Security & Data Protection

Your students' data and your school's operations are our responsibility. Here's how we protect them.

Infrastructure

✓ Role-based access control with per-endpoint authorization
✓ Multi-tenant isolation (every query scoped by organization)
✓ Standard browser-level attack protections, always on (HSTS, CSP, X-Frame-Options via Helmet)
✓ Rate limiting (prevents brute force and abuse)
✓ Input validation on all API endpoints
✓ Password policy enforcement (minimum length, complexity requirements)
✓ Sign-in links can't be stolen from our database — we store only a fingerprint, never the link (SHA-256)
✓ Sessions expire fast and stolen ones are detected and killed (short-lived tokens, rotation, replay detection)
✓ Driver's licenses and passports are individually encrypted — even someone with database access can't read them (AES-256-GCM)
✓ A payment event can only ever be processed once — no duplicate charges from retries or glitches

✓ Append-only audit log (every change tracked with who, what, when, before/after)
✓ Balances can't be corrupted by two things happening at once — money operations take turns, enforced by the database
✓ The database itself refuses to save two bookings for the same aircraft at the same time
✓ Two people editing the same record can't silently overwrite each other
✓ All money stored as integer cents (no floating-point errors)

Questions about security? Contact us