Project overview
This website provides technical documentation for the benefits application from the California Integrated Travel Project (Cal-ITP).
Documentation for the dev (default) branch is available online at: https://docs.calitp.org/benefits.
Cal-ITP Benefits is an application that enables automated eligibility verification and enrollment for transit benefits onto customers’ existing contactless bank (credit/debit) cards.
The development of this publicly-accessible client is being managed by Caltrans’ California Integrated Travel Project (Cal-ITP), in partnership with the California Department of Technology (CDT). From the Cal-ITP site:
Our Cal-ITP Benefits web application streamlines the process for transit riders to instantly qualify for and receive discounts, starting with Monterey-Salinas Transit (MST), which offers a half-price Senior Fare. Now older adults (65+) who are able to electronically verify their identity are able to access MST’s reduced fares without the hassle of paperwork.
We worked with state partners on this product launch, and next we’re working to bring youth, lower-income riders, veterans, people with disabilities, and others the same instant access to free or reduced fares across all California transit providers, without having to prove eligibility to each agency.
The application is accessible to the public at benefits.calitp.org.
Technical details
benefits is a Django 4 web application. The application talks to one or more Eligibility Verification APIs or authentication providers. These APIs and the application are designed for privacy and security of user information:
- The API communicates with signed and encrypted JSON Web Tokens containing only the most necessary of user data for the purpose of eligibility verification
- The application requires no user accounts and stores no information about the user
- Interaction with the application is anonymous, with only minimal event tracking for usage and problem analysis
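One way a receiving service can enforce the "only the most necessary user data" property from the list above, shown as an added example that is not the Benefits project's code: it verifies a signed token and rejects any claim outside an allow-list. The claim names, key, issuer and the HS256 algorithm are assumptions for illustration, and the encryption layer the page mentions is left out.

```python
import base64, hashlib, hmac, json, time

# Hypothetical allow-list: these claim names are assumptions, not the project's schema.
ALLOWED_CLAIMS = {"iss", "iat", "exp", "jti", "eligibility"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims, key):
    """Build a compact JWS (HS256, a stand-in algorithm) over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_minimal(token, key, now=None):
    """Check signature, pinned algorithm, claim allow-list and expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        sig = _unb64url(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("claims must be a JSON object")
    extra = set(claims) - ALLOWED_CLAIMS
    if extra:  # data minimization: refuse tokens carrying more than needed
        raise ValueError(f"unexpected claims: {sorted(extra)}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample value
    token = sign({"iss": "verifier.example", "iat": 1000, "exp": 2000,
                  "jti": "abc", "eligibility": ["senior"]}, demo_key)
    print(verify_minimal(token, demo_key, now=1500))
```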
Running the application locally is possible with Docker and Docker Compose. Hosting information.
The user interface and content are available in both English and Spanish. Additional language support is possible via Django’s i18n and l10n features.
The application communicates with external services like Littlepay via API calls and others like the Identity Gateway via redirects, both over the public internet. See all the system interconnections.
Cal-ITP takes security and privacy seriously. Below is an overview of how the system is designed with security in mind.
The Benefits application is deployed to Microsoft Azure. Traffic is encrypted between the user and the application, as well as between the application and external systems.
The network is managed by the California Department of Technology (CDT), which provides a firewall and distributed denial-of-service (DDoS) protection.
You can find more technical details on our infrastructure page.
Data storage
The Benefits application doesn’t collect or store any user data directly, and we minimize the information exchanged between systems. The following information is temporarily stored in an encrypted session in the user’s browser:
- The user’s progress
- Credentials for interacting with the eligibility verification services
Sensitive user information exists in the following places:
- To enroll in a senior discount, users need to provide personal information to Login.gov.
- Users need to provide their credit or debit card information to our payment processor (Littlepay) to enroll in a discount.
None of that information is accessible to the Benefits system/team.
Learn more about the security/privacy practices of some of our third-party integrations:
Benefits collects analytics on usage, without any identifying information. (IP addresses are filtered out.)
Dependabot immediately notifies the team of vulnerabilities in application dependencies.
When making major new integrations, features, or architectural changes, the Benefits team has a third party perform a penetration test to ensure the security of the system.
All code changes are reviewed by at least one other member of the engineering team, which is enforced through branch protections.