Protecting the data of our customers and their clients is fundamental to how we build and operate STACK.aero. Our security programme covers the full lifecycle of our platform — from how we develop software to how we respond to incidents — and is subject to ongoing review and improvement.
The service is hosted on Salesforce and Microsoft Azure cloud infrastructure, both of which hold certifications under a number of global compliance programmes. Both platforms maintain their own published SLAs and availability commitments.
All data in transit over public networks is secured using TLS. Confidential data at rest is encrypted using AES-256, including endpoint storage. Cryptographic standards are aligned with NIST SP 800-57.
Annual penetration tests are conducted against our applications and production network by independent security firms, with additional testing following major changes. Vulnerability scans run at least quarterly on public-facing systems.
STACK.aero maintains a documented business continuity and disaster recovery plan. Recovery objectives are defined for critical services and tested at least annually. Backups run daily and are stored encrypted in geographically separate locations.
Access is governed by role-based access control (RBAC) based on least privilege. All privileged production access requires multi-factor authentication (MFA). Access rights are reviewed annually and removed within 24 hours of offboarding.
A formal incident response programme is maintained with defined severity classifications, escalation paths, and breach notification obligations. Security events are documented, reviewed, and subject to root cause analysis for critical incidents.
Each user account requires a unique identifier. Credentials are never shared between users.
All privileged and production system access requires multi-factor authentication (MFA).
Passwords are stored using industry-standard one-way hashing with a unique cryptographic salt.
Account access is terminated within 24 business hours upon employee offboarding.
Each customer operates within their own dedicated environment. Sharing of environments between separate organisations is expressly prohibited.
Customer data is not used in development or test environments without explicit approval and removal of sensitive information.
Customer data remains the property of the customer at all times. STACK.aero does not own any customer data.
Upon subscription termination, customer data is deleted within 120 days.
Secure-by-design and privacy-by-design principles are applied across the development lifecycle, including least privilege, defence in depth, and separation of duties.
Production, staging, and development environments are strictly segregated.
All code changes are tested in a designated QA environment prior to production release.
Dependency scanning is performed during build processes to identify vulnerable components.
For security enquiries or to request further information: dpo@stack.aero