Security
How Aviator Avenue protects your data and API infrastructure.
Authentication
API keys are hashed with SHA-256 and never stored in plaintext. The raw key is transmitted exactly once at creation and cannot be retrieved again.
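The hash-only storage pattern described above, as an added example in Node.js; it is not Aviator Avenue's code. The key format, the in-memory store and all function names are assumptions for illustration.

```javascript
const crypto = require('node:crypto');

// Stand-in for the database table (assumption): keyId -> hex SHA-256 digest.
// The raw key never appears in it.
const keyStore = new Map();

// Plain SHA-256 is adequate here because the key is 256 bits of random data,
// not a human-chosen password that would need a slow, salted hash.
const sha256Hex = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

// Create a key. The raw value is returned to the caller once; only its digest is kept.
function issueApiKey() {
  const keyId = crypto.randomBytes(6).toString('hex');          // non-secret, safe to log
  const secret = crypto.randomBytes(32).toString('base64url');  // 43 chars, 256 bits
  const rawKey = `ak_${keyId}_${secret}`;                       // constructed format
  keyStore.set(keyId, sha256Hex(rawKey));
  return { keyId, rawKey };
}

// Verify a presented key. Returns the keyId on success, null otherwise.
function verifyApiKey(presented) {
  if (typeof presented !== 'string') return null;
  const m = /^ak_([0-9a-f]{12})_([A-Za-z0-9_-]{43})$/.exec(presented);
  if (!m) return null;                          // malformed: reject before any lookup
  const stored = keyStore.get(m[1]);
  if (!stored) return null;                     // unknown or revoked key id
  const a = Buffer.from(sha256Hex(presented), 'hex');
  const b = Buffer.from(stored, 'hex');
  // Both buffers are 32 bytes, so timingSafeEqual cannot throw on length mismatch.
  return crypto.timingSafeEqual(a, b) ? m[1] : null;
}
```

Embedding a non-secret key ID in the key lets request logs record the ID alone, and a leaked copy of the store yields only digests.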
Transport
All API traffic is encrypted over HTTPS with TLS 1.2+. Plain HTTP requests are rejected.
Data at rest
Database encrypted via Supabase (AES-256). Backups encrypted. No PII beyond email address in account records.
Rate limiting
Per-key quota enforcement on authenticated endpoints. IP-based rate limiting (100 req/hr) on public endpoints. Route validation is billed proportionally to points checked.
Logging
All API requests logged with timestamp and key ID. Logs retained 90 days. No coordinates are linked to personally identifiable information.
Infrastructure
Vercel (EU edge nodes), Supabase (EU Frankfurt), Stripe (PCI-DSS Level 1 compliant). No self-hosted servers.
Incident response
Security issues: [email protected]. We respond within 48 hours and notify affected users of any data breach.
Compliance posture
We're a young product building for trust. SOC 2 certification is on our roadmap as we grow into enterprise customers. We're happy to answer specific security questionnaires — reach out to [email protected].