Security

StratusLog is the system of record for your school’s schedule, flight history, student progress, and billing. We design and operate the product with that responsibility front of mind.

• In transit. All connections to the Service use TLS 1.2 or higher. HSTS is enforced.
• At rest. Sensitive credentials — Stripe secret keys, OAuth refresh tokens for Google and Calendly — are encrypted with AES-256-GCM before being persisted.
• Passwords. User passwords are stored as hashes using a modern, salted, slow hashing algorithm. We never see your plaintext password.

• Role-based permissions. Owners, chief instructors, instructors, and front desk each see only what their role permits.
• Row-level isolation. Multi-school operators have data isolated per school at the database level — never cross-readable.
• Least privilege. Internal access to production systems is limited to a small set of operators, audited, and re-reviewed periodically.
• Multi-factor authentication. Available for all accounts; required for administrator and operator roles.

We use Stripe Connect for invoicing and payment processing. Card details are entered directly into Stripe-hosted forms; full card numbers never touch our servers. We retain only the Stripe customer and invoice identifiers needed to display payment status and reconcile balances.

• Production hosted on reputable U.S. cloud infrastructure with physical security controls, redundancy, and audited compliance.
• Automated database backups with point-in-time recovery.
• Application and infrastructure logs centralized and retained for security review.
• Continuous dependency monitoring; security patches applied promptly.

• Customer Data is processed only to operate, support, and improve the Service.
• We do not sell personal data and do not use student or flight-record data to train third-party machine-learning models.
• You can export your school's data at any time from the app.
• On account deletion, personal data is removed within 30 days, subject to legal-retention obligations.

We maintain an internal incident response process covering detection, containment, investigation, and customer notification. If we determine that a security incident materially affected the confidentiality, integrity, or availability of your Customer Data, we will notify affected school owners without undue delay and, in any case, within the time required by applicable law.

We welcome reports from security researchers and operators. If you believe you have found a vulnerability, please email support@getstratuslog.com with the subject line “Security report.” Please provide enough detail for us to reproduce, and give us a reasonable window to remediate before any public disclosure. We will acknowledge your report within two business days.

We ask that you do not exploit a vulnerability beyond what is necessary to demonstrate it, do not access or modify data belonging to others, and do not disrupt the Service.

StratusLog is operated in alignment with applicable U.S. privacy laws and prepares Customer Data handling with EU and UK GDPR-equivalent principles in mind. We are not currently HIPAA-regulated and the Service should not be used to store protected health information beyond the limited medical-expiry date field common to flight-training records.

For app-store distribution, our data-handling disclosures are mirrored in the Apple App Privacy and Google Data safety sections of the respective listings.

Security inquiries: support@getstratuslog.com.