Security
Last updated · May 28, 2026
VisaPilot handles some of the most sensitive data a person owns — passports, identity documents, and travel records. Protecting that data is foundational to the product. This page outlines the safeguards we have in place.
This page describes our security approach for the current build. Specific certifications and controls should be verified before relying on them for compliance purposes.
01Encryption everywhere
All traffic is served over HTTPS, and documents are encrypted at rest. Sensitive identity data — passports, residencies, and uploaded files — is protected in storage so that it is unreadable without authorized access.
02Access control
Access to your data is governed by strict, role-based controls:
- You control your profile and documents; staff cannot browse your data freely.
- Consultants can only access a profile or document after you grant explicit consent for a specific case.
- Administrative access follows least-privilege principles and requires secure authentication.
03Audit logging
Access to documents and sensitive records is recorded in audit logs, so every view or change can be traced. This supports accountability and helps us detect and investigate unusual activity.
04You control your data
We practice data minimization — collecting only what is needed to provide the service. You can:
- Delete individual documents from your vault at any time.
- Revoke a consultant’s access to a shared case.
- Delete your account and associated data.
Document links are not exposed permanently or publicly; access is granted through short-lived, authenticated requests.
05Separated environments
Production data is kept separate from staging and development environments. Test and demo data never mixes with real traveler information.
06Responsible disclosure
If you believe you have found a security vulnerability, please report it privately to [email protected]. We appreciate responsible disclosure and will work with you to verify and address valid reports promptly.