Security at SkyRule
SkyRule is built to help drone users make better-informed decisions. Because the service may involve account data, location checks and aviation-related information, we take security seriously.
Current security approach
SkyRule currently uses a modern web stack including frontend hosting and deployment, backend database and authentication, transactional email, domain/DNS management and source-code control.
We use established providers in each category and review them as the product develops. If new services such as NOTAM APIs, map providers, satellite imagery, geocoding, analytics or payment providers are added, they are reviewed for security, privacy, cost and contractual risk before production use.
Location privacy
In the current map implementation:
- location is requested only when the user chooses to use it;
- the browser/device asks for permission;
- coordinates are used to update the map and alerts;
- coordinates are not sent to our backend database;
- coordinates are not stored in the database;
- location disappears when the browser is refreshed or closed.
This is deliberate. We do not want to collect precise location data unless it is necessary for a feature the user has chosen.
Data minimisation
We aim to collect only what SkyRule needs. For example:
- if we only need to know whether a user has an Operator ID, we do not need the actual ID number;
- if location can be checked in-session, we do not need to store it;
- if a feature can work without background tracking, we avoid background tracking.
Authentication
SkyRule uses account authentication to protect user access. Users should keep their email accounts secure because magic links or one-time passwords (OTPs) may be sent by email. Users should not share login links or OTPs.
Database and access control
We aim to apply:
- least-privilege access;
- separation between development and production environments;
- controlled admin access;
- database access controls;
- audit awareness;
- secure handling of environment variables and secrets;
- no secret API keys exposed in client-side code.
Encryption
SkyRule uses HTTPS/TLS for data transmitted between the user's browser and the service.
Where appropriate, data is protected by database/provider security controls. If SkyRule later stores actual Operator ID or Flyer ID numbers, we will apply stronger protection, such as column-level encryption or vault-style key management, so that sensitive identifiers are not casually visible in the backend.
Third-party providers
SkyRule depends on trusted providers for hosting, authentication, email, source control and other services. We review provider use as SkyRule develops.
If we add new services such as NOTAM APIs, map providers, satellite imagery, geocoding, analytics or payment providers, they should be reviewed for:
- data protection;
- security;
- cost;
- reliability;
- contractual terms;
- international transfers;
- ability to restrict API keys;
- service-level support;
- incident response.
Future security improvements
As SkyRule grows, we should add:
- formal access reviews;
- admin two-factor authentication enforcement;
- production/development separation;
- database backup review;
- logging and monitoring;
- vulnerability scanning;
- dependency scanning;
- rate limiting;
- security incident playbook;
- privacy impact assessments for location and NOTAM features;
- supplier register updates;
- disaster recovery planning;
- formal data retention schedule;
- penetration testing before major public launch.
Reporting security issues
If you believe you have found a security issue in SkyRule, contact us at contact@skyrule.app. Please do not publicly disclose security issues until we have had a reasonable opportunity to investigate.
