Your deal data stays private.
No exceptions.
Aviation transactions are confidential by nature. FlareForge is built so your deal pipelines, counterparty relationships, and valuation work stay inside your organisation — encrypted, isolated, and fully under your control. Here’s exactly how we do it, and what we commit to in writing.
Built secure from the ground up.
Not bolted on after.
Six layers of protection built directly into the platform — covering your data, your credentials, your payments, and your team’s access.
Encryption in transit and at rest
All data moves over TLS 1.3. OAuth tokens and email integration credentials are encrypted at rest using AES-256-GCM. Database passwords are hashed with bcrypt. Nothing sensitive is stored in readable form.
Organisation-level data isolation
Every organisation is fully separated at the database layer. Your deals, contacts, and pipeline data are scoped exclusively to your firm. No other user or organisation can access your records under any condition.
Email access via OAuth 2.0 only
Gmail and Outlook connect through official OAuth 2.0 — the same standard used by Google and Microsoft themselves. We never ask for or store your email password. You can revoke access in one click from your settings at any time.
UK data residency
Production data is hosted on dedicated infrastructure inside London, UK. Daily encrypted backups are held across two separate offsite locations with a 30-day recovery window. Your data never leaves UK jurisdiction.
Payments via Stripe — PCI DSS Level 1
Subscription billing runs entirely through Stripe. Your card details never touch FlareForge servers — they go directly to Stripe, which holds PCI DSS Level 1 certification. We hold only an encrypted reference token.
Role-based access and session control
Admin and Member roles control what each person in your team can see and do. Inactive sessions close automatically. New team members require a verified email invite. All access changes are logged.
TLS 1.3 — Qualys SSL Labs grade A
Both flareforge.cloud and app.flareforge.cloud hold an A grade from Qualys SSL Labs — independently verified June 2026. TLS 1.3 is enforced on all connections. No legacy protocol support. No exceptions.
What we will never do.
Not buried in a terms document. Not subject to change without notice. These are hard commitments — written plainly, for aviation professionals who need to know exactly where their data goes.
Sell or share your data with third parties
Your deal pipelines, counterparty relationships, and interaction histories belong exclusively to your firm. We never sell, license, or share your data with any external party for any purpose.
Use your data to train AI models
Your deal data, valuations, uploaded documents, and workflow activity are never used to train AI models — by FlareForge or anyone else. Where FlareForge uses AI features, your inputs are processed to return a result and nothing more. They are never retained, shared with model providers for training, or used to improve any AI system.
Access your mailbox without your consent
Gmail and Outlook connections are opt-in, read-only, and revocable in one click from your settings. We only process what you explicitly connect. You stay in full control.
Store your payment card details
Card details go directly to Stripe and never pass through FlareForge servers. We hold only an encrypted token. We cannot see, store, or recover your card number.
Allow one firm to access another’s data
Organisations are isolated at the database level — not just in the interface. No user from another firm can view or query your data under any condition.
Retain your data after you leave
When you close your account, your data is permanently deleted. You can export everything first. There are no hidden retention windows and no secondary copies kept for our benefit.
Questions we get asked before anyone signs up.
Can FlareForge staff see my deals or contacts?
No. Your data is scoped to your organisation and is not visible to FlareForge staff under normal operations. If you raise a support request that requires us to investigate, any temporary access must be explicitly authorised by your account administrator and is fully logged.
What happens to my data if I cancel?
You can export everything before you leave — deals, contacts, documents, and transaction history. After cancellation, your data is held for 30 days to protect against accidental closure, then permanently deleted. No hidden copies, no secondary retention.
Is my email connection secure?
Yes. Gmail and Outlook connect via OAuth 2.0 — the same standard used by Google and Microsoft for third-party integrations. We never ask for or store your email password. You can disconnect your mailbox in one click from your settings at any time.
Where is my data physically stored?
Your data is stored on dedicated servers in London, UK. Daily encrypted backups are held across two separate offsite locations — Google Cloud Storage and Backblaze B2 — with a 30-day recovery window. Your data never leaves UK jurisdiction.
Is FlareForge UK GDPR compliant?
Yes. FlareForge is operated by Studio Launch Ltd, registered in England and Wales (No. 16430935). All data is processed within UK infrastructure under UK GDPR. We act as a data processor — your firm remains the data controller and retains full ownership of your data at all times.
Can I export everything before I decide?
Yes. You can export your full dataset at any time — PDF summaries, Excel workbooks, and CSV files across all modules. No lock-in, no friction, no need to contact support. Your data is yours to take whenever you choose.
Found a vulnerability?
Tell us first.
We take security reports seriously. If you discover a vulnerability in FlareForge, please contact us directly before disclosing it publicly. We commit to acknowledging every report within 72 hours and keeping you informed throughout our investigation.
security@flareforge.cloudWho you’re dealing with.
FlareForge is operated by Studio Launch Ltd, a private limited company registered in England and Wales. You can verify our registration on the Companies House public register at any time.
Studio Launch Ltd operates a suite of business platforms. The security architecture, data handling commitments, and legal framework described on this page apply across all products operated by Studio Launch Ltd.
Everything running.
See for yourself.
Real-time status checks run directly from your browser against our live endpoints. No third-party monitoring service. No cached results.
Active security maintenance.
Not a static document.
We publish a record of security-relevant changes to this page — so you can see that our security posture is actively maintained, not just written once and forgotten.
Talk to us before you commit.
If you handle confidential aviation transactions and want to understand exactly how your data is protected before signing up, we’re happy to walk you through it. No sales pitch. Just answers.
14-day free trial · No card required · Cancel any time