← Back to home

Security

Last updated: 6 April 2026

PassagePlan Pro takes the security of your vessel and passage plan data seriously. This page describes the technical and organisational measures we employ to protect your information.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. This includes plan data, vessel particulars, authentication credentials, and API communications. We enforce HTTPS on all endpoints with no fallback to unencrypted connections.

Encryption at Rest

All data stored in our database is encrypted at rest. Our database is hosted by Supabase on infrastructure that provides AES-256 encryption for data at rest, including all passage plans, vessel data, and user information.

Authentication

User authentication is handled by Supabase Auth with:

  • Email and password authentication with secure password hashing (bcrypt)
  • Session-based authentication with secure, httpOnly cookies
  • Automatic session expiry and renewal

Row-Level Security

Our database enforces row-level security (RLS) policies on every table. Users can only read and write data belonging to their own company. This is enforced at the database level, not just the application level, providing defence in depth. A user from Company A cannot access plans, vessels, or crew data from Company B under any circumstances.

Role-Based Access Control

The platform implements role-based access:

  • Admin — full access to all company data, fleet management, crew management, settings, and billing
  • Crew — access to assigned vessel data and passage plans only

API Key Security

API keys for programmatic access are:

  • Generated with cryptographically secure random values
  • Stored server-side only — never exposed to the browser or included in client-side code
  • Scoped to a single company
  • Revocable at any time by admin users

Third-Party API Keys

All third-party API keys (Anthropic, weather services, tidal data providers) are stored as server-side environment variables. They are never sent to or accessible from the client browser.

Payment Security

Payment processing is handled entirely by Stripe. We do not store, process, or have access to your payment card details. Stripe is PCI DSS Level 1 certified.

Infrastructure

  • Application hosted on Vercel with automatic HTTPS, DDoS protection, and edge caching
  • Database hosted on Supabase with automated backups, point-in-time recovery, and connection pooling
  • No customer data is stored on local servers or developer machines

Security Updates

We maintain our dependencies and apply security patches regularly. Our deployment pipeline ensures updates are rolled out quickly when vulnerabilities are disclosed in upstream packages.

Responsible Disclosure

If you discover a security vulnerability in PassagePlan Pro, please report it responsibly to tyrone@passageplanpro.com. We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities promptly. We ask that you do not disclose the vulnerability publicly until we have had a reasonable opportunity to address it.