Trust · Sealed at Issuance

Auditor-ready,
by construction.

A Flightline report is the evidentiary record itself. Sealed at issuance, independently verifiable for seven years, and reconstructable without our systems in the loop.

Verify any Flightline report.

Paste a document ID. We confirm the SHA-256 digest against the record we sealed at issuance. No login, no integration, no account required.

Document ID

Every Flightline report is SHA-256 sealed at issuance. Paste a document ID to confirm authenticity against our records.

Enter a document ID and hit verify to see the result.

Frameworks & attestation

SOC 2® Type 1

Johanson Group LLP · AICPA Trust Services Criteria

Report issued · May 2026

PEN

Penetration tested

Aikido Security · April 2026

Passed · Report on file

GDPR

Data residency

US East · US West · optional EU

Encrypted at rest · AES-256

Four pillars of defensibility.

§ 01 · SEAL

Sealed at issuance.

Every report is fingerprinted with a SHA-256 digest at the moment of issuance and stored alongside the record in our audit trail. The digest covers every page, every citation, every signed disposition. If a single byte is altered post-issuance, the fingerprint no longer matches. The signed report and its digest are retained for the full retention window and provided on request.

AlgorithmSHA-256

StorageAudit trail · per-tenant

Retention7 years · renewable

AccessOn request to your auditors

§ 02 · DATA

Loan files never leave encrypted custody.

Files are encrypted in transit with TLS 1.3 and at rest with AES-256. Keys are rotated quarterly; per-tenant keys are never co-mingled. Flightline has read access to your files only for the duration of the review.

In transitTLS 1.3

At restAES-256

KeysAWS KMS · per-tenant

Tenant isolationPer-tenant keys

§ 03 · AUDIT

A trail a post-close examiner can follow.

Every finding records four artifacts: the rule as published on review date, the evidence examined (with digests), the disposition signed by a named lender officer with employee ID, and the timestamp chain of events. You can reconstruct the review three years later without Flightline’s systems in the loop.

Rule provenanceSelling guide eff. date

Evidence chainPer-doc digest · 142 typical

Signing recordOfficer · title · ID · ts

ExportPDF + JSON

§ 04 · FAIR LENDING

Continuously evaluated for fair lending and compliance.

The checks driving each review are evaluated against real production traffic on a recurring cadence. We run disparate-impact and fair-lending evaluations, regulatory-rule coverage audits, and outcome-drift checks, and we tune allowances, thresholds, and sensitivity in response. You can see which checks changed, why they changed, and when they took effect. No silent updates.

Fair lending evalRecurring · disparate-impact

Reg coverage auditQuarterly

Drift monitoringContinuous · outcome-level

Change logPublished · versioned

The fine print.

Data handling

IngestionSFTP · Portal · Email · REST APIAll channels TLS 1.3. Inbound mail signed DKIM.

ResidencyUS-East (default) · US-West · optional EU-Central

Encryption at restAES-256 · envelope · KMS

Encryption in transitTLS 1.3 · HSTS · forward-secret

Key rotationQuarterly · per-tenantNo cross-tenant key material.

SubprocessorsAWS · GCP · VercelFull list at trust.flightlinehq.com/subs.

Access & audit

Employee accessShort-lived credentialsIAM federated. No standing read.

Production changesPeer-reviewed · audit-logged

Vulnerability disclosuresecurity@flightlinehq.comPGP on file. 90-day disclosure.

Last penetration test2026-04-11 · Aikido

Incident responseRTO 4 h · RPO 15 minTabletop exercise quarterly.

Diligence on us first.

SOC 2® Type 1 report, penetration test report, data-handling questionnaire, and architecture diagram available under NDA. Email us or start with ten files.

Request diligence pack→

Auditor-ready,by construction.