Safe & Protected

In our final edition of the Safety Series, Part 3 delves into data protection and the protocols put in place at Avy. With a guest piece by Auterion, we explore why data is gathered during first response operations and how it’s protected in accordance with GDPR standards.

Avy Aera drone for emergency services

Data privacy

Our high safety standards for the Avy Aera also extend to the safe handling of data that is captured by the aircraft when airborne. Since drones are often seen as privacy invaders, we take data protection seriously at Avy and want to stay far away from invading privacy with our lifesaving drone. Legal limitations on data gathering are key to making sure that the public can trust commercial drones that fly overhead.

A drone has a bird’s-eye view, which gives the opportunity to see things from a different perspective. This helps with operations for firefighters, who can spot wildfires, perform search and rescue missions and create quick situational awareness during incidents. Companies can also use drones to map areas of interest and create valuable insights from the data they gather, for example for wildfire prevention.

In all of these cases, two elements are key to data protection maturity: purpose and process. It is key to have a purpose behind gathering data and a transparent process in place to demonstrate that only relevant data is gathered and that the safety, security and fundamental rights of people are always addressed at Avy.

Data gathered during first response missions

The Avy Aera has a camera module that can be equipped with a visual and thermal camera. This camera payload can zoom 40 times. Its imagery is both saved onboard in-flight and immediately sent to the cloud-based solution via LTE. It only records when the user sends it permission to record, so that an overhead drone can fly over without recording people who are not deemed relevant or for whom the end-user has not given permission.

Regulations that have already been established for data gathering through video recorders also apply to drones. Local regulations should be adhered to at all times while filming in public spaces. Often, capturing footage of public spaces is allowed, while filming specific people is not. Permission is needed when specific people or buildings are recorded. Avy only works with partners that follow such regulations and seeks to make sure that the local regulatory framework is developed well enough before drones are deployed for commercial purposes.

An example of such partners is the EU. Our ties with the EU were made stronger in July 2020, when we were granted the EIC Accelerator subsidy grant of €1.4 million to help us expand our experience and expertise in Europe. The EU Commission takes privacy extremely seriously and has identified priority areas where it could play a leading role in integrating commercial drones. With innovation as a core driver of the EU, it seeks to foster enabling technologies while guaranteeing security and protecting citizens’ fundamental rights through privacy and data protection (see EU General Data Protection Regulation - GDPR).

Avy Aera VTOL drone and docking station
Avy Aera for First Responders

How data is protected at Avy

With our mission of doing good, we seek partnerships with renowned players in the field to develop meaningful drone technology that will help save lives. Our partners have been working in the field of urgent medical transport and first response for several decades, saving the lives of many and earning the trust of local communities. We ensure that all our operations are for a good cause, especially those using a camera payload, such as firefighting missions. A big part of making sure that we’re doing good is having the right protocols in place that will guarantee privacy protection for our partners and communities. We interviewed David, our head software engineer, who shared a few examples of our data privacy protocols:

  • Only users that Avy gives access to can remotely connect to our aircraft
  • Only Avy employees are able to access flight logs
  • To protect our data we use a 256-bit VPN service
  • All our software updates are encrypted with the SHA-256 hash function
  • We use the cryptographic protocol SSH to access our backend
  • For our RC system we use 128/256-bit AES Encryption

All of these measures help us guarantee data protection and greatly lower the risk of interference or attacks from unauthorised users. This allows us to fly our aircraft freely in the knowledge that it is protected from any form of cyber attack.
David, head software engineer

We continuously strive to improve our technology and take our safety-by-design principle as a benchmark. Further enhancing the reliability of our data processes by incorporating privacy-by-design methods in future aircraft is among our key priorities and a main consideration for our clients in first response and medical delivery.

Powered by Auterion

We also spoke to our Swiss software partner Auterion, who shed light on the security measures and protocols on their software side. Through our integration, Auterion provides Avy with the backend service as well as the hardware that enables us to use such security systems. Some concrete examples include:

  • Encrypted communication: During vehicle pairing between the ground control station and the vehicle, an encrypted communication channel is automatically established. This ensures secure communication between the controller and the drone. With Auterion Mission Control (on the ground) and Auterion Enterprise PX4 (on the vehicle), this channel is established independently of the radio module in use (which is very convenient, because usually this has to be configured separately for each radio module in use).
  • Secure boot loader: The flight controller will only boot with signed firmware, to prevent users from installing their own firmware, which could introduce security risks during operations.
  • No-storage mode: Auterion Enterprise PX4 (the flight control stack) as well as Auterion Mission Control (the ground control software) can be configured to run in "no-storage mode". In this mode no log data will be stored on the local storage of the drone or the ground controller. This protects sensitive log data from being extracted from the drone or the ground controller.
  • Cloud security: The data in the Auterion Suite is protected with state-of-the-art cloud security measures, and customers can optionally use multi-factor authentication to protect cloud access.

Integration with client processes

The 21st century is the age of data. Filtered data can be used for client processes, and is an asset to any organisation. Insights can make crops grow faster, discover plastics at sea, save lives at sea, prevent wildfires, predict wildlife patterns and do good in so many more ways.

To make sure customers have full control over the data as an asset, authorisation levels can be implemented in an organisation to give the right information to the right people. In the EU, GDPR compliance can be achieved with our technology while saving our data on EU-based servers. Data is always communicated through encrypted channels and can be removed when it is deemed necessary.

In this way our partners can use our drone technology to gather data in a safe and compliant way. Public acceptance is everything and at Avy we want to address the societal concerns regarding drones. Drones for good also means data protection for good.
