What’s New Uplift Move Deice Windsock Start Free
Home / Security
Trust & Safety

Security at Aeroframe

We build for operational reliability on the ramp. That starts with strong security, privacy, and uptime practices across our apps, APIs, and infrastructure.

View System Status Report a vulnerability Download whitepaper
Encryption in transit & at rest RBAC & SSO-ready Backups & DR Least privilege

Guiding principles

Defense in depth

Multiple controls across code, infra, and process—so a single failure doesn’t become an incident.

Least privilege

Access is granted narrowly and time-boxed. All changes are audited.

Secure by default

TLS everywhere, strong defaults, and safe SDKs & libraries—no optional hardening steps.

Data protection

Encryption

  • TLS 1.2+ for data in transit; HSTS enabled.
  • AES-256 (or provider equivalent) for data at rest.
  • Secrets stored using KMS/HSM with strict key rotation.

Backups & retention

  • Daily encrypted backups with 30-day retention by default.
  • Point-in-time recovery for primary databases.
  • Customer-requested export/erase supported.

Access control

  • Role-based access control (RBAC) across web & mobile.
  • SSO/SAML & SCIM available on Enterprise.
  • Admin audit trails for user & config changes.

Privacy

  • Data processed only to provide the service; no resale.
  • US-hosted by default; regional options for Enterprise.
  • DPA available upon request.

Infrastructure

Cloud platform

Deployed on major cloud providers with physical security, network isolation, and managed services.

Network & runtime

  • Private VPCs, security groups, and WAF.
  • Containerized services; image signing & scanning.
  • Zero-trust access for admin plane; MFA required.

Resilience

  • Multi-AZ architecture; automated failover where applicable.
  • Health checks, autoscaling, and blue-green deploys.
  • RTO/RPO objectives covered in Enterprise SLA.

Application security

Secure SDLC

  • Code review required for all changes.
  • Static & dependency scanning in CI; pinned versions.
  • Secrets never committed; environment-scoped keys.

Runtime protections

  • Rate limiting, input validation, and prepared statements.
  • CSRF/Clickjacking mitigations; strict content security.
  • Comprehensive logging with tamper-resistant storage.

Compliance & attestations

SOC 2 Type II – In progress GDPR-aligned practices US hosting DPA available

Looking for a specific control or questionnaire (CAIQ, SIG, custom)? Contact our security team.

Incident response

  1. Detect & triage. Automated alerts and 24×7 on-call rotation.
  2. Contain & eradicate. Access revocation, key rotation, and hotfixes as needed.
  3. Notify. We’ll inform affected customers without undue delay and share recommended actions.
  4. Post-mortem. Written report with root cause and preventive measures.
Check Status Reach incident desk

Vulnerability disclosure

We welcome reports from researchers and customers. Please email security@aerofra.me with steps to reproduce, impact, and any proof-of-concept. Don’t access customer data, disrupt service, or perform social engineering.

  • Acknowledgement: we reply within 3–5 business days.
  • Safe harbor: good-faith research won’t be used against you legally.
  • Credit: with permission, we’ll recognize material findings.
Report a vulnerability Read whitepaper

Security FAQs

Do you support SSO?
Yes—SAML/SSO and SCIM provisioning are available on Enterprise plans.
Where is data hosted?
US by default. Regional hosting can be arranged for Enterprise deployments.
Can we execute a DPA?
Absolutely. Email security@aerofra.me and we’ll share our DPA.
Do you offer an SLA?
Enterprise includes uptime, response, and remediation SLAs aligned to ops needs.