Security & Compliance Overview
Summary
This document outlines the security, audit, and regulatory controls maintained by Jet Fuel Tenders LLC as a B2B platform supporting airline procurement and fuel supply operations. It is intended for procurement, legal, IT, and audit teams evaluating the platform.
A detailed security packet—including control documentation, network and data flow diagrams, and the most recent penetration test summary—is available to qualified prospects and customers under NDA. Contact [email protected] to request access.
Data Handling
Tenant isolation
Each customer's data is logically isolated. Suppliers can access only the tenders they are invited to; airlines can access only the tenders they create. Cross-tenant access is prevented by design and validated through automated controls.
Encryption in transit
All production traffic is encrypted using TLS 1.2 or higher (TLS 1.3 preferred).
Encryption at rest
Primary databases and object storage are encrypted using AES-256.
Password storage
Passwords are hashed using a modern slow-hashing algorithm with a unique per-user salt. No plaintext storage or recoverable (reversible) hashes are used.
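To illustrate what "slow hashing with per-user salts" means in practice, the following is an added example and not the platform's own code; the page does not name the vendor's algorithm or parameters. It assumes PBKDF2-HMAC-SHA256 from the Python standard library (scrypt or Argon2 would serve the same purpose) and a self-describing record format so the cost factor can be raised later without invalidating existing records.

```python
import base64
import hashlib
import hmac
import secrets

# Policy constants, assumed for this example (the page does not state the
# vendor's actual algorithm or cost parameters).
ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000   # OWASP's published floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a slow, salted hash and store it together with its parameters.

    A fresh random salt per record means two users with the same password get
    different stored values, so a leaked table cannot be attacked with one
    precomputed dictionary for everybody.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(key)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        algorithm, iterations_raw, salt_b64, key_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        iterations = int(iterations_raw)
    except (ValueError, TypeError):
        return False  # malformed record: never fail open
    if algorithm != ALGORITHM or iterations < 1 or len(expected) != KEY_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=KEY_BYTES)
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made under a weaker cost than current policy.

    Call this right after a successful login, while the plaintext is in hand,
    so older records are upgraded lazily as users sign in.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True
```

The stored string is the only thing the verifier needs, which is what makes a "recoverable hash" impossible here: nothing in the record can be turned back into the password, and a record produced under an older iteration count is flagged by needs_rehash rather than silently accepted forever.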
Document storage
Tender documents, compliance files, and signed bids are stored securely and accessed via time-limited, pre-signed URLs.
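The time-limited, pre-signed URL pattern described above works by binding a signature to the object path and an expiry, so a link cannot be retargeted or extended after it is issued. The block below is an added example, not the platform's code and not any particular cloud provider's URL format; it assumes an HMAC-SHA256 signature over method, path and expiry, a constructed signing key, and a clock passed in as a parameter so the expiry check can be exercised deterministically.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed signing key for the example; a real deployment keeps this in a
# secrets manager and rotates it.
SIGNING_KEY = b"example-signing-key-not-for-production"
DEFAULT_TTL_SECONDS = 300


def _message(method: str, path: str, expires: int) -> bytes:
    # The signature covers the verb, the exact object path and the expiry,
    # so changing any of them invalidates the link.
    return f"{method.upper()}\n{path}\n{expires}".encode("utf-8")


def presign(path: str, ttl_seconds: int = DEFAULT_TTL_SECONDS,
            method: str = "GET", now: Optional[int] = None,
            key: bytes = SIGNING_KEY) -> str:
    """Issue a link for one object that stops working after ttl_seconds."""
    expires = int(time.time() if now is None else now) + ttl_seconds
    sig = hmac.new(key, _message(method, path, expires), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify(url: str, method: str = "GET", now: Optional[int] = None,
           key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason) for a presented link."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    expires_raw = query.get("expires", [""])[0]
    sig = query.get("sig", [""])[0]
    if not expires_raw.isdigit() or not sig:
        return False, "missing or malformed parameters"
    expires = int(expires_raw)
    current = int(time.time() if now is None else now)
    # Authenticate the parameters first, then apply the (now trusted) expiry.
    expected = hmac.new(key, _message(method, parsed.path, expires),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if current > expires:
        return False, "expired"
    return True, "ok"
```

Because the expiry is inside the signed message, a recipient who edits the expires parameter to extend the link gets a signature mismatch rather than a longer-lived link, and because the path is signed, a link for one tender's bid cannot be pointed at another tender's document.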
Infrastructure & Hosting
Primary hosting
Application infrastructure runs across Tier-1 EU and US cloud providers. The full sub-processor list—including hosting, object storage, and content delivery—is available in the security packet under NDA.
Compliance certifications
Infrastructure providers maintain ISO/IEC 27001 certification and undergo regular third-party audits.
Backups
Encrypted backups are performed daily with defined retention policies.
High availability
The platform is designed for high availability with automated failover.
Access Control
Two-factor authentication (2FA)
Available for all users and required for administrative roles. Supports email OTP and TOTP authenticator apps.
Role-based access control (RBAC)
Admin, Manager, User, and Viewer roles with granular tender-level and contract-level permissions.
Single sign-on (SSO)
Google and Microsoft OAuth available on all plans; enterprise SSO (SAML, OIDC) available on request for Enterprise plans.
Session management
Session tokens are rotated on privilege changes, with configurable idle timeouts.
Internal access controls
Production access is restricted to a limited engineering team, protected by 2FA, and fully audit-logged. Non-technical personnel do not have access to production data.
Audit Logging
The platform maintains comprehensive audit trails suitable for procurement and financial review:
- All tender, bid, and contract records are versioned with field-level change tracking, including timestamps and user attribution.
- Authentication events (logins, failures, 2FA challenges, credential changes) are logged with relevant metadata.
- API and access logs are retained for defined periods to support security monitoring and debugging.
- Audit data is available to Enterprise customers on request.
Incident Response
- Business-hours support coverage with defined severity levels and response procedures.
- Automated alerting on authentication failures and security-relevant events; logs are reviewed regularly.
- Post-incident reviews are conducted and made available to affected customers on request.
- Breach notifications are issued in accordance with applicable regulations, including GDPR and CCPA.
Vendor Due Diligence
Sub-processors are reviewed on a recurring basis. The current list—including cloud hosting, email delivery, monitoring, analytics, and payment processing—is available in the security packet and updated as vendors change.
Regulatory Considerations
GDPR
Standard Contractual Clauses are available for international data transfers. Data subject rights are described in the Privacy Policy.
CCPA / CPRA
California privacy rights are supported in accordance with our Privacy Policy.
IATA Fuel Tender Standard
Bidirectional XML exchange aligned with IATA FTS for integration with airline ERP systems.
Export controls
The platform does not facilitate transactions involving sanctioned jurisdictions or restricted parties. Customers are responsible for compliance with applicable sanctions and trade regulations.
SAF Mandate Compliance
The platform supports tracking of Sustainable Aviation Fuel (SAF) compliance, including neat SAF volumes, voluntary blends, mandated percentages, and tiered pricing structures.
Customers remain responsible for ensuring that platform configurations align with applicable regulatory requirements (e.g., EU ReFuelEU Aviation, UK SAF mandate, US LCFS).
Security Packet
For full compliance documentation—including platform security controls, architecture diagrams, sub-processor list, penetration test summary, and business continuity materials—contact [email protected]. Access is provided under NDA, typically within two business days.