Security Policy
1. Overview
At Validation Ledger, we prioritize the security and privacy of all stakeholders involved in the freight lifecycle—shippers, brokers, carriers, drivers, and factoring companies. Our platform is built on a foundation of zero-trust principles and verified identity, ensuring that only authenticated parties engage in business transactions. This policy outlines the controls we've implemented to preserve the confidentiality, integrity, and availability of our systems and data, particularly as they relate to fraud prevention, document verification, and user authentication.
2. Information Security Program
- Regular Security Assessments & Audits: Routine code reviews, penetration tests, and third-party audits help us proactively identify and mitigate vulnerabilities.
- Continuous Monitoring & Threat Detection: We leverage AWS CloudWatch, AWS WAF, and custom alerting for real-time threat monitoring across all environments.
- Incident Response Procedures: Defined playbooks ensure swift containment, investigation, and communication of any potential security breach.
- Employee Security Awareness Training: All staff are trained on phishing detection, data handling protocols, and secure development practices, including threat modeling.
- Access Control & Authentication Measures: Access is granted strictly on a need-to-know basis using least privilege principles, supported by AWS Cognito, RBAC, and device binding.
3. Data Protection
- Encryption in Transit and at Rest: All data is encrypted using industry standards (TLS 1.2+ in transit, AES-256 at rest via AWS KMS).
- Secure Backup & Disaster Recovery: Encrypted backups are stored redundantly across AWS regions with daily snapshots and recovery drills.
- Vulnerability Management: We run weekly scans using tools like AWS Inspector and GitHub Dependabot to identify known CVEs.
- Secure Development Lifecycle (SDLC): Security is integrated into our CI/CD pipeline, with tools like GitHub Actions enforcing pre-deployment checks and static code analysis.
4. Access Control
- Role-Based Access Control (RBAC): All user actions are scoped by role—broker, shipper, driver, etc.—and enforced in both UI and API layers.
- Multi-Factor Authentication (MFA): MFA is required for all admin access and high-privilege operations. Driver-level security tiers also support facial and voice authentication.
- Access Reviews & Audit Trails: Monthly access reviews are performed to validate role assignments. All access events are logged and stored immutably.
- Password & Credential Policies: Passwords follow NIST guidelines and are rotated periodically. Secrets are managed using AWS Secrets Manager.
5. Incident Response
- 24/7 Monitoring & Alerting: Security events are ingested by CloudWatch and AlertManager, triggering SMS/email alerts for critical thresholds.
- Dedicated IR Team: Our response team includes security engineers, infrastructure leads, and customer support for cross-functional resolution.
- Simulated Drills: Scheduled tabletop exercises are performed to evaluate our readiness for data breaches, impersonation attempts, and DDoS scenarios.
- Clear Communication Protocols: Customers and stakeholders are notified through predefined channels based on severity, with post-mortem reports generated for every major incident.
6. Compliance
- Request deletion of their personal data.
- Request access to retained information.
- Opt out of unnecessary data sharing.
- Data Localization: User data is processed and stored within the United States to comply with legal and regulatory expectations for domestic freight operations.
- Vendor & API Security: All third-party providers (e.g., AWS, ID verification APIs) are reviewed regularly for compliance and security posture.
- Policy Reviews: Our security policies will be reviewed at least annually, or after any significant system change or security incident.
Data Retention and Disposal Policy
1. Purpose
This policy outlines how Validation Ledger manages the retention and secure disposal of personal and business data collected through our platform. Our practices are designed to comply with applicable regulations including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
2. Scope
This policy applies to all personal data, identity verification records, and associated documentation processed through the Validation Ledger platform by users in roles such as shipper, broker, carrier, driver, and factoring agent.
3. Data Retention Schedule
| Data Type | Retention Period | Purpose |
|---|---|---|
| User Identity Documents (e.g., DLs) | 3 years from account deactivation | Fraud resolution, compliance |
| Freight Transactions & BOLs | 7 years | Regulatory record-keeping |
| Chat and Communication Logs | 2 years | Dispute resolution and auditability |
| Authentication Logs | 1 year | Security and access investigation |
| Unverified or Abandoned Accounts | 30 days post inactivity | Minimize storage of stale personal information |
4. User Rights
- Request deletion of their personal data
- Request access to retained information
- Opt out of unnecessary data sharing
All verified deletion requests are processed within 45 days, with potential extensions as allowed by law.
5. Data Disposal Process
When data reaches the end of its retention period, it is securely deleted or anonymized:
- Structured Data (e.g., MongoDB, DynamoDB): Programmatic deletion with backup purging
- Unstructured Data (e.g., S3 file objects): Lifecycle rules automatically delete expired documents
- Backups: Redundant encrypted backups are retained and disposed of at the end of their lifecycle (typically 30-90 days)
- Blockchain Records: Immutable on-chain hashes are permanent, but off-chain personal metadata is purged
6. Policy Review and Contact
This policy is reviewed annually or after any significant legal, technical, or operational change. For questions or data deletion requests, users can contact: admin@validationledger.com