§§ trust · security

Security at AIRRNK.

“Trust is what gets typed into the browser bar. We treat every byte of customer data as if our own business depended on it — because it does.”

The AIRRNK team
99.97% Uptime · trailing 90 days
< 4 hr Recovery Time Objective
< 1 hr Recovery Point Objective

AIRRNK operates on a small number of hardened primitives: managed cloud infrastructure with strong defaults, single sign-on with no passwords to leak, end-to-end encryption, and an audit trail that actually gets read. The rest of this page is the specifics.

Infrastructure.

Edge + CDN
Cloudflare Enterprise. DDoS protection, WAF, and bot mitigation at the perimeter. Strict TLS 1.3, HSTS preload, and certificate pinning for sensitive endpoints.
Compute + database
Supabase (SOC 2 Type 2 attested) running Postgres in the EU Frankfurt region. No customer data leaves the region. Isolated per-workspace schemas; row-level security policies enforced at the database layer.
Object storage
Encrypted S3-compatible buckets with signed, short-lived URLs. Public read disabled by default.
Secrets
Managed in a dedicated vault, rotated quarterly, and never committed to source control. CI/CD uses short-lived OIDC tokens — no long-lived keys on runners.

Data at rest.

Database
AES-256 encryption managed by Supabase with keys in AWS KMS. Transparent to applications.
Backups
Encrypted daily snapshots retained for 30 days, stored in a separate region. Point-in-time recovery to any moment in the last 7 days.
Workstations
All engineer laptops enforce full-disk encryption (FileVault or LUKS), screen lock, and MDM-managed patch levels.

Data in transit.

Public endpoints
TLS 1.3 everywhere. Weak ciphers and SSLv3/TLS 1.0/1.1 disabled. A+ rating on Qualys SSL Labs.
Internal traffic
mTLS between services. No unencrypted internal hops.
Email
SPF, DKIM, and DMARC enforced on every automated sender. TLS-only outbound SMTP.

Authentication.

Magic-link sign-in
Passwordless by default. Links expire after 10 minutes and are single-use. No password to phish, leak, or reuse.
Two-factor authentication
TOTP and WebAuthn/passkeys coming Q2 2026. Required for all internal staff today.
Session management
30-day rolling sessions, HTTP-only cookies, CSRF tokens on every state-changing request. Sign out everywhere from Account → Sessions.

Access control.

Workspace roles
Three levels — Owner, Editor, Viewer. Principle of least privilege. Owners can invite, promote, or remove; Editors can configure scans; Viewers are read-only.
Audit logs
Every admin action, invite, billing change, and data export is logged with actor, IP, user-agent, and timestamp. Logs retained for 365 days; exportable by Owners.
Staff access
Engineering staff do not read customer scan data in the course of normal work. Elevated access requires explicit customer consent or a written legal obligation, and is itself logged.

Payments.

Processor
PayPal, PCI-DSS Level 1. We never see card numbers, CVVs, or PayPal login credentials — the checkout flow is hosted entirely on PayPal.
What we store
Only a PayPal payer ID, the last four digits (for receipts), plan, and billing events. Full card PANs never touch our systems.

Subprocessors.

Supabase
Database, auth, storage · Frankfurt, EU · SOC 2 Type 2
Cloudflare
CDN, WAF, DDoS, email routing · Global · ISO 27001, SOC 2
PayPal
Payment processing · PCI-DSS Level 1
Resend
Transactional email (sign-in, receipts)
PostHog
Product analytics · EU region · SOC 2 Type 2
Anthropic / OpenAI
LLM providers for report generation. Data sent = public content you asked us to analyze.

Compliance roadmap.

GDPR & CCPA
Compliant today. DPA available on request for enterprise customers.
SOC 2 Type 1
Observation period opened Q1 2026. Target attestation Q3 2026.
SOC 2 Type 2
Target attestation Q2 2027 following 12 months of Type 1 controls.
ISO 27001
Evaluation phase. No committed date yet.

Responsible disclosure.

Where to report
Submit through /contact and pick the Security topic. Please include a proof-of-concept and, if possible, a proposed fix.
PGP
Fingerprint B3C8 4E20 A1DD 9F5C 7B11 — full key published at /.well-known/pgp-key.asc.
Safe harbor
If you act in good faith, avoid privacy violations, and don’t degrade the service, we won’t pursue legal action for research that stays within this policy.
Scope
*.airank.tech and the public API. Third-party sub-processors are out of scope — report to them directly.
Acknowledgment
We respond within 48 hours and credit researchers in our Hall of Thanks unless you prefer to remain anonymous.

Incident response.

Detection
Monitored 24/7 by automated alerts on error rates, anomalous traffic, and data-egress spikes. On-call engineer paged within 5 minutes.
Triage
Incidents are classified P0–P3. P0 (customer data exposure) triggers immediate containment and a written log.
Customer notification
If customer data is materially affected, we notify affected customers by email within 24 hours of confirmation, with facts known at that time, and follow up with a post-mortem within 7 days.
Public disclosure
Confirmed incidents affecting the platform are publicly disclosed within 24 hours of containment.

§§ direct line

Questions or reports.

Security program questions, vendor risk assessments, or a responsible disclosure — we read every submission.

Security posture v2026.04 · Last updated April 17, 2026