Security Documentation for Operators

PAXP Security Overview for Aviation Operators

Security evidence for operator PART-IS compliance

Document Version: 1.0 | Effective Date: November 7, 2025

PAXP is a secure SaaS platform providing real-time flight operations management for private aviation. This document outlines security controls implemented to support operator compliance with EASA PART-IS and GDPR requirements.

Key Security Highlights

AES-256-GCM encryption (at rest & in transit)

100% GDPR compliant

Zero PII storage architecture

Multi-tenant isolation (database-enforced)

Zero known vulnerabilities

EU data residency (Frankfurt, Germany)

SOC 2 / ISO 27001 certified infrastructure

24-hour breach notification

1. Data Protection

1.1 Encryption Standards

Data at Rest

Algorithm: AES-256 (AWS KMS managed keys)
Provider: Supabase PostgreSQL (ISO 27001, SOC 2)
Location: EU-West-1 (Frankfurt, Germany)
Key Management: HSM-backed (FIPS 140-2 Level 3)

Data in Transit

Protocol: TLS 1.3
Certificate: Let's Encrypt (auto-renewed)
HSTS: Enabled (max-age=31536000)
Cipher Suites: Strong only (no RC4, no SSL3)

Application-Level Encryption

Algorithm: AES-256-GCM (authenticated encryption)
Use: Leon API credentials, OAuth tokens
IV: Random 16 bytes per encryption
Auth Tag: 128 bits (prevents tampering)

1.2 Data Minimization & Privacy by Design

PAXP stores NO passenger personal data
All passenger data is fetched in real-time from your Leon system, displayed immediately, then discarded.

Not Stored by PAXP

No passenger names
No passport numbers
No dates of birth
No passport images
No email/phone (passenger)

What PAXP Stores

Operator account details
User credentials (hashed)
Flight operational data
Crew duty records (30 days)
Audit logs (no PII)

1.3 Data Location & Residency

Data Type	Location	Provider	Certification
Database (primary)	EU (Frankfurt)	Supabase	ISO 27001, SOC 2
Application hosting	Global CDN (EU priority)	Vercel	SOC 2 Type II
AI processing	EU (Switzerland)	Microsoft Azure	ISO 27001

2. Access Control & Authentication

2.1 Authentication Mechanisms

Multi-Factor Authentication

Required for all user accounts
Email-based OTP (6-digit code)
5-minute code expiration
Rate limited (5 attempts per 15 min)

Session Management

JWT tokens (HTTP-only cookies)
Session expiration: 7 days
Secure flag enabled (HTTPS only)
Auto-logout after 24h inactivity

2.2 Multi-Tenant Isolation

Database-Enforced Isolation: Row-Level Security (RLS) policies ensure each operator can ONLY access their own data. Cross-tenant access is impossible at the database level and cannot be bypassed by the application layer.

-- Example RLS policy
CREATE POLICY "operators_isolation" ON flights
  FOR ALL USING (operator_id = auth.operator_id());

3. API & Application Security

Rate Limiting

40/min (passport uploads)
100/min (general API)
20/15min (login attempts)

Input Validation

All inputs sanitized
Type checking (TypeScript)
SQL injection prevention

Security Headers

X-Frame-Options: DENY
X-Content-Type-Options
HSTS enabled

Current Security Status

Zero known vulnerabilities (npm audit: 0 vulnerabilities)
OWASP Top 10 (2021) mitigations implemented
Weekly automated security scans
Security patches applied within 48 hours (critical)

4. Incident Response & Business Continuity

4.1 Security Incident Notification

Notification Timeline

Within 24h:Operators notified of security incidents

Within 72h:Detailed incident report provided

Support:Assistance with CAA/EASA notifications (if required)

4.2 Business Continuity

Recovery Objectives

RTO: 4 hours (recovery time)
RPO: 1 hour (max data loss)
Uptime: 99.9% target

Backup & Recovery

Automated daily backups
30-day point-in-time recovery
Quarterly restoration tests

5. Supporting Operator PART-IS Compliance

PART-IS Requirement	PAXP Security Control
Access Control	MFA, RBAC, RLS database isolation
Cryptography	AES-256-GCM, TLS 1.3, secure key management
Incident Management	24-hour operator notification, breach support
Business Continuity	RTO: 4h, RPO: 1h, tested procedures
Supplier Relationships	SOC 2/ISO 27001 certified sub-processors
Compliance	100% GDPR, audit rights, documentation

Note: PAXP provides technical security controls. Operators remain responsible for PART-IS compliance and CAA/EASA coordination.

6. Contact Information

Security Inquiries

Email: security@zeaai.co

Response Time: 24 hours

Incident Reporting

Emergency Email: security@zeaai.co

Monitoring: 24/7

Compliance & Audit Support

Email: compliance@zeaai.co

Response Time: 5 business days

General Support

Email: support@zeaai.co

Website: www.zeaai.co

This document may be shared with current and prospective operators, auditors (internal, CAA, EASA), compliance teams, and third-party assessors.

For Auditor Use: This document demonstrates that PAXP implements technical security controls sufficient for operator PART-IS compliance.

Document Control: Version 1.0 | Date: November 7, 2025 | Classification: Public - For Operator Use

Next Review: February 7, 2026 (quarterly)