Security
FlowStack is built with security at every layer. This page covers our security practices and the security features available to you.
Data Encryption
At Rest
- All data is encrypted at rest with AES-256
- Database storage uses encrypted volumes
- Connection credentials (OAuth tokens, API keys) are encrypted with a separate key
In Transit
- All communication uses TLS 1.3
- API endpoints enforce HTTPS — HTTP requests are rejected
- Internal service communication uses mutual TLS
Authentication Security
- Password requirements — Minimum 8 characters, must include uppercase, lowercase, and a number
- Account lockout — After 10 failed login attempts, the account is locked for 30 minutes
- Session management — Sessions expire after 24 hours of inactivity
- API key security — Keys are hashed before storage, so the full key is not retained and cannot be recovered from FlowStack once issued; only the last 4 characters are displayed
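The following Python is an added illustration of the key-handling pattern described above. It is example code, not FlowStack's implementation; the `fs` prefix, the key layout (`fs_<key_id>_<secret>`), the in-memory store and the class names are assumptions. It generates a high-entropy key, persists only its SHA-256 hash plus the last 4 characters, masks keys for display, and verifies a presented key with a constant-time comparison.

```python
"""Added example of API-key storage: hash-only persistence, last-4 display,
constant-time verification. Illustrative code, not FlowStack's own; the "fs"
prefix, key layout and class names are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

KEY_PREFIX = "fs"          # assumed prefix; makes a leaked key recognisable in logs/scans
SECRET_BYTES = 32          # 256 bits of entropy, so an unsalted fast hash suffices


@dataclass(frozen=True)
class StoredKey:
    key_id: str            # public identifier embedded in the key for O(1) lookup
    key_hash: bytes        # SHA-256 of the full key; the plaintext is never stored
    last4: str             # the only plaintext fragment kept, for display
    scope: str             # "read" or "write", for least-privilege keys


def hash_key(plaintext: str) -> bytes:
    # Keys are random and high-entropy, unlike passwords, so plain SHA-256
    # cannot be brute-forced; a slow password hash (bcrypt/argon2) is unnecessary here.
    return hashlib.sha256(plaintext.encode("utf-8")).digest()


def masked(last4: str) -> str:
    # What a UI or list endpoint shows instead of the key itself.
    return f"{KEY_PREFIX}_****{last4}"


class ApiKeyStore:
    """In-memory stand-in for a keys table (assumed structure)."""

    def __init__(self) -> None:
        self._keys: dict[str, StoredKey] = {}

    def create(self, scope: str = "read") -> str:
        key_id = secrets.token_hex(8)                  # hex only, so it contains no "_"
        secret = secrets.token_urlsafe(SECRET_BYTES)
        plaintext = f"{KEY_PREFIX}_{key_id}_{secret}"
        self._keys[key_id] = StoredKey(key_id, hash_key(plaintext), plaintext[-4:], scope)
        return plaintext   # the only moment the full key exists outside the caller

    def verify(self, presented: str) -> Optional[StoredKey]:
        parts = presented.split("_", 2)                # maxsplit=2: the secret may contain "_"
        if len(parts) != 3 or parts[0] != KEY_PREFIX:
            return None
        record = self._keys.get(parts[1])
        # Hash and compare even for unknown IDs so response timing does not
        # reveal whether a key_id exists.
        expected = record.key_hash if record else bytes(32)
        if not hmac.compare_digest(hash_key(presented), expected):
            return None
        return record

    def revoke(self, key_id: str) -> bool:
        return self._keys.pop(key_id, None) is not None

    def list_masked(self) -> list[str]:
        return [f"{masked(k.last4)} ({k.scope})" for k in self._keys.values()]


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.create("read")
    print("issued once:", key)
    print("stored view:", store.list_masked())
    tampered = key[:-1] + ("x" if key[-1] != "x" else "y")
    print("valid:", store.verify(key) is not None, "tampered:", store.verify(tampered) is not None)
```

Two design points worth noting: embedding a random `key_id` in the key lets the server find the candidate row without hashing every stored key, and the unknown-ID path still performs a hash and a `compare_digest` so an attacker cannot enumerate valid IDs by timing. Because only the hash is stored, a lost key has to be revoked and re-issued rather than recovered.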
Infrastructure
- Hosted on enterprise-grade cloud infrastructure
- Multi-region deployment with automatic failover
- DDoS protection at the network edge
- Web Application Firewall (WAF) for common attack vectors
- Regular penetration testing by third-party security firms
Compliance
| Standard | Status |
|---|---|
| SOC 2 Type II | Compliant |
| GDPR | Compliant |
| CCPA | Compliant |
| HIPAA | Available on Enterprise (with BAA) |
Security Features by Plan
| Feature | Free | Pro | Team | Enterprise |
|---|---|---|---|---|
| TLS 1.3 encryption | Yes | Yes | Yes | Yes |
| AES-256 at-rest encryption | Yes | Yes | Yes | Yes |
| SSO / SAML | No | No | No | Yes |
| Audit logs | No | No | 30 days | 1 year |
| IP allowlisting | No | No | No | Yes |
| Custom data retention | No | No | No | Yes |
| Dedicated infrastructure | No | No | No | Yes |
| HIPAA compliance (BAA) | No | No | No | Yes |
Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly:
- Email: security@onflowstack.com
- We acknowledge reports within 24 hours
- We aim to resolve critical vulnerabilities within 72 hours
- We do not pursue legal action against good-faith security researchers
Best Practices for Users
- Use strong, unique passwords for your FlowStack account
- Enable SSO (Enterprise) to leverage your organization's identity provider
- Use read-only API keys when write access isn't needed
- Rotate API keys every 90 days
- Review audit logs regularly for unexpected activity
- Use separate projects to isolate sensitive automations
- Don't hardcode credentials in Code nodes — use connections or environment variables instead