Security & trust

Your schedule data never leaves
your machine. That's the design.

SSIM Toolkit is a local desktop app. Commercial schedule data — the kind that makes a CISO read the policy before the product page — is read and analysed on-device, and stays there. There is no cloud to send it to.

Local-first by design
No data leaves your device
Deterministic · reproducible
Code-signing · in progress
Data flow

Where the data goes.
And where it doesn't.

Your schedule files

Your schedule files stay where you put them — on your machine. They're opened, parsed, and analysed locally and never uploaded. We have no server that could read them, because there is no server in the path.

The pipeline

Parse → validate → analyse runs entirely on-device, with no network access. The result is deterministic: the same file always produces the same answer, and every output traces back to a field in the spec — no model computes your numbers.

your file (on your machine)
  ↓ parse · validate · analyse  — fully offline
typed, queryable schedule (stays on your machine)
When the network is used

The app may reach the network for two things only: verifying your licence and checking for updates. Neither carries any of your schedule content. You can run the product fully offline within your licence's grace period.

What we never see
  • · Your schedule file contents · ever.
  • · The parsed records, or any personal data inside them.
  • · Your saved queries, bookmarks, or in-app notes.
  • · Anything tying telemetry back to your data.
How it's built

Local-first, by construction.

Your data, on your machine

Schedule files are read, parsed, and analysed entirely on-device. Nothing about your schedules is uploaded, mirrored, or processed on our servers.

The pipeline makes no network calls

Parse → validate → analyse runs fully offline. You can pull the network cable and the product keeps working on the files you have.

Deterministic by construction

Same file in, same answer out. There is no model, no sampling, no guessing — every field is derived from the spec, and runs are reproducible.

Licensing & updates carry no schedule data

Activation and update checks may touch the network, but they send none of your file contents — only what's needed to verify a licence or fetch a release.

No schedule content in telemetry

Optional usage telemetry is anonymous and aggregate. It never contains file contents, parsed records, paths, or anything that identifies your data.

AI access is read-only & on-device

The optional MCP server that lets an AI assistant query your schedule runs locally over a private socket and is strictly read-only — it can explore, never modify — and exposes only schedule/domain information, never internal detail or host paths.

Code-signing

macOS notarization and Windows code-signing are being set up so the installer verifies cleanly on each platform.

Reporting a vulnerability

Email security@activeflights.com. We respond within 24 hours, run a 90-day disclosure window, and credit researchers who report responsibly. PGP key on the contact page.