01 Security Philosophy
At TDY.ai, LLC d/b/a TODAY, security is foundational to everything we build. Flightplan handles sensitive workforce planning data — resource profiles, project schedules, capacity analytics, and organizational structures — and we treat the protection of this data as our highest priority.
Our security program is built on the principles of defense in depth, least privilege access, and continuous monitoring. We implement multiple layers of security controls across infrastructure, application, and operational domains to ensure your data remains protected.
SOC 2 Type II audit in progress
02 Infrastructure Security
2.1 Cloud Hosting
Flightplan is hosted on Microsoft Azure in United States datacenters. Azure maintains comprehensive compliance certifications including SOC 1/2/3, ISO 27001, ISO 27018, HIPAA, FedRAMP, and more.
2.2 Network Architecture
Our infrastructure uses a layered network design with strict isolation between tiers:
- Load Balancer Tier — Blue/Green load balancers handle SSL termination and route traffic. Active-active configuration ensures high availability.
- Application Tier — Application servers reside on a private network (10.1.0.0/16), accessible only through the load balancer tier. No direct internet access to application servers.
- Database Tier — Azure-managed MySQL with private endpoints, network access restricted to the application tier only.
2.3 DDoS Protection
Azure Load Balancer provides built-in DDoS protection at the network layer. NGINX rate limiting and connection throttling provide application-layer protection. Fail2ban provides automated IP banning for malicious traffic patterns across 9 active jails.
2.4 Firewall & Access Control
- Azure Network Security Groups (NSGs) restrict traffic to only necessary ports and protocols
- SSH access requires key-based authentication — password authentication is disabled
- Management access is restricted to authorized IP ranges
- Fail2ban intrusion prevention with automated blocking for brute-force and scanning attempts
03 Data Encryption
3.1 Encryption at Rest
All data stored in Flightplan is encrypted at rest using AES-256 encryption, managed through Azure storage encryption. Database backups are also encrypted using the same standard.
3.2 Encryption in Transit
All communications between your browser and Flightplan are encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections — HTTP requests are automatically redirected to HTTPS. Internal service-to-service communication within the private network uses encrypted channels.
3.3 Secrets Management
All sensitive credentials, API keys, and encryption keys are stored in Azure Key Vault with hardware security module (HSM) backing. Secrets are never stored in source code, configuration files, or environment variables on disk. Key rotation policies are enforced for all managed secrets.
AES-256 at rest | TLS 1.2+ in transit | Azure Key Vault
04 Authentication & Access Control
4.1 User Authentication
- JWT Tokens — Stateless, time-limited access tokens with automatic refresh mechanism
- Bcrypt Password Hashing — Industry-standard password hashing with adaptive cost factor
- Secure Cookie Storage — Authentication tokens stored as HTTP-only, Secure, SameSite cookies
- Session Management — Configurable session timeouts and automatic token expiration
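The cookie attributes listed above can be checked from any captured response. This is an added example, not Flightplan code: the function names, finding codes and sample `Set-Cookie` headers are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attrs).

    Attribute names are case-insensitive, so they are lower-cased.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(header):
    """Return finding codes for one auth cookie; an empty list means it passes."""
    _name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing-httponly")   # token readable by page JavaScript
    if "secure" not in attrs:
        findings.append("missing-secure")     # token may travel over plain HTTP
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("missing-samesite")   # behaviour left to browser defaults
    elif samesite.lower() == "none":
        findings.append("samesite-none")      # sent on every cross-site request
    elif samesite.lower() not in ("lax", "strict"):
        findings.append("invalid-samesite")
    return findings


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in set_cookie_headers}


# Constructed sample headers (not captured from any real service).
SAMPLE_HEADERS = [
    "access_token=constructed.jwt.value; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=900",
    "refresh_token=constructed-value; Path=/; SameSite=None",
    "prefs=dark; path=/; secure; HTTPONLY; samesite=lax",
]

if __name__ == "__main__":
    for cookie, result in audit_response(SAMPLE_HEADERS).items():
        print(cookie, result or "ok")
```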
4.2 Role-Based Access Control (RBAC)
Flightplan implements a comprehensive RBAC system with both platform-level and organization-level roles:
- Platform Roles — Super Admin, Org Admin, Client — controlling platform-wide permissions
- Organization Roles — Owner, Admin, Member — controlling organization-level access and operations
Each API endpoint enforces role-based permissions. Organization data isolation ensures users can only access resources within their own organization.
4.3 API Security
- All 200+ API endpoints require authentication (JWT bearer tokens or API keys)
- Rate limiting applied per-user and per-organization to prevent abuse
- Input validation via Pydantic schemas on all API requests
- CORS policy restricts cross-origin requests to authorized domains
05 Application Security
5.1 Secure Development Practices
- Input Validation — All user input is validated through Pydantic schemas before processing
- SQL Injection Prevention — SQLAlchemy ORM with parameterized queries — no raw SQL
- XSS Protection — SecureDOM + DOMPurify for all client-side DOM manipulation; Content Security Policy headers
- CSRF Protection — SameSite cookie policy and token-based CSRF mitigation
- Dependency Management — Regular security audits of third-party dependencies
5.2 Frontend Security
- DOMPurify sanitization for all dynamic content rendering
- SecureDOM wrapper prevents direct innerHTML usage with user input
- Strict Content Security Policy (CSP) headers
- Subresource Integrity (SRI) for CDN-loaded assets
5.3 Multi-Tenant Data Isolation
Flightplan is a multi-tenant platform with strict organization-level data isolation. Every database query is scoped to the authenticated user’s organization. Cross-organization data access is architecturally impossible through the application layer.
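An added illustration of organization-scoped queries, not Flightplan's code. It assumes a hypothetical `projects` table and `TenantRepo` class, and uses the standard-library `sqlite3` module with parameterized statements in place of the SQLAlchemy ORM so that it runs stand-alone.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data: two organizations with one project each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE projects ("
        "id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO projects (id, org_id, name) VALUES (?, ?, ?)",
        [(1, 100, "Apollo"), (2, 200, "Borealis")],
    )
    return conn


class TenantRepo:
    """Data access bound to one organization.

    org_id is taken from the verified session when the repo is built,
    never from a request parameter, so handlers cannot choose a tenant.
    """

    def __init__(self, conn, org_id):
        self._conn = conn
        self._org_id = org_id

    def list_projects(self):
        cur = self._conn.execute(
            "SELECT id, name FROM projects WHERE org_id = ? ORDER BY id",
            (self._org_id,),
        )
        return cur.fetchall()

    def get_project(self, project_id):
        # Filter on id AND org_id: an id guessed from another tenant gives None.
        cur = self._conn.execute(
            "SELECT id, name FROM projects WHERE id = ? AND org_id = ?",
            (project_id, self._org_id),
        )
        return cur.fetchone()

    def rename_project(self, project_id, new_name):
        cur = self._conn.execute(
            "UPDATE projects SET name = ? WHERE id = ? AND org_id = ?",
            (new_name, project_id, self._org_id),
        )
        return cur.rowcount  # 0 means no such project in this organization
```

A handler that receives only a `TenantRepo` has no code path that reads or writes another organization's rows, which is the property to confirm in review and in tests.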
06 Monitoring & Incident Response
6.1 Security Information & Event Management (SIEM)
Flightplan employs Microsoft Sentinel for comprehensive security monitoring:
- Real-time log aggregation from all servers (load balancers, application, database)
- Custom analytics rules for anomaly detection and threat identification
- Automated alerting for suspicious activities including brute-force attempts, unauthorized access, and configuration changes
- Azure Monitor Agent (AMA) installed on all production servers for continuous telemetry
6.2 Uptime Monitoring
Dedicated monitoring infrastructure (Uptime Kuma) tracks the availability of all services with sub-minute polling intervals. Public status page available for real-time service health visibility.
6.3 Incident Response
Our incident response process follows established protocols:
- Detection — Automated alerts from Sentinel, Uptime Kuma, and system health checks
- Triage — Severity classification (Critical, High, Medium, Low) with escalation procedures
- Containment — Immediate isolation of affected systems to prevent spread
- Resolution — Root cause analysis and remediation
- Notification — Affected customers notified within 24 hours for critical incidents, 72 hours for others
- Post-Mortem — Documented review with preventive measures for all significant incidents
07 Business Continuity & Disaster Recovery
7.1 High Availability
- Blue/Green Load Balancers — Active-active configuration ensures no single point of failure at the edge
- Automated Failover — Azure Load Balancer health probes automatically route traffic away from unhealthy instances
- Zero-Downtime Deployments — Gunicorn graceful reload ensures no request interruption during updates
7.2 Data Backups
- Automated daily database backups with Azure-managed retention
- Point-in-time restore capability for the database
- Encrypted backup storage with geo-redundancy
- Regular backup restoration testing to verify integrity
7.3 Maintenance Windows
Planned maintenance is performed during our scheduled window: Sundays, 2:00 AM — 6:00 AM Mountain Time. Emergency maintenance outside this window is performed only when necessary to address critical security issues, with advance notification when possible.
08 Compliance & Certifications
8.1 Current Status
- SOC 2 Type II — Audit in progress
- GDPR — Compliant with EU data protection requirements
- CCPA/CPRA — Compliant with California privacy requirements
8.2 Infrastructure Certifications (via Microsoft Azure)
Our Azure hosting infrastructure maintains the following certifications: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, CSA STAR, FedRAMP, HIPAA, PCI DSS, and more. Full details available on the Azure Compliance page.
8.3 Data Processing Agreements
Enterprise customers may request a Data Processing Agreement (DPA) that details our obligations as a data processor. Contact legal@tdy.ai to request a DPA.
09 Responsible Disclosure
We value the security research community and encourage responsible disclosure of potential vulnerabilities. If you discover a security issue in Flightplan, please report it to:
When reporting, please include:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- The potential impact of the vulnerability
- Any suggestions for remediation
We commit to:
- Acknowledging receipt within 24 hours
- Providing an initial assessment within 5 business days
- Keeping you informed of remediation progress
- Not pursuing legal action against researchers who follow responsible disclosure practices
Please do not access, modify, or delete data belonging to other users during your research. Do not publicly disclose the vulnerability until we have had reasonable time to address it.
10 Contact
For security-related inquiries, reports, or requests:
- Security Team: security@tdy.ai
- Privacy Team: privacy@tdy.ai
- Legal: legal@tdy.ai
For additional details on our data handling practices, see our Privacy Policy. For uptime commitments, see our Service Level Agreement.