Security & Compliance
GateReady is built with a security-first architecture. This page documents our current security posture, compliance roadmap, and data handling practices for government evaluation.
Security controls currently implemented and operational across the GateReady platform.
GateReady processes and stores unclassified data with CUI-ready controls.
All data processed by GateReady is publicly available airport security checkpoint wait time information. No classified, sensitive, or restricted government data is ingested, stored, or transmitted by the platform.
GateReady's security architecture is designed to support Controlled Unclassified Information (CUI) handling requirements. While current data is entirely unclassified, the platform's access controls, encryption, and audit logging are built to meet NIST 800-171 requirements for CUI protection.
- Airport security checkpoint wait times
- Terminal and checkpoint identifiers
- Lane type classifications (General, PreCheck, CLEAR)
- Historical wait time patterns
- Anomaly and threat pattern detections
- Aggregated status snapshots
All GateReady infrastructure is hosted within the United States. No data leaves US jurisdiction.
| Component | Provider | Region | Details |
|---|---|---|---|
| Application Layer | Vercel | US Regions | Serverless functions and edge network. All compute runs on US-based infrastructure. Automatic HTTPS with managed TLS certificates. |
| Database | Supabase (PostgreSQL) | US-East-1 (N. Virginia) | Managed PostgreSQL with automatic backups, point-in-time recovery, AES-256 encryption at rest, and connection pooling via PgBouncer. |
| Authentication | NextAuth v4 | US (Vercel) | Self-hosted authentication. Credentials stored in our database with bcrypt hashing. JWT sessions with configurable expiration. No third-party auth data storage. |
| Email Delivery | Resend | US | Transactional email for alerts, OTP verification, password resets, and onboarding sequences. No marketing data shared with provider. |
| DNS & CDN | Vercel Edge Network | US | DNS resolution and content delivery via Vercel's global edge network with US-based origin servers. |
Continuous monitoring, automated anomaly detection, and multi-layer failover ensure uninterrupted service.
Continuous health monitoring of all 50 airports every 5 minutes. Automated alerts when any airport data goes stale or adapters fail.
Machine-driven detection of data spikes, dropouts, flatlines, format changes, and coordinated checkpoint closures (DARK GATE detection).
Automatic isolation of failing data sources after 3 consecutive failures. Prevents bad data from propagating through the system.
3-way failover architecture for data ingestion (primary, secondary, tertiary). Ensures continuous operation even during infrastructure disruptions.
5-layer data quality safety net: hard reject at persistence, gate check at snapshot, consistency enforcer, accuracy audit, and freshness monitoring.
Real-time comparison of observations from multiple independent data sources per airport. Confidence ratings assigned based on source agreement.
GateReady's crisis detection and response system is designed for aviation security scenarios.
Automated crisis detection engine monitors for coordinated disruptions across airports. Named threat patterns (CASCADE, DARK GATE, SURGE FRONT) are identified within 15 minutes of onset.
When a crisis is detected, the system automatically assesses severity, identifies affected airports, and switches to crisis mode, querying ALL available data sources rather than using the first-wins cascade.
Crisis banners deployed automatically to relevant pages. Affected users receive alerts via email and push notifications. Intelligence briefings generated for enterprise customers.
Continuous monitoring validates when conditions return to normal. Crisis events are not resolved until verified through independent news sources. Full post-incident documentation maintained.
GateReady is committed to responsible data handling and user privacy.
GateReady does not sell, share, or distribute personally identifiable information to third parties. User data is used solely for delivering the checkpoint intelligence service.
GateReady complies with the California Consumer Privacy Act (CCPA). Users can request data export and deletion, and can opt out of data processing, through documented channels.
Checkpoint observation data is retained indefinitely for historical analysis and pattern detection. Status snapshots are pruned after 7 days. User account data is retained for the duration of the account and can be deleted on request.
GateReady collects only the data necessary to deliver its service: email address, optional screening type preference, watched airports, and saved trips. No biometric data, no location tracking, no device fingerprinting.
GateReady is working toward WCAG 2.1 AA compliance.
GateReady is actively working toward WCAG 2.1 Level AA compliance. Current implementations include semantic HTML structure, keyboard navigation support, alt text for informational images, and sufficient color contrast ratios. A formal accessibility audit is planned as part of our compliance roadmap.
We welcome security questionnaires, SSP requests, and CISO briefings. Contact our security team to begin your evaluation.