Security Policy
Version 2.0
Last updated: February 2026
Introduction
This Security Policy defines the principles, responsibilities and measures adopted by Cleared Tech FZE and Cleared Aerospace group companies to protect information and information systems.
Security Objectives
Confidentiality
Information is accessible only to authorized persons
Integrity
Information is accurate, complete and unaltered
Availability
Information is accessible when needed
Traceability
Activities are recorded and reconstructable
Compliance Standards
Our security policy is aligned with the following standards:
- GDPR - Art. 32 - Security of processing
- ISO/IEC 27001 - Information Security Management System
- OWASP Top 10 - Most critical application vulnerabilities
- PCI-DSS - Payment data security (via Stripe)
- NIST - Cyber risk management framework
Information Classification
All information is classified into four levels:
| Level | Description | Examples |
|---|---|---|
| PUBLIC | Freely distributable information | Website, marketing |
| INTERNAL | Information for internal use | Internal procedures |
| CONFIDENTIAL | Sensitive information | Customer data, source code |
| SECRET | Critical information | Cryptographic keys, health data |
Access Control
Fundamental Principles
- Need-to-know: Access only to data needed for the role
- Least privilege: Minimum necessary permissions
- Separation of duties: No user can complete a critical process alone
- Defense in depth: Multiple layers of control
Authentication
- Password: minimum 12 characters, complexity required
- MFA mandatory for administrators and production access
- Session timeout: 15 min (admin), 30 min (users)
- Account lockout after 5 failed attempts
Authorization (RBAC)
Access is based on roles with granular permissions:
| Role | Access |
|---|---|
| SUPER_ADMIN | Full platform administration |
| ORG_OWNER | Full organization management |
| ORG_ADMIN | User and configuration management |
| INSTRUCTOR | Student, flight, briefing management |
| PILOT | Bookings, personal log |
Encryption
In Transit
- TLS 1.3 on all HTTPS connections
- HSTS enabled (1 year)
- Perfect Forward Secrecy (PFS)
At Rest
- AES-256-GCM for database and storage
- AWS KMS for key management
- Automatic key rotation (annual)
Passwords
- Hash with Argon2id
- Unique salt per password
- Never stored in plain text
Application Security
We follow a Secure Development Lifecycle (SDL) for software development.
OWASP Top 10 Mitigations
| Vulnerability | Mitigation |
|---|---|
| Broken Access Control | Server-side RBAC, audit log |
| Cryptographic Failures | TLS 1.3, AES-256, Argon2 |
| Injection | Parameterized queries, ORM |
| XSS | Output encoding, Content Security Policy |
Secure Development Lifecycle
- Security requirements in analysis phase
- Threat modeling in design phase
- Secure coding standards and code review
- Security testing (SAST, DAST, pentest)
- Hardening and security monitoring
Security Testing
- Static Application Security Testing (SonarQube)
- Dependency scanning (Dependabot, Snyk)
- Annual third-party penetration test
Vulnerability Management
Vulnerabilities are classified and remediated according to defined SLAs:
| Severity | CVSS | Remediation SLA |
|---|---|---|
| Critical | 9.0 - 10.0 | 24 hours |
| High | 7.0 - 8.9 | 7 days |
| Medium | 4.0 - 6.9 | 30 days |
| Low | 0.1 - 3.9 | 90 days |
Incident Management
We have a structured process for security incident response:
Incident Response Process
- Preparation: Documented plan, trained team, ready tools
- Identification: Detection through monitoring, log analysis, reports
- Containment: Isolation, blocking, quarantine
- Eradication: Root cause removal, patching, cleanup
- Recovery: Service restoration, integrity verification
- Lessons Learned: Post-incident analysis, improvements
Incident Classification
| Level | Description | Response |
|---|---|---|
| P1 - Critical | Severe production impact, data breach | Immediate, all teams |
| P2 - High | Significant impact, degradation | Within 1 hour |
| P3 - Medium | Limited impact, no data breach | Within 4 hours |
Business Continuity and Disaster Recovery
We ensure operational continuity with defined objectives:
RTO
4 hours
Recovery Time Objective - Maximum time for recovery
RPO
1 hour
Recovery Point Objective - Maximum acceptable data loss
Implemented Measures
- Multi-AZ deployment (high availability)
- Cross-region replica for disaster recovery
- Auto-scaling for resilience
- Daily encrypted backups
- Quarterly DR testing
Physical Security
Physical security is ensured at multiple levels:
Data Center (AWS)
- We exclusively use certified AWS data centers
- SOC 2 certification
- ISO 27001 certification
Corporate Devices
- Mandatory disk encryption (FileVault/BitLocker)
- Mobile Device Management for all devices
- Remote wipe enabled
Monitoring and Audit
We perform continuous system monitoring:
- Real-time monitoring: Automatic alerts on anomalies
- Centralized logging: All security events tracked
- Alerts and notifications: Automatic escalation for incidents
- Periodic audits: Quarterly control review
Vulnerability Reporting
If you discover a security vulnerability, we encourage you to report it responsibly:
Reporting email: security@cleared.aero
We practice responsible disclosure and appreciate good-faith reports.
Contact
For security questions:
Security Team: security@cleared.aero
Data Protection Officer: dpo@cleared.aero
Cleared Technologies S.r.l.