DroneEye — The Sky Where Every Flight Becomes a Mission
Security

Security at DroneEye

We take the security of your data, your documents, and your account seriously. Here's how we protect you.

Last reviewed: April 2026

Security practices

Authentication

  • JWT-based access tokens with short expiry
  • Refresh tokens stored in HttpOnly cookies
  • Token rotation on every refresh
  • Automatic logout on token expiry or invalid signature
  • Role-based access control (CLIENT, PILOT, ADMIN)

Data encryption

  • All data in transit is encrypted via TLS 1.2+
  • Passwords are hashed using bcrypt before storage
  • Session cookies are flagged Secure and HttpOnly
  • Sensitive document files are stored with access control checks

Infrastructure

  • Backend services run in isolated containers
  • Database is not directly accessible from the public internet
  • File uploads are validated for type and size before storage
  • Rate limiting applied to authentication endpoints

Privacy by design

  • Only the minimum required data is collected per operation
  • Profile data is visible only to authenticated, authorised users
  • Admin access to user data is logged and auditable
  • Soft-delete is used — data is retained briefly before permanent removal

Document security

  • Pilot qualification documents are stored server-side, not exposed publicly
  • Document URLs are scoped and validated server-side before serving
  • Admins review all submitted documents — no automatic trust

Application security

  • All API inputs are validated with Bean Validation (Jakarta)
  • SQL injection is prevented via JPA parameterised queries
  • CORS is configured to restrict cross-origin access
  • CSRF protection via SameSite cookie policy

Responsible disclosure

If you discover a security vulnerability in DroneEye, we ask that you report it to us privately before disclosing it publicly. We are committed to working with security researchers in good faith.

Please do not attempt to access other users' data, run automated scanners against production systems, or perform any action that could impact platform availability.

Our commitments to researchers

  • We review all security reports within 2 business days
  • We will not take legal action against good-faith researchers
  • We will acknowledge confirmed issues and describe the fix once resolved
  • We ask that you do not publicly disclose issues until we have patched them

Report a vulnerability

Send a detailed description of the issue, including steps to reproduce it, to our security team via the contact form. Please include "Security Report" in the subject line.

Report a security issue