Security & Data Handling

Last updated: March 25, 2026

stationOS is built for fire and EMS departments, and we take the security of your operational data seriously. This page explains how we protect your data, where it lives, and how we approach compliance questions that fire & EMS customers commonly ask.

1. Infrastructure and Data Residency

All stationOS infrastructure runs on Amazon Web Services (AWS) in standard US regions. Your data is stored in the United States and never leaves US borders. Traffic is routed through Cloudflare for TLS termination, DDoS protection, and performance.

2. Encryption

• In transit: All connections to stationOS are encrypted via TLS, enforced at the Cloudflare edge. Unencrypted HTTP requests are automatically redirected to HTTPS.
• At rest: All data stored in our database (Amazon Aurora) is encrypted using AES-256 via AWS Key Management Service (KMS). This is enabled by default and applies to the underlying storage, automated backups, and snapshots.

3. Backups and Availability

Database backups are handled automatically by Amazon Aurora with continuous, incremental backups. Point-in-time recovery is available within the backup retention window. The application tier is stateless — no sensitive data is stored outside the database.

4. Access Controls

Access to stationOS is managed through our identity provider (Zitadel) with support for:

• Role-based access control (admin, officer, firefighter)
• Multi-organization support with per-org permissions
• Time-based one-time password (TOTP) for two-factor authentication
• Session management with secure, scoped cookies

Access to production infrastructure is restricted to authorized personnel and requires authentication.

5. Why Not AWS GovCloud?

AWS GovCloud is designed for workloads that involve classified data, export-controlled information, or data subject to ITAR/EAR regulations. stationOS does not process any of these data types.

stationOS handles operational and administrative data for fire and EMS departments — apparatus inspections, incident reports, patient care reports, and certification records. This data does not require GovCloud-level isolation, and standard AWS US regions provide the encryption, access controls, and compliance certifications appropriate for our use case.

This is a deliberate, informed decision — not an oversight.

6. CJIS Compliance

The Criminal Justice Information Services (CJIS) Security Policy applies to systems that access, store, or transmit Criminal Justice Information (CJI) — data like criminal history records, fingerprints, and law enforcement case files.

stationOS does not handle CJI. Our platform manages operational data: apparatus inspection checklists, NFIRS-style incident reports, and personnel certification tracking. None of this data falls under CJIS jurisdiction, so CJIS compliance requirements do not apply to stationOS.

7. HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) applies to systems that handle Protected Health Information (PHI) — individually identifiable health records, treatment histories, and similar medical data.

stationOS / charts is designed to be HIPAA-compliant for patient care reporting. All PHI is encrypted at rest and in transit, with audit logging and role-based access controls. While other stationOS modules (bay, reports, personnel) do not store or process PHI, the charts module maintains the safeguards required for handling patient data.

8. Incident Response

Fireline Colorado, LLC complies with Colorado’s data breach notification law (CRS 6-1-716). In the event of a security breach involving personal information, we will:

• Conduct a prompt, good-faith investigation to determine the scope and likelihood of misuse
• Take immediate steps to contain the breach and prevent further unauthorized access
• Notify affected Colorado residents within 30 days of determining that a breach occurred, as required by state law
• Notify the Colorado Attorney General if the breach affects 500 or more individuals
• Provide a clear description of what happened, what data was involved, and what steps we are taking to address it

9. Questions

If you have questions about our security practices or need additional detail for your department’s review process, contact us at hello@stationos.io.