Security Controls Documentation
Document ID: PLCY-SEC-001
Effective Date: December 22, 2025
Last Review: December 22, 2025
Owner: Hop And Haul Team
CONFIDENTIAL
This document is CONFIDENTIAL and for internal use only. Do not distribute outside the organization.
1. Purpose
This document defines the security controls implemented in Hop And Haul to satisfy the SOC 2 Common Criteria (CC) requirements for Security, Availability, and Processing Integrity.
2. Control Framework Mapping
| SOC 2 Criteria | Control Area | Section |
|---|---|---|
| CC6.1 | Logical Access Controls | 3.1 |
| CC6.2 | System Access Authentication | 3.2 |
| CC6.3 | Access Authorization | 3.3 |
| CC6.6 | Encryption | 4 |
| CC6.7 | Transmission Security | 5 |
| CC7.1 | Vulnerability Management | 6 |
| CC7.2 | System Monitoring | 7 |
| CC7.3 | Change Management | 8 |
3. Logical Access Controls (CC6.1, CC6.2, CC6.3)
3.1 Server-Side Enforcement
Control: All matching logic executes server-side only
| Requirement | Implementation |
|---|---|
| No client-side route calculations | Matching API returns only approved results |
| No full route exposure pre-match | Client receives fuzzed location only |
| No driver PII before acceptance | Names/contact hidden until match confirmed |
Rationale: Prevents data leakage through client-side code inspection or manipulation.
3.2 Authentication Controls
| Control | Specification |
|---|---|
| Identity provider | SSO integration required |
| Multi-factor authentication | Required for Ops/Safety, Admin roles |
| Mobile authentication | SSO + device PIN/biometric |
| Session management | Server-side session tracking |
| Password policy | Managed by corporate SSO |
3.3 Token Management
| Token Type | Lifetime | Scope | Revocation |
|---|---|---|---|
| Session token | 8 hours max | User session | Logout or timeout |
| Ride tracking token | Until drop-off + 15 min | Single ride | Auto-expire |
| API bearer token | 24 hours | Service integration | Rotation policy |
| Refresh token | 7 days | Token renewal | Revocation list |
Auto-Expiration: Tracking tokens automatically invalidate after ride completion to prevent stale access.
3.4 Time-Limited Access
| Access Type | Duration | Extension |
|---|---|---|
| Ride offer visibility | 15 minutes | None |
| Post-match contact access | Ride duration + 15 min | None |
| Rating submission window | 24 hours post-completion | None |
| Admin session | 4 hours | MFA re-verification |
4. Encryption Controls (CC6.6)
4.1 Data at Rest
| Data Store | Encryption Method | Key Management |
|---|---|---|
| Primary database | AES-256-GCM | AWS KMS / equivalent |
| Backup storage | AES-256 | Separate key hierarchy |
| Log storage | AES-256 | Log-specific keys |
| File attachments | AES-256 | Per-tenant keys |
4.2 Data in Transit
| Connection Type | Protocol | Minimum Version |
|---|---|---|
| Client to API | TLS | 1.3 |
| API to database | TLS | 1.2 (1.3 preferred) |
| Service to service | mTLS | 1.2 |
| External integrations | TLS | 1.2 |
4.3 Key Rotation
| Key Type | Rotation Frequency | Process |
|---|---|---|
| Master encryption keys | Annually | Automated with overlap |
| Service API keys | Quarterly | Zero-downtime rotation |
| Session signing keys | Monthly | Automated |
| TLS certificates | Annually | Automated renewal |
5. Transmission Security (CC6.7)
5.1 Data Minimization in Transit
| Data Element | Pre-Match Transmission | Post-Match Transmission |
|---|---|---|
| Driver location | Fuzzed (1-2 mi radius) | Precise pickup point |
| Driver identity | Not transmitted | First + last initial only |
| Phone number | Not transmitted | Masked format |
| Full route | Not transmitted | Own route only |
| Other driver routes | Never transmitted | Never transmitted |
5.2 API Security
| Control | Implementation |
|---|---|
| Rate limiting | Per-user and per-endpoint |
| Request validation | Schema validation on all inputs |
| Response filtering | Role-based field exclusion |
| CORS policy | Strict origin allowlist |
| API versioning | Deprecation policy enforced |
5.3 Location Data Protection
Fuzzification Algorithm:
- Pre-match: Random offset within 1-2 mile radius
- Direction displayed as city/region only
- Precise coordinates only after mutual acceptance
Fuzzification Algorithm Details:
| Aspect | Specification |
|---|---|
| Offset type | Random within radius |
| Radius | 1-2 miles (configurable per company) |
| Refresh | New random offset per offer (not per session) |
| Determinism | Non-deterministic to prevent triangulation |
| Minimum samples | Cannot derive true location from <10 offers |
| Direction bias | None (uniform distribution within radius) |
Anti-Triangulation Measures:
- Each offer generates a new random offset
- Offsets are not correlated across offers
- No persistent offset tied to driver identity
- Statistical analysis of multiple declines does not reveal true position
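An added example of the per-offer fuzzification described above (not Hop And Haul's own code). It assumes the offset magnitude is drawn between the 1 and 2 mile bounds, uniform by area with no direction bias, from OS entropy so it cannot be seeded or reproduced; fuzz_location, distance_miles and offsets_within_bounds are names chosen here.

```python
import math
import secrets

# Added example, not Hop And Haul's own code. Draws a fresh offset, uniform by
# area, inside the annulus [min_miles, max_miles] around the true position.
EARTH_RADIUS_MILES = 3958.8
_rng = secrets.SystemRandom()  # OS entropy: non-deterministic, not seedable

def fuzz_location(lat, lon, min_miles=1.0, max_miles=2.0):
    """Return (lat, lon) displaced by a random 1-2 mile offset (defaults).

    sqrt of a uniform draw on [min^2, max^2] makes points uniform by area,
    so there is no bias towards the true location or any direction. A new
    offset is drawn on every call; nothing is cached per driver or session.
    """
    if not 0 <= min_miles < max_miles:
        raise ValueError("need 0 <= min_miles < max_miles")
    dist = math.sqrt(_rng.uniform(min_miles ** 2, max_miles ** 2))
    bearing = _rng.uniform(0.0, 2.0 * math.pi)
    ang = dist / EARTH_RADIUS_MILES  # angular distance in radians
    lat1, lon1 = math.radians(lat), math.radians(lon)
    lat2 = math.asin(math.sin(lat1) * math.cos(ang)
                     + math.cos(lat1) * math.sin(ang) * math.cos(bearing))
    lon2 = lon1 + math.atan2(math.sin(bearing) * math.sin(ang) * math.cos(lat1),
                             math.cos(ang) - math.sin(lat1) * math.sin(lat2))
    lon2 = (lon2 + math.pi) % (2 * math.pi) - math.pi  # wrap to [-180, 180)
    return math.degrees(lat2), math.degrees(lon2)

def distance_miles(lat_a, lon_a, lat_b, lon_b):
    """Great-circle (haversine) distance, used to check the offset bounds."""
    p1, p2 = math.radians(lat_a), math.radians(lat_b)
    dlam = math.radians(lon_b - lon_a)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def offsets_within_bounds(lat, lon, n=500, min_miles=1.0, max_miles=2.0):
    """Control check: all n independent offers land inside the annulus and
    no two offers reuse the same offset."""
    seen = set()
    for _ in range(n):
        flat, flon = fuzz_location(lat, lon, min_miles, max_miles)
        d = distance_miles(lat, lon, flat, flon)
        if not (min_miles - 1e-6 <= d <= max_miles + 1e-6):
            return False
        seen.add((flat, flon))
    return len(seen) == n
```

The per-company radius from the details table maps to the min_miles/max_miles parameters; offsets_within_bounds is the kind of check an auditor can run against the control's stated bounds.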
6. Vulnerability Management (CC7.1)
6.1 Vulnerability Scanning
| Scan Type | Frequency | Scope |
|---|---|---|
| Automated SAST | Every commit | Application code |
| Dependency scanning | Daily | Third-party libraries |
| Container scanning | Every build | Docker images |
| Infrastructure scanning | Weekly | Cloud resources |
| Penetration testing | Annually | Full application |
6.2 Remediation SLAs
| Severity | Response Time | Remediation Time |
|---|---|---|
| Critical | 4 hours | 24 hours |
| High | 24 hours | 7 days |
| Medium | 72 hours | 30 days |
| Low | 7 days | 90 days |
6.3 Patch Management
| Component | Patch Window | Testing Required |
|---|---|---|
| Critical security | Emergency | Smoke tests |
| OS/infrastructure | Monthly | Full regression |
| Application dependencies | Bi-weekly | Integration tests |
7. System Monitoring (CC7.2)
7.1 Security Event Logging
See PLCY-RET-001 Records Retention Policy for authoritative retention schedule.
| Event Category | Logged Elements | Retention |
|---|---|---|
| Authentication | Success/failure, IP, device | 24 months |
| Authorization | Access granted/denied, resource | 24 months |
| Data access | User, data type, timestamp | 24 months |
| Configuration changes | User, change detail, timestamp | 24 months |
| Security alerts | Alert type, severity, response | 24 months |
Retention periods aligned with PLCY-RET-001 for consistency across all security logs.
7.2 Alerting Thresholds
| Condition | Threshold | Response |
|---|---|---|
| Failed login attempts | 5 in 15 minutes | Account lockout, alert |
| Unusual access pattern | ML anomaly detection | Security review |
| Privilege escalation attempt | Any occurrence | Immediate alert |
| Data export volume | >100 records | Manager notification |
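The failed-login rule from the table above (5 in 15 minutes) as an added detection example run over constructed log lines; this is not Hop And Haul's own tooling. The log line format, the SAMPLE_LOG content and the choice that a lockout clears the per-user counter are assumptions made here.

```python
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5        # "5 in 15 minutes" from the alerting table
WINDOW_SECONDS = 15 * 60

# Constructed sample lines, not real Hop And Haul logs. Assumed format:
# <ISO-8601 UTC timestamp> auth <success|failure> user=<id> ip=<addr> device=<id>
SAMPLE_LOG = """\
2025-12-22T09:00:00Z auth failure user=drv-101 ip=203.0.113.10 device=ios-1
2025-12-22T09:02:00Z auth failure user=drv-101 ip=203.0.113.10 device=ios-1
2025-12-22T09:05:00Z auth success user=drv-202 ip=198.51.100.7 device=and-4
2025-12-22T09:06:00Z auth failure user=drv-101 ip=203.0.113.11 device=ios-1
2025-12-22T09:09:00Z auth failure user=drv-101 ip=203.0.113.11 device=ios-1
2025-12-22T09:16:00Z auth failure user=drv-101 ip=203.0.113.12 device=ios-1
2025-12-22T09:17:00Z auth failure user=drv-101 ip=203.0.113.12 device=ios-1
2025-12-22T09:18:00Z auth failure user=drv-202 ip=198.51.100.7 device=and-4
"""

def parse_line(line):
    """Split one log line into (timestamp, outcome, {user, ip, device})."""
    ts, _, outcome, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), outcome, fields

def detect_lockouts(log_text):
    """Sliding-window count of failures per user.

    Returns [(user, iso_timestamp)] for every event that brings a user to
    FAIL_THRESHOLD failures within WINDOW_SECONDS. Failures older than the
    window are evicted first, so the 09:00 failure in SAMPLE_LOG no longer
    counts at 09:16 (4 in window, no alert) but 09:02-09:17 is 5 (alert).
    """
    recent = defaultdict(deque)
    lockouts = []
    for line in log_text.splitlines():
        ts, outcome, f = parse_line(line)
        if outcome != "failure":
            continue                      # successes are logged but not counted
        q = recent[f["user"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                   # drop failures outside the 15-min window
        if len(q) >= FAIL_THRESHOLD:
            lockouts.append((f["user"], ts.isoformat()))
            q.clear()                     # assumption: lockout resets the counter
    return lockouts
```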
7.3 Log Protection
| Control | Implementation |
|---|---|
| Log integrity | Append-only storage |
| Access restriction | Security team only |
| Tampering detection | Cryptographic checksums |
| Backup | Separate secure location |
8. Change Management (CC7.3)
8.1 Change Categories
| Category | Approval Required | Testing Required |
|---|---|---|
| Emergency | Post-implementation review | Minimal |
| Standard | CAB approval | Full |
| Pre-approved | Template-based | Automated |
8.2 Deployment Controls
| Control | Requirement |
|---|---|
| Code review | Minimum 1 approver |
| Automated testing | All tests pass |
| Security scan | No critical findings |
| Rollback plan | Documented before deploy |
| Change window | Defined maintenance periods |
9. Physical Security
9.1 Cloud Infrastructure
| Control | Implementation |
|---|---|
| Data center security | SOC 2 certified provider |
| Geographic restrictions | Data residency enforced |
| Network isolation | VPC/private networking |
| DDoS protection | Cloud-native protection |
10. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial release |
| 1.1 | December 30, 2025 | Hop And Haul Team | Added NIST 800-53 mapping |
11. NIST 800-53 Control Mapping
This section maps Hop And Haul security controls to NIST 800-53 Rev 5 for FedRAMP Moderate compliance.
11.1 Access Control (AC) Family
| Control | Title | Section Reference | Status |
|---|---|---|---|
| AC-3 | Access Enforcement | 3.1, 3.3 | Implemented |
| AC-4 | Information Flow Enforcement | 5.1 | Implemented |
| AC-6 | Least Privilege | 3.2, 3.3 | Implemented |
| AC-7 | Unsuccessful Logon Attempts | 7.2 | Implemented |
| AC-11 | Device Lock | 3.4 | Implemented |
| AC-17 | Remote Access | 9.1 | Implemented |
11.2 System & Communications Protection (SC) Family
| Control | Title | Section Reference | Status |
|---|---|---|---|
| SC-8 | Transmission Confidentiality | 4.2, 5 | Implemented |
| SC-12 | Cryptographic Key Management | 4.3 | Implemented |
| SC-13 | Cryptographic Protection | 4.1, 4.2 | Implemented |
| SC-23 | Session Authenticity | 3.3 | Implemented |
| SC-28 | Protection of Information at Rest | 4.1 | Implemented |
11.3 Configuration Management (CM) Family
| Control | Title | Section Reference | Status |
|---|---|---|---|
| CM-3 | Configuration Change Control | 8 | Implemented |
| CM-7 | Least Functionality | 3.1 | Implemented |
11.4 System & Information Integrity (SI) Family
| Control | Title | Section Reference | Status |
|---|---|---|---|
| SI-2 | Flaw Remediation | 6 | Implemented |
| SI-4 | System Monitoring | 7 | Implemented |
| SI-10 | Information Input Validation | 5.2 | Implemented |
11.5 FedRAMP-Specific Enhancements (Planned)
| Enhancement | Target Control | Timeline |
|---|---|---|
| FIPS 140-2 validated modules | SC-13 | Phase 3 |
| PIV/CAC authentication | IA-2(12) | Phase 3 |
| File integrity monitoring | SI-7 | Phase 3 |
For complete NIST 800-53 control mapping, see Control Mapping Matrix.