Last updated: June 16, 2026

Security

Flowtux ingests signals from the tools your team already uses, stores integration credentials, and can run remediation actions on enrolled devices. Because that is sensitive, security is designed into the platform across infrastructure, application controls, access governance, and operational process. This page describes the controls in place today. For how we handle personal data, see our Privacy Policy and Data Processing Agreement.

Infrastructure & Hosting

Production services run on Google Cloud Platform and Microsoft Azure, with data residing in the United States (Google Cloud) and India (Azure). We rely on provider-level physical, network, and platform security, with network segmentation, isolated environments, and continuous monitoring. Backups are automated and encrypted.

Encryption

  • Data in transit is encrypted using TLS 1.2 or higher.
  • Integration credentials and sensitive data at rest are encrypted using AES-256-GCM.
  • Third-party integration secrets are held in an encrypted credential store with restricted access.

Authentication & Access Control

  • Sign-in via email and password or Google OAuth, with signed session tokens.
  • Role-based access control across member, admin, and workspace-admin roles, enforced on the principle of least privilege.
  • Email verification for new accounts and automatic account lockout after repeated failed sign-in attempts.
  • Granular, per-team permissions governing what each member can read and change.

Enterprise SSO & Provisioning

  • SAML 2.0 single sign-on with Okta, Microsoft Entra ID, and Google Workspace.
  • SCIM 2.0 provisioning — users are created and deprovisioned automatically from your identity provider.
  • Enforce SSO per domain to require IdP login and disable password sign-in.
  • Just-in-time provisioning with role mapping on first login.

Application & Integration Security

  • Inbound webhooks are verified with HMAC signatures using timing-safe comparison and timestamp windows to prevent forgery and replay.
  • Integrations connect over OAuth 2.0 with scoped, least-privilege permissions and automatic token refresh.
  • External input is validated before processing, and database access uses parameterized queries.
  • Each organization's data is logically isolated and access-scoped to that organization.

Device Agent Security

The optional device agent can run remediation actions, but only from a fixed, allow-listed set of safe commands (for example flushing DNS or restarting a service) — it cannot execute arbitrary commands. Each action runs as a tracked job with an acknowledgement and timeout, and every executed command is logged for accountability. This default-deny design keeps automated remediation within a bounded, auditable scope.

Monitoring & Audit Logging

We run continuous error and performance monitoring with security alerting. Administrative and privacy-relevant operations — including data exports, erasures, consent changes, and access events — are written to an append-only audit trail to support accountability and investigation.

Data Privacy & Retention

  • We do not sell personal data and do not use customer data to train foundation models.
  • Account holders can export their data, manage consent, and request erasure from in-product privacy settings.
  • Erasure anonymizes identifiers in records kept as legitimate business records and permanently removes strictly personal data.
  • Configurable retention policies let administrators automatically purge data past a defined window.

Secure Development

Changes go through code review, dependency management, and staged deployment before reaching production. Secrets and credentials are kept out of source control and managed through environment configuration and the encrypted credential store.

Compliance

Our practices are aligned with the GDPR, the UK GDPR, and India's Digital Personal Data Protection Act, and a Data Processing Agreement with Standard Contractual Clauses is available to customers. A SOC 2 Type II audit is in progress; we do not claim certification until it is complete. For current documentation or a security questionnaire, contact our team.

Incident Response

We maintain documented incident-handling procedures covering detection, triage, containment, remediation, and customer communication. In the event of a personal data breach affecting customer data, we notify affected customers without undue delay and in any event within 72 hours of becoming aware.

Responsible Disclosure

If you discover a vulnerability, please report it to security@flowtux.com and allow us reasonable time to investigate and remediate before public disclosure. We do not pursue legal action against good-faith research conducted in line with this policy.