Security & Compliance

Government-grade data handling — without overclaiming

Mobvynt processes only open, aggregate public-sector data feeds. No PII is collected or retained at any stage of the pipeline. Our security architecture is designed with FISMA controls in mind and follows a SOC 2 controls framework — audit in progress. We don't claim certifications we haven't completed. If your procurement requires specific documentation, we provide it directly.

Data Handling

No PII. No video. Only the aggregates that matter.

No personally identifiable data

Mobvynt ingests aggregate feeds only: boardings per stop, counts per intersection, docks per station. No individual trip trajectories, user identifiers, or vehicle-level tracking data are stored at any point in the pipeline.

No video storage or transmission

Intersection camera integration uses aggregated count outputs from NTCIP and REST APIs. No video footage is ever transmitted to Mobvynt systems or retained in any form. The API integration retrieves only numeric count values.

Open data standards only

Every data source is an open standard (GTFS, GBFS, NTCIP, LODES, ACS) that agencies already publish or operate. No proprietary mobility data partnerships, no commercial location data vendors, no passive consumer tracking.

Infrastructure

Cloud infrastructure with public-sector controls

Encryption in transit and at rest

All data in transit is encrypted via TLS 1.3. Data at rest is encrypted using AES-256. Encryption keys are managed through a dedicated key management service with annual rotation schedules.

Access controls

Role-based access control with SSO/SAML 2.0 integration for agency identity providers. Multi-factor authentication is enforced for all administrative and analyst accounts. Least-privilege access principles throughout.

Audit logging

Immutable audit logs of all data access, query execution, and export events. Available for agency review on request. Retained for 12 months minimum. Log integrity verified through cryptographic chaining.

Data residency

Agency data is processed and stored in US-based cloud regions. No cross-border data transfer. Data processing agreements (DPA) available on request for agencies with specific contractual residency requirements.

Procurement

Ready for public-sector contracting

Data Processing Agreements

Standard DPA available. Custom DPA terms supported for agencies with specific procurement requirements. Review cycles coordinated with your agency legal counsel.

Incident Response

Written incident response plan with defined notification timelines. Agency notification within 72 hours of any confirmed incident involving agency data. Annual plan review and tabletop exercises.

Penetration Testing

Annual third-party penetration testing of the platform API and web application. Test reports available under NDA for agencies completing procurement evaluation.

For security documentation, DPA requests, or penetration test reports, contact [email protected] with the subject line "Security inquiry."

Request our security documentation

For DPA drafts, penetration test reports, or a security posture briefing for your agency IT or legal team, contact us directly.
