Online Safety Act — Risk Assessments and Position
Last updated: June 25, 2026
This is an internal accountability record. It states vAMSYS's position under the Online Safety Act 2023 (OSA) and contains our illegal-content risk assessment, our children's access assessment, and our children's risk assessment, together with our governance and review arrangements. It supports — and does not change — our Terms of Service or any policy that forms part of them. Words defined in the Terms of Service — such as User, Pilot, Owner, VA Staff, Virtual Airline (VA), Services and Team vAMSYS — have the same meaning here. vAMSYS LTD (company number 09982167), 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, is the provider of the Services. Contact: help@vamsys.co.uk.
§1 Scope and approach
The Services let Users post content that other members can see within a Virtual Airline, so vAMSYS is an in-scope user-to-user service under the OSA. We do not rely on an out-of-scope argument.
We assess vAMSYS as a small, low-risk service:
Access-controlled. There is no openly browsable public content surface beyond a VA's login and registration page; content is shared within a closed membership.
Niche, aviation-focused content. User-generated content is limited and operational (flight reports and notes, VA names/branding, staff notes, profile fields, corporate-site feedback).
No high-risk functionalities. No live-streaming, no anonymous mass broadcast to strangers, no adult-content hosting, no virality/recommender features pushing content to non-members, and no encrypted messaging marketed to evade moderation.
Real identity, not anonymity. Users register with their real name (Terms of Service §3.1–§3.2), reducing the anonymity that drives much online harm and supporting traceability.
How we assess. Proportionate to a small, low-risk service, our assessments follow the shape of Ofcom's risk-assessment approach: we consider the OSA harm categories, the service's risk factors (user base, functionalities, content types, business model), the likelihood and impact of harm, and the controls already in place; and we keep dated records, reviewed at least annually and on any material change (§6). "Small" is not, by itself, our defence — the defence is the documented low risk.
§2 Illegal-content risk assessment
Risk factors. Closed-membership, access-controlled platform; real-name accounts; niche adult aviation hobby; small user base; subscription business model (no ad-driven amplification); no viral-distribution or anonymous-broadcast features.
Priority and other illegal content. We assessed the likelihood of each OSA priority-offence kind appearing and spreading on the Services. Across the categories — terrorism; child sexual exploitation and abuse (CSEA/CSAM); encouraging or assisting suicide or serious self-harm; hate offences; harassment, stalking, threats and abuse; controlling or coercive behaviour; drugs and psychoactive substances; firearms, knives and other weapons; unlawful immigration and human trafficking; sexual exploitation of adults; extreme pornography and intimate-image abuse; proceeds of crime; fraud and financial-services offences; and foreign interference — and for other (non-priority) illegal content, we assess the likelihood as low for a niche, access-controlled, real-name aviation platform with no amplification features. The most conceivable vectors are general ones (e.g. an abusive message, a fraudulent link, or infringing branding), not platform-specific risks.
Controls in place.
Prohibition. Acceptable Use Policy §2 bans illegal content and priority-offence content, and bans using the Services to plan, recruit for, coordinate or facilitate illegal activity; §3 keeps content clean and professional.
Reporting. Anyone can report illegal content or conduct to help@vamsys.co.uk (Terms of Service §7.2; Acceptable Use Policy §2 and §13); we acknowledge and assess valid reports promptly and prioritise illegal-content reports.
Takedown and counter-notice — Terms of Service §7.3.
Enforcement with human review — remove/disable content, suspend or terminate accounts, remove or suspend VAs (Terms of Service §8), with notice and a right to human review (§8.3).
Hosting role and its limits — Terms of Service §7.1. Real-name accounts and access control further reduce risk.
Conclusion. Residual illegal-content risk is low and acceptable given these controls. This assessment is a dated record, reviewed per §6.
§3 Children's access assessment
Consistent with our age-assurance assessment: flight simulation has a real under-18 following, and there is a clear pathway into the hobby from the simulator games (Microsoft Flight Simulator, X-Plane and similar on PC and console). We therefore conclude the Services are likely to be accessed by a non-insignificant number of children (anyone under 18), despite the 18+ rule, and we do not rely on a "not likely to be accessed" argument. The children's-safety duties are engaged.
§4 Children's risk assessment
Step 1 — likelihood of access. Children are likely to access the Services (§3).
Step 2 — risk of harm, by category.
Primary Priority Content (pornography; content encouraging or assisting suicide, self-harm, or eating disorders): assessed very low / not present. The Services host no such content, the Acceptable Use Policy §2–§3 prohibits it, and there is no functionality for hosting or sharing such material.
Priority Content (bullying and abuse; hate; content depicting or encouraging serious violence; harmful substances; dangerous challenges/stunts; abusive content): low. The Acceptable Use Policy §3 (content standards) and §4 (respect for others) prohibit harassment, bullying, hate, threats and graphic violence; the community is closed-membership and real-name; and we remove offending content and accounts.
Non-Designated Content (other content presenting a material risk of significant harm to an appreciable number of children): low. The content is niche, operational and aviation-focused, with nothing designed to appeal to or harm children.
Step 3 — measures (proportionate to low risk). The clean, professional content standard (Acceptable Use Policy §3); removal of any under-18 account on discovery; protective-by-design data practices (data minimisation, no profiling, no targeted advertising, no special-category data); the reporting route in §5; and the documented escalation ladder of further age measures in the age-assurance assessment §5. We do not operate highly effective age assurance and judge it disproportionate for a service of this size and risk at present (see the age-assurance assessment).
Step 4 — conclusion. Residual risk to children is low, and the measures above are proportionate. This assessment is a dated record, reviewed per §6, and read together with the age-assurance assessment (which holds the access analysis and the escalation ladder).
§5 Reporting, complaints and escalation
Report illegal content or other content/conduct concerns: help@vamsys.co.uk (Terms of Service §7.2; Acceptable Use Policy §2 and §13).
Report content that infringes your rights: Terms of Service §7.3.
Challenge an enforcement decision: ask for human review (Terms of Service §8.3).
Wider complaints and dispute routes: Terms of Service §12.
§6 Governance, responsible person and review
Person responsible for online safety and children's safety: the Director of vAMSYS LTD (vAMSYS is a small operation with a sole director, who holds this responsibility). This record names that role so accountability is clear.
Senior review: the Director reviews these assessments and the safety measures at least annually, and additionally on any material change to the Services (new features, content types or user base) or on a relevant change in the OSA regime or Ofcom guidance.
This record is maintained by the data-protection / safety lead and approved by the Director.
Sign-off
| Record | OSA position + illegal-content risk assessment + children's access and risk assessments |
| Position | In-scope user-to-user service; small and low-risk; illegal-content and children's-safety duties addressed by the controls above; residual risk low/acceptable |
| Responsible person | Director, vAMSYS LTD (online safety and children's safety) |
| Owner of this record | Data-protection / safety lead, vAMSYS LTD |
| Approved by | Director, vAMSYS LTD |
| Date | [DATE — set on publication] |
| Next review | At least annually, and on any material change to the Services or the OSA regime |