Security & Trust

Interline builds infrastructure that enterprise organizations and public agencies depend on for transit data, routing, and related informational and analysis services. We take the security of that data seriously, and this page describes how we protect it.

Data Handling

  • Transit data: Schedules, routes, stop locations, and related content are sourced from public agency feeds and are not personal data.
  • API requests submitted to Transitland APIs and the Interline Routing Platform may include query parameters such as location coordinates, place names, or other inputs depending on the API and request type. These parameters are used solely to compute and return the requested result. They are not stored in persistent systems, shared with third parties, or used for any secondary purpose. Operational request logs are retained for engineering and system monitoring purposes. API request metadata is retained for billing purposes.
  • User records and associated billing records are not sold to other entities or used for any secondary purpose besides providing our services to our users.
  • Interline has executed Data Processing Agreements with all service providers that handle customer personal data, including identity, payments, support, and infrastructure providers.
💡
Enterprise clients with specific data handling, privacy, or compliance requirements are encouraged to contact us.

Infrastructure

  • Interline's production infrastructure runs on major cloud providers including Microsoft Azure.
  • All API traffic is served over HTTPS with TLS 1.2 or higher.
  • Edge traffic is protected against DDoS attacks by Cloudflare.
  • Data at rest is encrypted using AES-256.

Access Controls

  • All internal access to production systems requires multi-factor authentication. Access to management interfaces is restricted by network-level controls and protected by MFA. Access is provisioned on a least-privilege basis and reviewed on a regular cadence.
  • API access is controlled via scoped API keys. Keys can be rotated or revoked at any time.
  • Access by Interline's staff and contractors is controlled via RBAC and written policies.

Responsible Disclosure

If you believe you have found a genuine security vulnerability in Interline's production APIs or web properties, please contact info@interline.io with a clear description of the issue and steps to reproduce it. We will acknowledge receipt within two business days. Please do not publicly disclose findings until we have had a reasonable opportunity to investigate.

💡
Interline does not operate a bug bounty program and does not offer compensation for vulnerability reports. We are grateful for good-faith disclosures but are not in a position to respond to automated scan results, generic advisories, or reports concerning third-party software we do not use or have control over.