AviationAlley stores training records, NSP evaluation results, instructor certifications, and trainee data — all of which can become evidence during an FAA audit. We treat that data the way a Part 142 director of training would: tightly scoped, role-gated, encrypted, and recoverable.
Every record carries a centerId foreign key to a single training-center workspace. Server-side queries are filtered by the active center on every request — there is no code path that returns data from a sibling tenant.
Workspace members are scoped by role: Owner, Admin, Manager, Technician, Instructor, Viewer. Manager-and-above is required for Reports and the manual compliance digest. Admin-and-above is required for Settings and member management.
Traffic to AviationAlley is served exclusively over TLS. Database storage on our managed Postgres provider is encrypted at rest with AES-256. Session secrets and API keys are stored as environment variables, never in source control.
Application and database run in U.S. regions on Vercel and a managed Postgres provider. No data leaves U.S. infrastructure as part of normal operation.
Authentication is session-based via better-auth. Sessions live in the sessions table with 7-day expiry, are revoked on sign-out, and are scoped to the issuing browser. Trainee portal links use unguessable per-trainee tokens and are never indexed.
Compliance items, NSP evaluations, work orders, and training records carry timestamps and user attribution. An in-product audit log records every mutation with actor, action, entity, and a structured metadata payload — sufficient for FAA audit prep without giving auditors direct database access.
If you believe you've found a vulnerability in AviationAlley, please email support@aviationalley.com. Include reproduction steps and an estimate of impact. We acknowledge reports within two business days and prioritize fixes by severity. Please don't run automated scans against production endpoints — coordinate with us first.
Join the waitlist