| Document | Data Security Policy |
| Document owner | Stratose Technologies FZ-LLC |
| Version | 1.0 |
| Effective date | 01 May 2026 |
| Jurisdiction | United Arab Emirates — Dubai |
| Governing law | UAE Federal Law and Dubai law |
| Classification | Confidential — Stratose Internal & Counterparty Use |
| Prepared by | Stratose Compliance, Privacy & Legal Department |
| Approver | Chief Executive Officer / General Counsel, Stratose Technologies |
Section 1
Introduction
This Data Security Policy (the "Policy") sets out the technical and organizational measures (TOMs) that Stratose Technologies FZ-LLC applies to protect the confidentiality, integrity, and availability of Personal Data and aviation operational data processed through the Stratose enterprise platform (the "Platform"). The Policy is aligned with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL"), the UAE Information Assurance Standards published by the UAE Cybersecurity Council, the National Electronic Security Authority Information Assurance Standards (NESA IAS), ISO/IEC 27001:2022, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Trust Services Criteria, ICAO Doc 8973 (aviation cybersecurity), IATA Aviation Cyber Security Position, and EASA Part-IS where applicable.
Section 2
Purpose
- Ensure the confidentiality, integrity, and availability of data processed through the Platform.
- Reduce risk to data subjects, customers, and Stratose to an acceptable level commensurate with criticality.
- Demonstrate accountability under the PDPL and customer-facing security commitments.
- Reconcile general information-security best practice with aviation-specific cybersecurity expectations.
Section 3
Scope
This Policy applies to all Stratose information assets, all personnel and Sub-Processors, and all phases of the data lifecycle (collection, processing, storage, transmission, archival, disposal).
Section 4
Governance
4.1 Roles
| Role | Responsibility |
| Chief Information Security Officer (CISO) | Owns the security programme. Reports to the CEO and the Audit and Risk Committee. |
| Data Protection Officer (DPO) | Privacy oversight. Coordinates with the CISO on PDPL alignment. |
| Aviation Safety & Security Lead | Aligns the security programme with GCAA, ICAO, EASA, and IATA cybersecurity expectations. |
| Engineering Security Champions | Embed security into product development; threat-model new features; review high-risk changes. |
| Personnel | Comply with this Policy and report security concerns or events to security@stratose.aero. |
4.2 Policy hierarchy
This Policy sits at the top of the Stratose security policy hierarchy and is supported by topic-specific standards (Access Control, Cryptography, Secure Software Development, Vulnerability Management, Vendor Risk, Cloud Configuration, Endpoint Security, Mobile EFB Security, Acceptable Use), procedures, and runbooks.
Section 5
Risk Management
- Annual enterprise risk assessment by the CISO with input from Engineering, Aviation Safety, Legal, and Customer Success.
- Threat modelling for every new module and material feature, using STRIDE and aviation-specific threat libraries.
- Data Protection Impact Assessment (DPIA) under PDPL Article 21 for high-risk processing.
- Continuous risk monitoring through security telemetry, attack-surface management, and customer/researcher disclosures.
Section 6
Asset Management
- All information assets (systems, applications, datasets, devices, identities) are inventoried and classified.
- Data classification: Public, Internal, Confidential, Restricted, Aviation-Safety-Critical. The classification drives encryption, access, retention, and disposal.
- Lifecycle controls: secure procurement; configuration baselines; periodic review; secure decommission per the Data Retention Policy.
Section 7
Access Control
7.1 Identity
- All Stratose personnel access is provisioned via single sign-on with phishing-resistant multi-factor authentication (FIDO2 / passkeys / hardware tokens).
- Customer end-user authentication supports SAML 2.0 and OpenID Connect; password authentication is disabled by default for production tenants.
- Joiners-Movers-Leavers process integrated with HR; access is recertified at least every 6 months and within 24 hours on role change.
7.2 Authorisation
- Role-Based Access Control (RBAC) enforced across the Platform; least-privilege defaults.
- Just-In-Time (JIT) elevation for production access via a documented change ticket; sessions are time-bound and recorded.
- Segregation of duties between development, test, and production environments; no Stratose engineer has standing read-write access to production customer data.
7.3 Customer access controls
- Tenant isolation via logical separation enforced at the data, application, and identity layers.
- Customer-managed admin roles for user provisioning, role management, and audit-log access.
- Optional customer-managed encryption keys (BYOK) for production data, integrated with AWS KMS or Azure Key Vault.
Section 8
Cryptography
| Use case | Standard |
| Data in transit (public networks) | TLS 1.2 minimum, TLS 1.3 preferred; ECDHE-based key exchange; HSTS enforced; mTLS for system-to-system. |
| Data in transit (private networks) | TLS 1.2+ with internal CA; service-mesh mTLS where deployed. |
| Data at rest (databases, object stores, archives) | AES-256-GCM with envelope encryption; KMS-managed keys with annual rotation. |
| Data at rest (endpoints) | Full-disk encryption (FileVault, BitLocker) on all corporate devices. |
| Backups | AES-256 encryption with separate key custody; immutable storage where required. |
| Secrets | Stored in HashiCorp Vault or cloud-native secrets managers; never in code or unprotected configuration. |
| Cryptographic agility | Algorithm choices reviewed annually against NIST PQC and CNSA 2.0 timelines. |
Section 9
Network and Infrastructure Security
- Defence in depth: edge WAF, DDoS protection (cloud-native), origin protection, segmented VPC, private endpoints for data services.
- Bastions and zero-trust access for administrative pathways; no inbound SSH from the public internet.
- Egress filtering for production VPCs; data-loss prevention monitors high-risk channels.
- Continuous monitoring via SIEM and EDR; anomaly detection backed by behavioural baselines.
- Vulnerability management: weekly authenticated scans; monthly attestation; CVE remediation within 7 days (critical), 30 days (high), and 90 days (medium).
- Independent penetration testing at least annually and after major architectural changes.
- Bug bounty / responsible disclosure programme published at /.well-known/security.txt.
Section 10
Secure Software Development
- Security training mandatory for all engineers (OWASP Top 10, mobile EFB security, supply-chain).
- Threat modelling at design time; security review gates at code-review and pre-release stages.
- Static analysis (SAST), software composition analysis (SCA), dynamic analysis (DAST), and infrastructure-as-code scanning integrated into CI/CD.
- Signed builds; SLSA Level 3 supply-chain controls for production artefacts; SBOMs maintained per release.
- Pre-production environments use synthetic or pseudonymized data; production data is not copied into non-production environments.
- Change management with peer review, staging deployment, blue/green or canary release, and post-release monitoring.
Section 11
Aviation-Specific Security Controls
- EFB integrity (Stratbook/EFB): signed binaries, runtime integrity attestation, jailbreak/root detection on iOS/Android, MDM integration with Stratose-approved baselines, offline-mode data confidentiality.
- Flight planning chain-of-custody: cryptographic signing of OFP outputs; tamper-evident audit trail from upload through dispatch release; immutable record of release authority.
- CAMO data integrity (CAR M / CAR-145 records): append-only logs for safety-significant changes; dual control on releases-to-service edits; full audit on AD/SB compliance updates.
- Crew rostering and currency (CrewOps / EFJL): controls preventing publication of rosters that breach FTL/duty regulations; dual approval for retroactive duty edits.
- Cargo/dangerous goods (Cargo & Baggage): strong access controls on dangerous-goods records; separation of acceptance, loading, and incident-investigation duties.
- Aviation network segregation: Stratose has no connectivity to Aircraft Information Domains as defined in ARINC 811. Where a Stratose component sits within an Airline Information Services Domain, additional segregation, device hardening, and one-way data diodes are used per ICAO Doc 8973 and EASA Part-IS where applicable.
Section 12
Endpoint and Mobile Security
- Corporate-managed laptops with EDR, full-disk encryption, screen locking, automatic patching, and DLP.
- BYOD prohibited for production access; corporate-issued, MDM-enrolled devices only.
- iOS/Android EFB devices: MDM enrolment, supervised mode, app allowlist, OS-version floor, certificate pinning, secure-boot attestation.
Section 13
Email, Collaboration, and Communications
- Authenticated email (SPF, DKIM, DMARC reject) with anti-phishing and impersonation protection.
- Sensitive messaging defaults to encrypted channels; classified communications use designated approved tools.
- Personnel awareness on social engineering, AI-enabled impersonation, and aviation-specific pretexting.
Section 14
Logging and Monitoring
- Centralised logging covering identity, application, infrastructure, network, and cloud-control-plane events.
- Log retention 12 months online plus archive per the Data Retention Policy.
- 24/7 monitoring by the Stratose Security Operations team and a contracted MDR provider.
- Detections aligned with MITRE ATT&CK and aviation-specific threat indicators.
Section 15
Vendor and Sub-Processor Security
- Pre-contract due diligence: security questionnaire, evidence (SOC 2, ISO 27001, penetration test reports), legal review.
- Tiered vendor risk model with annual reassessment; high-risk vendors are reassessed every 6 months.
- Contractual flow-down of security obligations, audit rights, breach notification, and PDPL processor terms.
- Sub-Processor list maintained at https://stratose.co/legal/sub-processors and notified to customers per the DPA.
Section 16
Personnel Security
- Background checks proportionate to role and jurisdiction (right-to-work, education, employment, criminal where lawful).
- Mandatory acceptance of the Acceptable Use, Confidentiality, and IP-assignment terms at onboarding.
- Annual security awareness training; role-specific training for engineering, support, finance, and aviation operations.
- Documented JML processes, with revocation of access and recovery of assets within 24 hours of termination.
Section 17
Physical Security
- Stratose offices use access-controlled doors, CCTV at entry points, visitor sign-in, and clear-desk requirements.
- Server hosting is fully cloud-based; no Stratose-operated data centres. Physical security of cloud regions is contractually owned by AWS, Microsoft Azure, and Oracle Cloud, with SOC 2 / ISO 27001 assurance available on request.
Section 18
Business Continuity and Disaster Recovery
| Tier | RTO | RPO | Application |
| Critical operational modules (CrewOps, EFJL, Stratbook/EFB, PSS/GDS day-of-departure) | 4 hours | 15 minutes | Active-passive cross-AZ; cross-region failover tested quarterly. |
| Standard operational modules (CAMO, Fuel, Cargo & Baggage) | 8 hours | 1 hour | Active-passive cross-AZ. |
| Commercial modules (post-departure analytics) | 24 hours | 4 hours | Single-region with cross-region backups. |
| Internal corporate systems | 48 hours | 24 hours | Cloud-native restore. |
Full DR exercise at least annually; functional failover test quarterly; tabletop exercises twice a year.
Section 19
Incident Response
Personal Data Breaches and security incidents follow the Stratose Data Breach Response Policy. Severity classification, notification timing, and aviation-regulator interfaces are defined in that policy and implemented by the Security Operations and Privacy teams.
Section 20
Compliance and Audit
- Stratose targets SOC 2 Type II and ISO/IEC 27001 certification. Status is published in the Trust Centre.
- Independent audit at least annually; surveillance audits semi-annually.
- Customer audit rights under the MSA and DPA, exercisable annually and on incident.
Section 21
Exceptions
Exceptions to this Policy require written approval from the CISO and DPO, a documented compensating control, a defined expiry date, and tracking in the Exceptions Register. Exceptions affecting aviation-safety-critical data additionally require sign-off from the Aviation Safety & Security Lead.
Section 22
Enforcement
Breach of this Policy may result in disciplinary action up to and including termination of employment or engagement, contractual claims against Sub-Processors, and notification to regulators where the breach amounts to a Personal Data Breach within the meaning of the PDPL or a reportable cybersecurity event under aviation regulation.
Section 23
Policy Review
This Policy is reviewed at least annually and after every material incident or regulatory change.
Section 24
Contact
Report security concerns to security@stratose.co. Researchers: see /.well-known/security.txt for responsible-disclosure terms. Privacy queries to privacy@stratose.co.
Section 25
Document Control
| Version | Date | Author | Change Summary |
| 1.0 | 01 May 2026 | Stratose Compliance, Privacy & Legal | Initial UAE-jurisdictioned issue with aviation cybersecurity controls. |