Flightline handles mortgage loan files, among the most sensitive data a lender holds. This page covers the API-specific security model. For formal compliance attestations (SOC 2, penetration tests, subprocessor list, and our full security posture) see the Flightline Trust Center:

Flightline Trust Center

SOC 2, controls, subprocessors, and compliance documentation. SOC 2 Type II is in progress; Type I is complete. Request reports and the current subprocessor list there.

Tenant isolation

Every request is scoped to exactly one organization, resolved from your API key, never from a request parameter or header. Isolation is enforced in two independent layers:
  1. The handler filters every query by your organization.
  2. The database session is bound to your organization via row-level security, so a missing filter still cannot return another tenant’s data.
A request for a review outside your organization returns 404 (never 403), so the API never confirms the existence of resources you can’t access.
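
The two layers described above, plus the 404-only response and the key-id-only audit record from the sections that follow, as an added example. This is illustrative code written for this page, not Flightline's implementation: it uses an in-memory SQLite database, and because SQLite has no row-level security the session-bound layer is modelled with a per-session context table and a view that joins against it (Postgres would use an RLS policy reading a session variable). The API keys, organization ids, review ids and the truncated-SHA-256 key identifier scheme are all constructed assumptions.

```python
import hashlib
import sqlite3
from typing import Optional

# Constructed sample data (not real Flightline keys, organizations or reviews).
SAMPLE_API_KEYS = {
    "flk_alpha_secret": "org_alpha",
    "flk_beta_secret": "org_beta",
}
SAMPLE_REVIEWS = [
    ("rev_a1", "org_alpha", "complete"),
    ("rev_b1", "org_beta", "in_progress"),
]


def open_database() -> sqlite3.Connection:
    """In-memory stand-in for the tenant database.

    SQLite has no row-level security, so the second isolation layer is
    modelled with a session context table plus a view that joins against it:
    every read through `scoped_reviews` is limited to the organization bound
    to the session, whether or not the caller remembered to filter.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE reviews (
            id TEXT PRIMARY KEY,
            org_id TEXT NOT NULL,
            status TEXT NOT NULL
        );
        CREATE TEMP TABLE session_ctx (org_id TEXT NOT NULL);
        CREATE TEMP VIEW scoped_reviews AS
            SELECT r.id, r.org_id, r.status
            FROM reviews r JOIN session_ctx s ON r.org_id = s.org_id;
        """
    )
    conn.executemany("INSERT INTO reviews VALUES (?, ?, ?)", SAMPLE_REVIEWS)
    return conn


def key_identifier(api_key: str) -> str:
    """Non-secret identifier for audit logs (assumed scheme: truncated SHA-256)."""
    return hashlib.sha256(api_key.encode()).hexdigest()[:12]


def resolve_org(api_key: str) -> Optional[str]:
    """The organization comes from the key only, never from request input."""
    return SAMPLE_API_KEYS.get(api_key)


def bind_session(conn: sqlite3.Connection, org_id: str) -> None:
    """Layer 2: pin the database session to exactly one organization."""
    conn.execute("DELETE FROM session_ctx")
    conn.execute("INSERT INTO session_ctx VALUES (?)", (org_id,))


def get_review(conn: sqlite3.Connection, org_id: str, review_id: str) -> Optional[dict]:
    """Layer 1: the handler filters explicitly by organization."""
    row = conn.execute(
        "SELECT id, status FROM scoped_reviews WHERE id = ? AND org_id = ?",
        (review_id, org_id),
    ).fetchone()
    return None if row is None else {"id": row[0], "status": row[1]}


def get_review_without_handler_filter(conn: sqlite3.Connection, review_id: str) -> Optional[dict]:
    """Same lookup with layer 1 deliberately omitted: layer 2 still contains it."""
    row = conn.execute(
        "SELECT id, status FROM scoped_reviews WHERE id = ?", (review_id,)
    ).fetchone()
    return None if row is None else {"id": row[0], "status": row[1]}


def handle_get_review(conn: sqlite3.Connection, api_key: str, review_id: str,
                      requested_org: Optional[str] = None):
    """Simulated GET /reviews/{id}. Returns (status_code, body, audit_record).

    `requested_org` stands in for any org hint a client might send in a
    parameter or header; it is ignored on purpose. Missing and cross-tenant
    reviews both yield 404, so the response never confirms that a resource
    exists. The audit record carries the key identifier, never the secret.
    """
    org_id = resolve_org(api_key)
    audit = {"org": org_id, "key_id": key_identifier(api_key), "route": "GET /reviews/{id}"}
    if org_id is None:
        audit["outcome"] = 401
        return 401, None, audit
    bind_session(conn, org_id)
    review = get_review(conn, org_id, review_id)
    audit["outcome"] = 200 if review else 404
    return (200, review, audit) if review else (404, None, audit)
```

Run `handle_get_review(open_database(), "flk_alpha_secret", "rev_b1")` to see the cross-tenant case answered with 404, and `get_review_without_handler_filter` after `bind_session` to see the session layer alone keep another tenant's row out.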

Encryption

  • In transit: all requests are served over TLS (HTTPS only). Plain-HTTP requests are upgraded to HTTPS or rejected. Document source URLs (for the JSON create variant) must be https.
  • At rest: documents and review data are encrypted at rest in AWS (us-west-2).

API keys

  • Keys are organization-scoped and bound to your tenant.
  • Verified live on every request, so a revoked key stops working immediately; there is no token cache to wait out.
  • Rotate or revoke at any time. Treat a key like a password: store it in a secret manager, never in source control, client-side code, or logs.
  • Keys are sent as Authorization: Bearer <key> (or X-Api-Key). We log only a non-secret key identifier, never the secret itself.

Webhook security

Outbound webhooks are HMAC-SHA256 signed (X-Flightline-Signature); verify every delivery and reject stale timestamps. See Webhooks. Webhook payloads carry only identifiers and status, never borrower data, so the report is always fetched back over an authenticated channel.
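
A receiver-side check for the signed deliveries described above, as an added example written for this page rather than Flightline's own code or SDK. The page names only the X-Flightline-Signature header; the exact signing scheme (hex HMAC-SHA256 over "<unix timestamp>.<raw body>"), the X-Flightline-Timestamp header carrying the timestamp, the 300-second freshness window, the secret and the sample payload are all assumptions constructed here, so confirm the real layout against the Webhooks documentation before relying on it.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed header names and signing scheme (only X-Flightline-Signature is named
# on the page; the timestamp header and the "<timestamp>.<body>" layout are
# assumptions for this example).
SIGNATURE_HEADER = "X-Flightline-Signature"
TIMESTAMP_HEADER = "X-Flightline-Timestamp"
MAX_SKEW_SECONDS = 300


def compute_signature(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over the timestamp and the raw (unparsed) body bytes."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: dict, body: bytes,
                    now: Optional[float] = None) -> bool:
    """Return True only for an untampered, fresh delivery.

    The timestamp is checked before the MAC so a replayed old delivery is
    rejected even though its signature is still valid, and the MAC is
    compared in constant time. `body` must be the exact bytes received:
    re-serialising parsed JSON changes them and breaks the signature.
    """
    now = time.time() if now is None else now
    lookup = {k.lower(): v for k, v in headers.items()}
    sig = lookup.get(SIGNATURE_HEADER.lower())
    ts_raw = lookup.get(TIMESTAMP_HEADER.lower())
    if sig is None or ts_raw is None:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = compute_signature(secret, ts, body)
    return hmac.compare_digest(expected, sig)


def handle_delivery(secret: bytes, headers: dict, body: bytes,
                    now: Optional[float] = None) -> Optional[dict]:
    """Verify, then extract only the identifiers the payload carries.

    Returns the review id and status to act on (the report itself is then
    fetched over the authenticated API), or None if the delivery is rejected.
    """
    if not verify_delivery(secret, headers, body, now):
        return None
    payload = json.loads(body)
    return {"review_id": payload["review_id"], "status": payload["status"]}


# Constructed sample delivery (not a real Flightline secret or event).
SAMPLE_SECRET = b"whsec_example_not_real"
SAMPLE_TIMESTAMP = 1_700_000_000
SAMPLE_BODY = json.dumps({"review_id": "rev_123", "status": "complete"}).encode()
SAMPLE_HEADERS = {
    TIMESTAMP_HEADER: str(SAMPLE_TIMESTAMP),
    SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_TIMESTAMP, SAMPLE_BODY),
}
```

In a real receiver, pass the raw request body bytes and the request's header mapping, and leave `now` unset so the freshness check uses the current clock; the `now` parameter exists so the replay case can be exercised deterministically.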

Data handling & retention

  • Review data and uploaded documents are stored encrypted in AWS (us-west-2) and processed only to produce your review.
  • Logs and the audit trail record request metadata (organization, key id, route, outcome), never API-key secrets or borrower PII.
  • Retention and deletion follow your agreement with Flightline. To request data deletion or specific retention terms, contact your Flightline representative or see the Trust Center.

Reporting a vulnerability

Email security@flightlinehq.com. Please do not file security issues in public channels.