Security
Security

How ShuttleOps protects your data

Security is built into every layer of ShuttleOps — from the database engine to the API to the browser. Below is a transparent overview of the controls we have in place to keep your operational data safe.

TLS 1.2+ encryption in transit
AES-256 encryption at rest
Row-level security on every table
bcrypt password hashing
Multi-tenant data isolation

Encryption in Transit

  • All traffic between your browser and ShuttleOps is encrypted using TLS 1.2 or higher.
  • HTTP Strict Transport Security (HSTS) is enforced — plain-text connections are rejected.
  • API calls to third-party services (AviationStack, Supabase) are made exclusively over HTTPS.

Encryption at Rest

  • All database data is encrypted at rest using AES-256, managed by Supabase on AWS.
  • Backups are encrypted with the same standard and stored in isolated, geo-redundant locations.
  • Uploaded files and attachments are stored in encrypted object storage.

Row-Level Security (RLS)

  • Every database table has Row-Level Security enabled — no exceptions.
  • Queries are automatically filtered so each organisation only sees its own data, enforced at the database engine level.
  • Even a misconfigured API endpoint cannot return another tenant's data; RLS is the final defence.
  • Policies are scoped to authenticated identities using Supabase Auth JWT tokens.

Authentication

  • Passwords are hashed using bcrypt via Supabase Auth — we never store plaintext passwords.
  • JWT access tokens expire after 1 hour; refresh tokens are rotated on each use.
  • Driver accounts require explicit approval by an administrator before access is granted.
  • Driver invitations use single-use, time-limited tokens sent via email.
  • Role-based access control (RBAC) restricts features by role: coordinator, driver, platform admin.

Access Controls

  • Platform admin privileges are controlled at the database level, not via client-side logic.
  • The is_platform_admin function is housed in a private database schema not exposed via the REST API.
  • All database functions that bypass RLS run as SECURITY DEFINER with a fixed, locked search path.
  • The Supabase service-role key is never exposed to the browser or client-side code.
  • Environment variables and API keys are stored as server-side secrets, not in source code.

Infrastructure and Operations

  • ShuttleOps runs on Supabase (hosted on AWS), which maintains SOC 2 Type II compliance.
  • Database backups are taken daily with point-in-time recovery available.
  • Dependency updates and security patches are applied on a regular review cycle.
  • All API keys and secrets are rotated on a scheduled basis and whenever a team member departs.
  • Production and development environments are strictly separated.

Responsible Disclosure

We take security reports seriously. If you believe you have found a security vulnerability in ShuttleOps, please disclose it responsibly by emailing us directly. Do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate it (typically 90 days).

Please include: a description of the vulnerability, steps to reproduce, the potential impact, and any suggested fix if you have one. We will acknowledge your report within 2 business days.

Report a Vulnerability

Sub-Processors

ShuttleOps uses the following trusted third-party service providers to operate the platform. All sub-processors are contractually bound to handle data securely.

ProviderPurposeLocation
Supabase (AWS)Database, authentication, file storage, and edge functionsUS East (AWS)
AviationStackReal-time flight tracking data for crew trip managementEU / Global

Security questions?

Contact us for any security-related enquiries or concerns.

Contact Security Team

© 2026 ShuttleOps. All rights reserved.