Information Security

Flightdocs is committed to delivering uncompromising data protection at all times, with the highest standards of security for your peace of mind.


Uncompromising Data Protection

Your data is protected by the highest standards of security.


Application Monitoring

  • All user access to Flightdocs is continually and automatically logged.
  • Access logs are retained for at least a year and periodically audited.
  • Applications are monitored for security and data breaches.
  • System status page lists availability, maintenance, and security events.
  • Flightdocs maintains a formal incident response plan for major events.

Application Security

  • The web application implementation follows OWASP guidelines.
  • Requires strong passwords and MFA with optional single sign-on.
  • User passwords are stored salted and irreversibly hashed.
  • Administrators can easily review user sign-ins and account changes.
  • Vulnerability scans and penetration tests are performed regularly.

System & Data Security

  • SOC Type II Certified, the highest of all SaaS certifications available.
  • US-based SSAE18 data centers with state-of-the-art security.
  • Deployed on Amazon Web Services with multiple geo-replicated backups.
  • 256-bit SSL encryption and protection against SQL and XSS exploits.
  • Continuous 24/7/365 system monitoring and 99.99% SLA uptime.

Secure Development Life Cycle

All software development is done through a documented SDLC process. The design of all new product functionality is reviewed by a security team that conducts code reviews for all code changes, from architecture to sensitive code.

Flightdocs actively supports and encourages continual secure code training for our fully US-based product development team. This training covers OWASP Top 10 security flaws, common attack vectors, and Flightdocs security controls.


Secure Data Network Access

Data access and authorizations are provided on a need-to-know basis, and based on the principle of least privilege. Access to the production system is restricted to authorized personnel, and is carried out using VPN with Active Directory authentication.

All Flightdocs servers are located within the Flightdocs Virtual Private Cloud (VPC) and are fully protected by restricted security groups, allowing only the minimal required communication to and between the VPC servers.

Delivering Innovative, Powerful, and Secure Technology

Continuous investment in our products and infrastructure ensures you have the most advanced tools for managing your operation, while giving you peace of mind that your data is secure and accessible at all times.

Our commitment to the evolution of our products starts with our 100% US-based product development team. We work closely with operations of all shapes and sizes in order to build easy-to-use yet powerful solutions.

  • Agile Development
  • Developer API
  • 100% US Based
  • Secure Data
  • 99.99% uptime

SOC 2 Certified

The Flightdocs information security practices, policies, and procedures officially meet the SOC 2 trust principles criteria for security, availability, processing integrity, and confidentiality. SOC 2 is a third-party auditing program that ensures a service provider securely manages data to protect the interests of its clients.

For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider. As a part of all SOC 2 Examinations, our external auditor confirms that Flightdocs has formally documented policies and procedures relating to our information security program.

Frequently Asked Questions

Get answers to our top questions around security, reliability, privacy, and compliance.

Does Flightdocs adhere to information security standards?

Flightdocs’ information security practices, policies, and procedures are officially approved to meet the SOC 2 trust principles criteria for security, availability, processing integrity, and confidentiality.

What access control or permissions features does Flightdocs provide?

  • Flightdocs provides audit logs when users access data and for administrator activities.
  • Flightdocs provides role-based access control for administrator activity and to sensitive data.

Does Flightdocs actively monitor and report security breaches to users?

Yes. Flightdocs maintains a publicly available system-status web page which includes system availability details, scheduled maintenance, service incident history, and relevant security events.

Does Flightdocs provide multifactor authentication options for user access?

Yes. In addition, user passwords are salted, irreversibly hashed, and stored in Flightdocs’ database.

Will Flightdocs share information on your internal controls?

We have put a great deal of work into something we call our Flightdocs Control Framework (ACF), which combines the controls from external regulatory requirements and industry standards. We utilize this framework to implement controls internally and use external companies to evaluate and validate the implementation and operation of our controls. You can view the status of any of our certifications or reports on our Compliance page.

Where can I find Flightdocs’ security and technology policies?

Flightdocs can provide a standard documentation package for customers outlining our Information Security Program.

Who has access to our data?

For Enterprise Customers, we’ve outlined our approach in our Flightdocs Privacy Policy.

Is data stored on Flightdocs cloud products encrypted?

Flightdocs encrypts customer data in transit and at rest. All customer data stored within Flightdocs cloud products and services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.1+ with Perfect Forward Secrecy (PFS) to protect it from unauthorized disclosure or modification. Data drives on servers holding customer data and attachments in FDE use full disk, industry-standard AES-256 encryption at rest.

Is Transport Layer Security (TLS) always used for data encryption on Flightdocs cloud products?

Yes, all Flightdocs Cloud systems only use TLS, along with PFS, for communication. In line with industry standards, we have removed support for SSL 3.

Does Flightdocs audit its cloud security?

We have an extensive security program that includes ongoing testing of our hosted systems and products. We also undertake third-party independent assessments of our Cloud products. Our primary testing approach is through our public bug bounty for all of our cloud products and our server products.

Can we undertake our own security testing?

In line with our Terms of Use for our cloud products, we currently do not allow customer-initiated testing. We are committed to being open and will publish statistics from our bug bounty program once it is public.

I found a vulnerability in one of your products. How do I report it?

If you discovered a vulnerability in one of our products, we would appreciate it if you let us know so we can get it fixed ASAP.

Can you complete my security questionnaire?

Flightdocs will absolutely complete questionnaires to ensure transparency and ensure the requester understands the total Flightdocs commitment to security and integrity. We have compiled responses to some of the most frequent standard questions and also proactively provide the standard Information Security Program.

What responsibilities does Flightdocs maintain during a security incident?

Here at Flightdocs, we try our best to ensure our customers don’t experience an outage or a security incident. However, we acknowledge that a security incident has the potential to happen. The standard Flightdocs Information Security Program documents the Flightdocs procedures during a security incident.

What is SP-initiated SSO?

This is when users enter their username in Enterprise and Enterprise redirects them to the IdP sign-in page.

What is IdP-initiated SSO?

This is when users go to their company portal and click the Enterprise app there to access it without additional signing in.

What do I need to set up SSO?

An IdP, such as Microsoft® Active Directory, Azure AD, or LDAP, that supports either SAML 2.0 or OIDC protocols.

Is there a process to enable new users to be automatically provisioned?

No. All user accounts must be created in Enterprise before a user can sign in with SSO.

Do you require artifact-based federation?

No. We support artifact, but do not require it. We also support HTTP POST and HTTP Redirect.

Do you require encryption in sign-in flows?

We support but do not require encryption. We utilize HTTPS URLs for all posts and redirects on both sides, but it is not a requirement.

Do all Enterprise users have the same access?

No. Permissions are 100% managed inside of Enterprise. The IdP will be responsible for identifying users and granting them access through perimeter security.

How are users mapped or linked between Enterprise and the IdP?

There is flexibility in how mapping is achieved. The ideal mapping configuration is established through a collaboration between Flightdocs and you. To establish an initial mapping, the first time a user signs in, we map from the IdP name identifier attribute to the Enterprise username. The attribute we map to is configurable per customer.

Do you provide a non-production environment for SSO testing?

Yes. We provide a sandbox environment in which SSO can be tested and validated.

Do you support SSO in your native iOS and Android apps?

Yes. We support SP-initiated SSO in the mobile apps. The IdP-hosted web interface facilitates the SSO process.

Do you support SAML token encryption?

Yes. We support all modern and secure encryption protocols.
