Placeholder Values (High)

Description: All 15 policy documents contain unfilled placeholders: [DATE], [ROLE], [NAME], [DEFINED]

Risk: compliance auditors treat as "policy exists but governance not operationalized." Indicates documents are drafts, not production policies.

Remediation: Fill all placeholders with actual values:

Effective dates and review dates
Role titles (Safety Director, Operations Manager, etc.)
Author attribution
Contact methods and escalation procedures

F-005: No Policy Index (High)

Description: No master document listing all policies, their owners, review dates, and cross-references to compliance criteria.

Risk: Governance gap. Difficult to demonstrate policy coverage during audits.

Remediation: Create policy-index.md with document registry, ownership matrix, review schedule, and compliance criteria mapping.

F-006: DOT Push Notification Language (High)

Description: Statement "Push notifications are NOT automatically texting" reads as legal conclusion rather than compliance documentation.

Risk: Overstating position invites challenge. Better to document compliance efforts than declare regulatory interpretation.

Remediation: Reframe as "designed to minimize risk of being considered texting" with supporting controls enumerated.

F-007: No Global Offer Rate Limiting (Medium)

Description: Individual offer retry limits exist but no system-wide throttling:

No maximum offers per hour
No quiet hours
No post-decline suppression period (inconsistent with voice policy 30-min rule)

Risk: Volume-based coercion still possible. Inconsistent treatment across communication methods.

Remediation: Add global rate limits: max 3/hour, quiet hours 10PM-6AM, 30-min post-decline suppression.

F-008: No Accident RACI Matrix (Medium)

Description: Accident handling responsibilities distributed across multiple documents without consolidated responsibility assignment.

Risk: Real incidents get messy when ownership unclear. Multiple teams may assume others are handling critical actions.

Remediation: Create single RACI matrix covering: scene safety, evidence capture, insurer notification, DOT reportability, driver communication, legal hold, workers' comp, post-incident review.

F-009: Control Testing Undefined (Medium)

Description: Policies state controls exist but don't define how they're tested:

What queries/reports validate controls
Test frequency and ownership
Expected outputs
Results storage

Risk: "How do you test controls actually work?" is standard compliance auditor question.

Remediation: Create control testing procedures document defining test method, frequency, owner, and results storage for each key control.

F-010: Fuzzification Algorithm Imprecise (Medium)

Description: Security controls mention "1-2 mile radius" fuzzification but don't specify:

Deterministic vs random offset
Refresh cadence
Whether repeated offers leak position through triangulation

Risk: Auditors will ask for precision. Position leakage through sampling is valid privacy concern.

Remediation: Document: random offset, new offset per offer, non-deterministic, cannot triangulate from <10 samples.

F-011: Missing safety-buffer-parameters.md (Low) - CLOSED

Description: Review claimed voice policy references missing file.

Finding: File exists at /docs/policies/safety-buffer-parameters.md with Document ID PLCY-BUF-001. Reference is valid.

Status: Closed - false positive in original review.

F-012: Emergency Category Undefined (Low)

Description: No clear criteria distinguishing "emergency" (bypass all gates) from "safety urgent" (elevated priority, standard rules).

Risk: Operator discretion without guidance. May over-trigger or under-trigger emergency mode.

Remediation: Define categories with explicit criteria in voice agent and communication protocol documents.

Remediation Timeline

Phase	Target	Findings	Deliverables
Phase 1	Immediate	F-004, F-005	Fill placeholders, create policy-index.md
Phase 2	Week 1	F-001, F-002	Create retention policy, update emergency override
Phase 3	Week 2	F-003, F-006, F-007	Manual verification workflow, DOT language, rate limits
Phase 4	Week 3	F-008, F-009, F-010, F-012	RACI matrix, control testing, fuzzification, emergency categories

Policy Enhancements

The following policies were added proactively to strengthen compliance posture:

Document ID	Title	Purpose
PLCY-GOV-001	Governance & Assumptions	SaaS model, team roles, customer vs platform responsibility, liability boundaries
PLCY-DRP-001	Disaster Recovery Plan	Single-box AMI architecture, RDS Multi-AZ, recovery objectives (RTO/RPO), backup strategy
PLCY-RSK-001	Risk Assessment Policy	Risk framework, tabletop exercise program, scenario library, continuous risk monitoring
PLCY-INF-001	Infrastructure Sizing	EC2/RDS capacity sizing, WebSocket limits, cost estimation, scaling triggers
PLCY-ORG-001	Organization & Domain Policy	Multi-tenant model, domain verification, self-registration, JWT claims

Infrastructure Architecture Documented

Single EC2 instance (r6g.xlarge, 32GB) behind Cloudflare Tunnel
No public ports exposed (all traffic via Cloudflare Tunnel)
Swift Vapor application runtime (compiled, memory-safe)
RDS PostgreSQL Multi-AZ (db.t3.small/medium, 2-4GB) with automatic failover
AMI-based deployment and recovery (not container/ECR)
Stateless JWT authentication with role-based access control
Multi-tenant organization-scoped data isolation with domain verification

Recovery Objectives Established

Tier	Systems	RTO
Tier 1 - Critical	Authentication, Core API, Driver matching	1 hour
Tier 2 - Essential	Reporting, Notifications, Voice agent	4 hours
Tier 3 - Standard	Analytics, Admin dashboards	24 hours

Tabletop Exercise Schedule

Exercise Type	Frequency
Security incident	Quarterly
Infrastructure failure	Quarterly
Data breach	Bi-annually
Business continuity	Annually

Approval & Sign-Off

Role	Name	Date	Signature
Safety Director
Operations Director
Legal Counsel
Final Approval

Document Control

Version	Date	Author	Changes
1.0	December 22, 2025	Hop And Haul Team	Initial findings register
1.1	December 22, 2025	Hop And Haul Team	All findings remediated, status updated
1.2	December 22, 2025	Hop And Haul Team	Added PLCY-DRP-001 Disaster Recovery Plan, PLCY-RSK-001 Risk Assessment Policy
1.3	December 22, 2025	Hop And Haul Team	Updated to single-box AMI architecture, added PLCY-INF-001, PLCY-ORG-001
1.4	December 22, 2025	Hop And Haul Team	Added PLCY-GOV-001 Governance & Assumptions

Hop And Haul Policy Findings & Remediation Plan ​

Executive Summary ​

Findings Register ​

Detailed Findings ​

F-001: Inconsistent Retention Schedules (Critical) ​

F-002: Emergency Voice Override Recording Consent (Critical) ​

F-003: Manual Verification Workflow Undefined (High) ​

F-004: Placeholder Values (High) ​

F-005: No Policy Index (High) ​

F-006: DOT Push Notification Language (High) ​

F-007: No Global Offer Rate Limiting (Medium) ​

F-008: No Accident RACI Matrix (Medium) ​

F-009: Control Testing Undefined (Medium) ​

F-010: Fuzzification Algorithm Imprecise (Medium) ​

F-011: Missing safety-buffer-parameters.md (Low) - CLOSED ​

F-012: Emergency Category Undefined (Low) ​

Remediation Timeline ​

Policy Enhancements ​

Infrastructure Architecture Documented ​

Recovery Objectives Established ​

Tabletop Exercise Schedule ​

Approval & Sign-Off ​

Document Control ​