Security & Architecture

Secure by architecture, isolated by design.

FlightIQ is a single-tenant, AWS-hosted management platform for PingOne DaVinci environments. It helps teams compare, migrate, and manage configuration securely while relying on PingOne for authentication and authorization and staying outside the runtime authentication path.

System Overview

FlightIQ is a web-based management and migration tool for PingOne DaVinci environments. It enables teams to compare configurations across environments, migrate flows, connectors, forms, notifications, and variables, and apply updates with visibility into changes.

Security Posture

FlightIQ relies on PingOne's existing authentication and authorization model to orchestrate DaVinci configuration changes, without becoming part of the end-user authentication execution path.

High-Level Architecture

Frontend

React single-page application that communicates with the backend through API calls over HTTPS.

Backend

Node.js and Express handling PingOne API integration, orchestration, comparison, and migration logic.

Hosting

AWS EC2 single-tenant deployment per customer, with Nginx currently in front and ALB planned.

Request Flow

User Browser: the administrator accesses the FlightIQ web application.
    |
    | HTTPS
    v
FlightIQ Platform
    Frontend: React single-page application
    Backend API: Node.js / Express orchestration and migration services
    |
    | Secure API calls
    v
PingOne APIs: system-of-record APIs used for comparison, validation, and controlled changes.

Tenant Isolation Model

FlightIQ uses a single-tenant deployment model. Each customer runs on a dedicated EC2 instance with no shared runtime, storage, or credentials across customers.

Strong Isolation

Customer environments remain separated at the infrastructure and operational level.

Reduced Exposure

The architecture lowers the risk of cross-tenant data exposure or shared-runtime issues.

Clear Boundaries

Dedicated deployment simplifies both security review and operational ownership.

Authentication & Authorization

Authentication

Delegated to PingOne using OpenID Connect. FlightIQ does not implement a custom login system.

SSO & MFA

Supports existing enterprise sign-on, MFA, and identity policies through PingOne.

Authorization

Access is governed by PingOne roles and permissions and mirrors DaVinci boundaries.

No Privilege Elevation

Users can only access environments and actions already permitted by their native roles.

Secrets, Network Security & Recovery

Secrets Handling

Secrets stay server-side, are not exposed to the frontend, and are not intentionally logged.
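One way a Node.js backend can back the "not logged" claim is to scrub credential-bearing fields before any request context reaches a logger. The helper below is an added example, not FlightIQ's own code; the key-name pattern, the sample request context and the PingOne-style URL are constructed for illustration.

```javascript
// Added example (not FlightIQ's own code): a log-scrubbing helper the backend
// can apply before writing request/response context to logs, so PingOne client
// secrets and bearer tokens stay server-side and out of log storage.
// The key-name pattern and the sample data below are constructed assumptions.
const SENSITIVE_KEY = /(secret|token|password|authorization|cookie|api[-_]?key)/i;
const BEARER = /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/g;
const MASK = '[REDACTED]';

function redactSecrets(value) {
  if (typeof value === 'string') {
    // Mask bearer tokens embedded in free-form strings (e.g. a raw header dump).
    return value.replace(BEARER, 'Bearer ' + MASK);
  }
  if (Array.isArray(value)) return value.map(redactSecrets);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      // Mask the whole value for any key that looks like a credential;
      // recurse into everything else. The input object is never mutated.
      out[key] = SENSITIVE_KEY.test(key) ? MASK : redactSecrets(inner);
    }
    return out;
  }
  return value;
}

// Constructed sample of the context a backend might log around a PingOne API call.
const sampleContext = {
  method: 'POST',
  url: 'https://api.pingone.example/environments/ENV_ID/flows',
  headers: { Authorization: 'Bearer eyJabc.def.ghi', 'X-Request-Id': 'req-42' },
  body: { client_id: 'app-123', client_secret: 'hunter2', flowName: 'login' },
  note: 'retry with Bearer eyJzzz.yyy.xxx',
};

// Scrub, then hand the safe copy to the logger; returns the scrubbed copy.
function logSafe(context) {
  const safe = redactSecrets(context);
  console.log(JSON.stringify(safe));
  return safe;
}

logSafe(sampleContext);
```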

Network Security

All traffic uses HTTPS. TLS is currently terminated by Nginx, with ALB and ACM planned.

Backup & Recovery

Recovery centers on AWS EBS snapshots, source-controlled code, and reconnecting to PingOne-managed data.

Data Handling Model

FlightIQ is not designed to be a long-term system of record for PingOne DaVinci configuration. It retrieves operational data from PingOne APIs as needed and may cache that data temporarily to support comparison, migration, validation, and administrative workflows.

Source of Truth

PingOne remains the authoritative source for configuration data, not FlightIQ.

Temporary Caching

Retrieved data may be cached locally for performance and workflow efficiency during active use.

No Persistent Replica

FlightIQ does not depend on a full persistent replica of customer DaVinci configuration data.

FlightIQ can perform destructive actions such as deleting flows, but only through the same PingOne and DaVinci APIs and permission boundaries enforced by the native platform.

Runtime Risk Profile

FlightIQ is not inline with production authentication traffic. It does not process end-user authentication directly, intercept login flows, or sit in the critical runtime path for customer sign-in. If FlightIQ is unavailable, customer login flows remain unaffected.