Aero Analytics - Aircraft Performance Suite

1. Security Overview

We take the security of your data seriously. This page outlines our security measures, API usage practices, and compliance with data protection regulations. Our service uses industry-standard security practices to ensure safe and responsible use of flight information.

2. Schiphol API Security

This service uses the official Schiphol Airport REST API to obtain real-time flight information from the Central Information System Schiphol (CISS).

API Authentication

Our connection to the Schiphol API uses secure authentication:

API credentials (APP_ID and APP_KEY) are securely stored in environment variables
All API requests use HTTPS encryption
Authentication headers are never exposed to end users
We use API version 4 with header-based authentication for enhanced security

API Compliance

Intended Use Compliance: In accordance with Schiphol API Terms, this service is used exclusively for helping actual passengers and people picking up passengers. We do not use the API for:

Competitive analysis
Claims regarding EU Regulation 261/2004
Commercial purposes unrelated to actual travel

3. Data Transmission Security

All data transmission is protected using modern security standards:

HTTPS Only: All connections use SSL/TLS encryption
HSTS Enabled: HTTP Strict Transport Security prevents downgrade attacks
Secure Headers: Security headers protect against common vulnerabilities
No Mixed Content: All resources loaded over secure connections

4. Data Storage Security

24-Hour Data Limit: In compliance with Schiphol API Terms, all flight data is cached for a maximum of 24 hours. No permanent flight history database is maintained.

Our data storage practices ensure minimal data retention:

Flight data is temporarily cached in memory for performance
Cache automatically expires after 5 minutes for real-time accuracy
No personal user data is stored on servers
Consent status stored only in browser localStorage
All cached data is automatically purged after 24 hours

5. Application Security Measures

Our application implements multiple layers of security:

Input Validation

All user inputs are validated and sanitized to prevent injection attacks

Rate Limiting

API requests are rate-limited to prevent abuse and ensure fair usage

Error Handling

Secure error handling prevents information leakage

Regular Updates

Dependencies are regularly updated to patch security vulnerabilities

6. API Usage and Rate Limits

To ensure responsible API usage and maintain service availability:

API calls are cached to minimize requests to Schiphol servers
Pagination is properly implemented (20 results per page)
Automatic retry logic with exponential backoff
Real-time data refresh every 10 minutes
Background cache warming to improve performance

API Request Headers

Accept: application/json
ResourceVersion: v4
app_id: [SECURED]
app_key: [SECURED]

7. User Privacy Protection

We implement strict privacy protection measures:

No user accounts or registration required
No personal travel data collected or stored
No tracking cookies or analytics
Consent data expires automatically after 24 hours
All data processing complies with GDPR requirements

8. Security Incident Response

In the event of a security incident:

Immediate investigation and containment
Assessment of impact and affected data
Notification to affected users within 72 hours (GDPR requirement)
Remediation and prevention measures
Documentation and lessons learned

9. Responsible Disclosure

We welcome security researchers to responsibly disclose vulnerabilities. If you discover a security issue:

Do not exploit the vulnerability
Provide detailed information about the issue
Allow reasonable time for patching
Do not disclose publicly until fixed

Please report security issues through our contact information.

10. Compliance and Certifications

Our security practices comply with:

General Data Protection Regulation (GDPR)
Dutch Data Protection Laws
Schiphol API Terms and Conditions
Industry best practices for web security

Security Contact

For security concerns, vulnerability reports, or questions about our security practices, please contact us through the information provided on our website. We take all security reports seriously and will respond promptly.