AirOS Security & Privacy Policy
This Security & Privacy Policy explains how AirOS protects information, how we process data, and the controls we apply to keep your operational, airworthiness, and safety data secure. This policy is designed for safety-critical aviation environments and supports regulated operations where confidentiality, integrity, availability, and auditability are essential.
1. Scope
This policy applies to AirOS products, services, applications, APIs, integrations, and support channels. It covers customer data, user accounts, system logs, and any information processed while delivering AirOS services.
2. Our Security and Privacy Principles
AirOS is built around the following principles:
• Least Privilege – access is limited to what is required to perform a role.
• Defense in Depth – multiple layers of technical and procedural controls reduce risk.
• Privacy by Design – we minimize data collection and protect data throughout its lifecycle.
• Customer Control – customers own their data and define who can access it.
• Operational Resilience – systems are designed to remain available and recover quickly.
• Auditability – security-relevant actions are logged to support compliance and investigation.
3. Data We Process
AirOS may process the following categories of data depending on the modules you use:
• Account and Identity Data (e.g., names, email addresses, roles, authentication details).
• Operational Data (e.g., aircraft records, schedules, maintenance events, work orders, parts traceability).
• Safety and Compliance Data (e.g., SMS reports, risk assessments, investigations, controlled manuals).
• Documents and Attachments (e.g., PDFs, images, forms, evidence files, technical records).
• Technical and Usage Data (e.g., device type, IP address, browser information, system logs, performance metrics).
We collect only what is necessary to provide the service, maintain security, meet regulatory expectations, and improve product reliability.
4. Customer Ownership and Use of Data
You retain ownership of your data. AirOS processes customer data only to provide the services you request, operate the platform, prevent abuse, and support troubleshooting and customer support.
We do not sell customer data. We do not use customer data for advertising profiles. Where AI features are enabled, processing is performed to deliver the requested capability (e.g., summarisation, drafting, classification), and customer administrators can control availability through permissions.
5. Lawful Basis and GDPR Alignment
Where GDPR applies, AirOS processes personal data under appropriate lawful bases (such as contract performance, legitimate interests for security and service reliability, and legal obligations where applicable). Customers typically act as Data Controller for operational content, and AirOS acts as Data Processor when hosting and processing customer data on their behalf.
If required, we support data processing agreements (DPAs) and appropriate contractual safeguards for international transfers.
6. Data Minimisation, Retention, and Deletion
We apply data minimisation by design and store data only as long as necessary for the purposes described in this policy, including security, compliance, and contractual obligations.
Customers can request deletion of data in accordance with contractual terms, operational requirements, and any applicable legal retention obligations. Where deletion is requested, we action it within a reasonable timeframe and in a manner consistent with safety and audit requirements.
7. Access Control and Authentication
AirOS protects access to systems and customer environments through measures such as:
• Role-based access control (RBAC) aligned to operational responsibilities.
• Principle of least privilege for both users and internal administrators.
• Secure credential handling and modern authentication methods.
• Administrative controls to manage users, roles, and permissions.
Customers are responsible for securing user devices, managing user access, and promptly removing access for leavers or role changes.
8. Encryption and Key Protection
AirOS uses encryption to protect data in transit and at rest wherever practical and appropriate for the service. We also apply secure key management practices designed to prevent unauthorized decryption or access.
9. Infrastructure and Network Security
We use layered infrastructure controls to reduce risk, including network segmentation, hardened environments, secure configuration baselines, and monitoring for suspicious activity. Security controls are reviewed and improved as threats evolve.
10. Application Security
AirOS applies secure software development practices including code review, dependency management, and testing aimed at preventing common vulnerabilities (e.g., injection, broken access control, and insecure direct object references).
We also implement protections against misuse such as rate limiting, abuse detection, and safeguards around sensitive actions.
11. Logging, Monitoring, and Audit Trails
AirOS records security-relevant events to support platform reliability, investigation, and compliance needs. Logged events may include authentication activity, permission changes, administrative actions, and relevant system events.
Audit trails are designed to support regulated environments where traceability and accountability are required, while still applying privacy controls and minimising unnecessary exposure of personal data.
12. Incident Response and Breach Management
AirOS maintains an incident response process to detect, investigate, contain, and remediate security events. If we confirm a security incident involving customer data, we will notify affected customers in accordance with contractual terms and applicable legal obligations, providing information reasonably required to support your response.
13. Backups, Business Continuity, and Resilience
We implement measures to support service availability and recoverability, including backups and disaster recovery considerations appropriate to the service tier and deployment model (cloud or in-house deployment where applicable).
Customers remain responsible for their operational continuity planning and for validating that AirOS configuration meets their internal requirements.
14. AI Features and Safety-Critical Use
Where AI-assisted features are available, AirOS designs them for decision support, not autonomous authority. Customers should implement appropriate review and approval controls for safety-critical outputs (e.g., compliance interpretations, maintenance decisions, safety investigations).
AI-generated or AI-assisted content may be labelled and logged to support traceability. Human review remains essential for regulated actions.
15. Third-Party Subprocessors and Integrations
AirOS may rely on vetted third-party infrastructure providers (subprocessors) to deliver hosting, monitoring, communications, or other core service capabilities. We assess subprocessors for security and privacy posture and use contractual safeguards where appropriate.
Integrations you enable (e.g., Slack, Zapier, other tools) are optional and are governed by the third party's own terms and privacy practices. You control whether to connect these services and what data is shared through them.
16. User Responsibilities
You agree to:
• Use AirOS only for lawful and authorized purposes.
• Maintain strong password hygiene and protect authentication factors.
• Ensure users are assigned appropriate roles and permissions.
• Promptly notify AirOS if you suspect unauthorized access or a security issue.
• Avoid uploading content that is unlawful, malicious, or violates the rights of others.
17. Your Rights and Requests
Where applicable, individuals may have rights relating to their personal data (e.g., access, rectification, deletion, restriction, and objection). Because AirOS customers typically control operational datasets, requests may need to be handled via your organization (the Data Controller). AirOS will provide reasonable assistance as required under applicable data protection laws and contractual terms.
18. Changes to This Policy
We may update this policy to reflect new features, security improvements, legal requirements, or operational changes. When we do, we will update the "Last Updated" date above and provide notice where appropriate. Continued use of the service after changes take effect constitutes acceptance of the updated policy.
19. Contact
For security or privacy questions, to report a vulnerability, or to raise a data request, contact:
Email: [email protected]
Company: AirOS Operations Ltd
Address: Rose Chapel, Main Road, Gloucestershire, GL139JN
