ForeFlight Security

ForeFlight implements industry best practices and follows established standards for security and privacy to attain compliance with widely accepted frameworks. This, in turn, assists our subscribers in meeting their own compliance requirements by upholding high-level security measures and privacy protocols. For any additional questions or security issues identified, please reach out to security-team@foreflight.com.

Compliance Certifications and Memberships

  • ISO 27001:2013 - ForeFlight has earned the globally recognized ISO 27001 certification, demonstrating our ongoing commitment to robust security management and rigorous data protection protocols. ISO 27001 is one of the most widely acknowledged international standards outlining best practices for an information security management system (ISMS). This certification not only reassures our customers of the high-level security measures we have in place but also solidifies our pledge to continuous improvement in information security.
  • ISO 9001:2015 - ForeFlight Houston, Austin, and Portland have earned the globally recognized ISO 9001 certification, demonstrating its commitment to quality management systems (QMS). ISO 9001 sets out a framework of principles and processes that organizations can follow to ensure they consistently deliver high-quality products and services, meet customer expectations, and continually improve their operations.
  • CMMC Level 2 Readiness (DRAFT) - ForeFlight has received a draft CMMC level 2 readiness report. CMMC is a unified standard implemented by the U.S. Department of Defense (DoD) to enhance the cybersecurity practices of defense contractors and safeguard sensitive government information.
  • SOC 2 Type 2 Report EXPECTATION - ForeFlight is on track to achieve compliance with SOC 2 by Q2 of 2024. SOC stands for Service Organization Control, and it is a framework developed by the AICPA to assess and report on the controls implemented by service organizations. SOC 2 specifically focuses on the security, availability, processing integrity, confidentiality, and privacy of data within a service organization.
  • IRAP - ForeFlight has achieved compliance with IRAP. The Information Security Registered Assessors Program (IRAP) is established by the Australian Signals Directorate (ASD) to support the secure delivery of government services and promote the protection of sensitive government information. IRAP compliance demonstrates an organization's commitment to information security and its ability to protect sensitive government information.
  • FedRAMP EXPECTATION - ForeFlight has contracted with a 3PA0 and is working with a sponsor to be FedRAMP authorized and listed on the FedRAMP Marketplace by Q4 2024. FedRAMP (Federal Risk and Authorization Management Program) authorization refers to the adherence of cloud service providers (CSPs) to the security standards and requirements established by the U.S. federal government. FedRAMP is a government-wide program that aims to ensure the security, privacy, and risk management of cloud services used by federal agencies.

Cloud Security

  • ForeFlight hosts data in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. View AWS Compliance information here.
  • AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and your data. View AWS Data Center Controls information here.
  • AWS physical location security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. View AWS Physical Security information here.

Vendor Security

  • ForeFlight reduces risks associated with third-party vendors by performing security assessments on vendors with access to our systems or data.

Network Security

  • ForeFlight’s dedicated Security Team is prepared and able to respond to security alerts and events in a timely manner.
  • ForeFlight’s network is protected through the use of key AWS security services, penetration tests, and network defense technologies that can detect and monitor our resources for malicious downloads and traffic.
  • Our networks and their resources are constantly monitored by AWS native solutions as well as third-party applications. 
  • ForeFlight participates in several vulnerability information sharing programs. We receive updates from these channels and take action based on the associated risk.
  • Access to ForeFlight’s network and resources is restricted by the principle of least privilege and audited on a quarterly basis. Multi-factor authentication as well as logging enhances the security of our environment. 
  • Employees are required to complete security awareness training and appropriate personnel are equipped with the proper tools to run through security incident response processes/runbooks. 
  • All employees undergo a preemployment background check. 

Encryption

  • ForeFlight works to ensure communications are encrypted via industry standard HTTPS/TLS 1.2 or higher over public networks.
  • Data is encrypted at rest in AWS using AES-256 bit key encryption.

Secure Code Practices

  • ForeFlight uses the NIST Special Publication SP 800-64 "Security Considerations in the System Development Life Cycle" as part of its controls to meet both 800-171 and 800-53 moderate.
  • Using SP 800-64 explains the significance of considering security early in the SDLC and provides an overview of security activities and controls that should be incorporated during each phase.

NDA Resources

The following resources may require an NDA on file. Please reach out to security-team@foreflight.com for more information.

  • Annual Penetration Test Summary
  • Business Continuity and Disaster Recovery Test Summary
  • ISO 27001:2013 Certification Report
  • ISO 9001:2015 Certification Report
  • IRAP Certification Report