Security and data protection

RUTA handles passport details, payment methods, and travel histories — data that has to be protected end to end. Here's how: sensitive personal data is encrypted at rest with AES-256-GCM, all transit is TLS-protected, and payments are tokenized through Stripe so card details never touch our servers.

Encryption at rest

Sensitive personal data — passport numbers, dates of birth, phone numbers, home addresses, Known Traveler Numbers, and loyalty numbers — is encrypted at rest using AES-256-GCM. Encryption keys are managed separately from the database that stores the encrypted data.

Encryption in transit

All traffic between your browser, the RUTA application, and our travel and payment partners runs over TLS. We don't accept unencrypted connections.

Payments handled by Stripe

Card details are submitted directly to Stripe and tokenized; RUTA receives only a token referencing the payment method. Full card numbers are never stored on RUTA infrastructure. Stripe is a PCI-DSS Level 1 service provider — the highest certification level.

Account access

Passwords are hashed with industry-standard algorithms; RUTA never stores raw passwords. Sessions are bound to your device and expire after a period of inactivity. You can sign out of all sessions from your account settings.

Reporting a security issue

If you believe you've found a security vulnerability in RUTA, please email jack@ruta-ai.com with the details. We take responsible disclosure seriously and will work with you on remediation and credit.