Transparency.
The aviation software market has a credibility problem. Marketing claims pilots can’t verify; data residency that’s vague on purpose; “AI-powered” wrappers that nobody can audit. We build for an audience that cross-checks. So here is what we can show you.
Open-source acknowledgment (AirWorthFPL is AGPLv3)
Airworth Flights (fpl.airworth.app) is published under the GNU Affero General Public License v3.0. The repository lives at:
github.com/Dvorf/AirWorthFPL (rel=external)
You can read the code. You can host it yourself. If you do host it and modify it, AGPLv3 requires you to publish the modifications under the same license, including for users who interact with the modified version over a network. We accept that constraint deliberately.
Airworth Hangar (portal.airworth.app) is closed-source today. We will publish components as we extract them; until then, the trust mechanism is the feature truth-table, the data-export commitment below, and our willingness to be specific about what does and does not work.
Data export commitment
Both products provide self-service data export.
In Airworth Hangar, the GDPR self-service export and delete flow ships today. Two-stage with 30-day recovery on the delete side. The export bundles JSON for structured data, an R2 zip for documents, and a PDF summary intended to be readable by a human auditor.
In Airworth Flights, trip data exports as PDF (cover page, images, notes) per trip. Document attachments stored in R2 are downloadable individually. A consolidated GDPR export is in our roadmap, not yet shipped.
If we shut down, get acquired, or change pricing in a way you don’t accept — your data leaves the building with you.
Where your data lives
| Surface | Hosting | Notes |
|---|---|---|
airworth.app (this marketing site) | Cloudflare EU edge | Static / SSR via Cloudflare Workers |
portal.airworth.app (Hangar) | Cloudflare EU (Workers + D1) | EU edge + EU D1 region; metadata routed globally per Cloudflare’s network |
fpl.airworth.app (Flights) | Cloudflare EU (Workers + D1 + R2) | Same constraint |
shop.airworth.app (Hangar shop portal) | Cloudflare EU edge | Magic-link external surface |
| Marketing email sending | Resend, EU region (eu-west-1) | Sender domain airworth.app (apex) |
| Aggregate analytics | Plausible Cloud, Frankfurt EU | Cookieless |
| Error monitoring | Sentry, US region | Subset of error events; not user content |
Sub-processors and data flow
We use the following sub-processors. Each is bound by a written DPA. Detailed legal-bases mapping lives in the Privacy policy.
- Cloudflare, Inc. — edge hosting, DNS, Turnstile bot protection, D1 storage, R2 object storage, Workers runtime. Transfer mechanism: EU–US Data Privacy Framework + 2021 SCCs.
- Resend (Resend, Inc.) — transactional and marketing email delivery, EU sending region. Transfer mechanism: EU–US DPF + 2021 SCCs.
- Sentry (Functional Software, Inc.) — application error monitoring, US region. Transfer mechanism: EU–US DPF + 2021 SCCs.
- Plausible Insights OÜ — cookieless aggregate analytics, EU. Intra-EEA, no extra-EEA transfer mechanism required.
We do not sell your personal data and we do not share it for cross-context behavioral advertising as those terms are defined under the California CCPA/CPRA.
Security disclosures
If you find a security vulnerability, email security@airworth.app with a description and proof-of-concept. We will acknowledge within 5 business days. We do not run a paid bug bounty today; we do credit responsible reporters in release notes if they want to be credited.
We use:
- Cloudflare Turnstile on public forms.
- API rate-limit on Hangar (per-token shop bucket; auth and endorsement endpoints rate-limited).
- Server-side schema validation (Zod / equivalent) on every write surface.
- Sentry for application observability across three projects (
airworth-frontend,airworth-api,airworth-front-shops). - Plain-text confirmation emails (no HTML banners with embedded scripts).
Past incidents and material change-log lives in the privacy policy version history; we will publish a public change-log when there is enough to publish.
Read the privacy policy for the full data-handling detail. Or view AirWorthFPL on GitHub (rel=external) if you’d like to verify the Flights code yourself.