NorthSky AERO / Trust Center

Security, compliance, and architecture.

Information for procurement, information-security, and IT teams. If something you need isn't covered here, write to security@northsky.ai and we'll send the full questionnaire under NDA.

◆ DATA RESIDENCY

Where your data lives.

NorthSky AERO is hosted in Indian cloud regions. All passenger, surveyor, complaint, and operational data is processed and stored within India by default.

Primary region
India · Central + South (Microsoft Azure)
Backup region
India · paired region — disaster recovery only, never outside India
Cross-border transfer
None by default. Required transfers (e.g. ACI ASQ submissions) are explicit and consent-based.
Customer-managed keys
Available on the Enterprise plan.
Tenancy
Per-airport logical isolation. Separate access controls per station.
◆ AI GOVERNANCE

How we run AI, and what we won't do with it.

NorthSky AERO is an aviation AI platform. The controls below describe how we evaluate, deploy, and audit models — and where the limits are. This is the section procurement and information-security teams ask about first.

Inference region
India. All inference for Indian customers runs inside Indian cloud regions. No cross-border inference by default.
Training-data policy
No customer data is used to train shared models. Any customer-specific tuning remains inside that customer's tenancy. Base models are evaluated and updated by NorthSky on internal datasets only.
Human-in-the-loop
Sensitive categories — safety, security, accessibility, harassment — queued for human review before action. Definitions configurable per customer.
Evaluation cadence
Quarterly. Per-capability metrics against held-out aviation data. Promotion gated on metric thresholds.
Audit trail
Every AI decision — classification, routing, forecast — logged with confidence + actor + timestamp. Regulator-exportable.
Model versioning
Every promoted model versioned. Rollback supported with full state preservation. Per-version evaluation log retained.
Base model families
Multilingual NLU · speech-to-text · object detection · multi-object tracking · time-series forecasting · LLM-based summarisation. Specific model versions disclosed in the security questionnaire under NDA.
Bias-mitigation review
Per use case before promotion. Documented in the model card. Re-reviewed on retrain.
Standards alignment
ISO/IEC 42001 (AI management systems) framework — evaluating. Public position taken when implementation matches the standard.
What we won't do. We won't train shared models on your data. We won't promote a model without a quarterly evaluation. We won't take a sensitive-category decision (safety, security, accessibility, harassment) without a human in the loop. We won't display certification logos we haven't earned.
◆ PRIVACY

DPDP Act 2023, by design.

India's Digital Personal Data Protection Act, 2023 is the starting assumption — not an afterthought.

  • Lawful basis for every passenger data capture, recorded at the point of collection.
  • Consent management built into kiosks, QR flows, and the surveyor app — including withdrawal and rectification.
  • Data minimisation — we collect only what the survey or complaint requires.
  • Data principal rights — access, correction, erasure, grievance redressal as first-class workflows.
  • Named contacts — a designated Data Protection Officer and a published grievance redressal officer.
  • Audit trail — every access to personal data is logged and retained for the statutory period.
◆ SECURITY

How we protect the data.

A layered posture covering identity, network, data, application, and operational controls.

Encryption · transit
TLS 1.2+ for every public endpoint, certificate management automated.
Encryption · at rest
AES-256 across object stores, databases, and backups.
Authentication
SSO via OIDC / SAML, optional enforced MFA, IP allow-lists for admin surfaces.
Authorisation
Role-based access with airport-level scoping; least-privilege default.
Audit logging
Tamper-evident logs of administrative actions, configuration changes, and personal-data access.
Vulnerability management
Continuous scanning, third-party penetration test annually.
Backups
Daily snapshots, point-in-time recovery within 35 days, geo-redundant within India.
Incident response
Published runbook, customer notification SLA of 72 hours for confirmed personal-data breaches.
◆ STANDARDS

What we're aligned to, and what we're certifying.

We're transparent about the difference between "aligned with" (we build to the framework) and "certified to" (an external auditor has attested).

ICAO Doc 9184
Aligned — service-excellence framework informs feedback/survey instruments. Status: aligned
DGCA quarterly CSS
Format and cadence match — produced from AeroFeedback for AAI airports. Status: in use
ACI ASQ
Benchmark-ready — survey design feeds participating airports' submissions. Status: aligned
DPDP Act 2023 (India)
By design — controls described above. Status: in scope
ISO/IEC 27001
Information security management system. Status: in progress
SOC 2 Type I
Service-organisation controls. Status: in progress
GDPR readiness
For customers with EU passenger exposure. Status: on request
Honesty about certification. We do not display logos for certifications we have not earned. ISO 27001 and SOC 2 work is in flight with target completion in 2026. We're happy to share auditor name and progress under NDA.
◆ ARCHITECTURE

How the platform is structured.

A high-level view for IT teams evaluating fit. We share detailed diagrams under NDA — the goal here is enough context to ask the right follow-up questions.

◆ EDGE
Where passengers and surveyors touch the system. Web, mobile, kiosk, QR, and integrations into existing airport screens. Designed offline-first for surveyor field workflows.
◆ APPLICATION
Product modules — AeroFeedback, AeroSurvey, AeroResolve, AeroVision, ATOMS. Each module is independently licensed but shares the underlying tenant model.
◆ INTELLIGENCE
AI services — multilingual transcription, complaint classification, sentiment analysis, video analytics. Models are evaluated quarterly; human-in-the-loop review for sensitive categories.
◆ DATA
Per-tenant data stores for transactional records, time-series operational data, evidence (photos/audio/video), and the unified customer record. All inside India.
◆ INTEGRATION
Open APIs for inbound feeds (DCS, flight schedules, BHS, ground handling) and outbound exports (DGCA, BI dashboards, ERPs). Standards-based: REST, webhooks, SFTP for batch.
◆ PLATFORM
Identity, audit, observability, and tenant administration. One login, one billing line, one set of access controls — across every product the customer has turned on.
◆ INTEGRATIONS

How we plug into your systems.

Standards-based interfaces — no proprietary connectors required to get value.

  • Inbound — flight schedules (AODB), DCS check-in events, ground-handling rosters, BHS exceptions, CCTV streams (for AeroVision), public-address triggers.
  • Outbound — DGCA quarterly CSS exports, ACI ASQ-aligned reports, BI/data-warehouse syncs, ticketing/ITSM hooks, email/SMS/WhatsApp delivery for passenger flows.
  • Identity — SSO via SAML 2.0 or OIDC against your existing IdP (Azure AD, Okta, Keycloak).
  • Custom — REST APIs and webhooks for everything user-visible in the product. SDK on request.
◆ SUPPORT

What you can expect from us.

Service hours
24×7 monitoring; business-hour response for non-critical (Mon–Fri 09:00–19:00 IST).
Critical (P1)
15-minute acknowledgement, dedicated bridge for production outages.
High (P2)
2-hour acknowledgement, same-day target.
Uptime target
99.9% monthly for Standard. 99.95% with service credits on Enterprise.
Account team
Named Customer Success Manager on Premium and above; Technical Account Manager on Enterprise.
Status page
Public incident history at status.northsky.ai (in setup).
◆ NEXT STEP

Need the full questionnaire?

We respond to RFIs and information-security questionnaires under NDA. Most customers receive a complete response within five working days.

  • security@northsky.ai — for infosec, privacy, and architecture questions.
  • hello@northsky.ai — for general commercial and procurement enquiries.
  • Registered office — Sonido Labs Pvt Ltd, Hyderabad, India.

Talk to someone who's seen the questions before.

Most enterprise procurement starts with a security questionnaire and ends with a 30-minute call. We can do both this week.
