Security

Your data deserves bank-grade protection.

Flowstack is built on enterprise-grade infrastructure with encryption in transit and at rest, two-factor authentication (TOTP; listed as shipping soon in the checklist below), and SOC 2 compliant hosting. Your business data is encrypted wherever it is stored or transmitted.

AES-256 encryption at rest
TLS 1.2+ in transit
SOC 2 Type 2 infrastructure
ISO 27001 certified
AES-256 data encryption
TLS 1.2+ transport security
99.99% uptime SLA
Automatic DDoS protection
ACCOUNT SECURITY

Bank-grade login protection.

Every Flowstack account is secured with verified email authentication and optional TOTP two-factor authentication, the same standards used by financial institutions. Both are listed as shipping soon in the security checklist at the bottom of this page.

✉ EMAIL AUTHENTICATION

Verified email login

Every account is verified at signup. No fake emails, no ghost accounts. Google OAuth users are auto-verified for frictionless onboarding.

Email verification on signup: verification email via Resend; account locked until confirmed.
🔍 Google OAuth integration: sign in with Google; auto-verified, no password needed.
🔐 Session-based authentication: secure session tokens with automatic expiry; active session management in Settings.
Revoke sessions remotely: view all active sessions and revoke any device from Settings → Security.
🛡 TWO-FACTOR AUTHENTICATION

TOTP 2FA protection

Add a second layer of security with Google Authenticator or any TOTP app. Every login requires your password plus a 6-digit time-based code.

📱 Google Authenticator compatible: scan a QR code in Settings → Security; works with any TOTP app.
# 6-digit time-based codes: codes rotate every 30 seconds; required on every login after the password.
🔑 8 backup recovery codes: one-time-use codes for when you lose your device; stored hashed, not in plaintext.
Rate limiting on attempts: brute-force protection with exponential backoff on failed 2FA entries.
INFRASTRUCTURE SECURITY

Built on certified infrastructure.

Flowstack runs on Vercel's edge network with Neon PostgreSQL — both SOC 2 Type 2 certified, ISO 27001 audited, and regularly pen-tested by independent third parties.

Vercel Edge Network

Our application layer runs on Vercel — the same infrastructure trusted by OpenAI, PayPal, and The Washington Post. Automatic DDoS mitigation, Web Application Firewall, and edge-localised protection at every point of presence.

SOC 2 Type 2 · ISO 27001 · PCI DSS · HIPAA · GDPR

Neon PostgreSQL

All customer data is stored in Neon's serverless PostgreSQL — encrypted at rest with AES-256, encrypted in transit with TLS 1.2+, with AWS KMS key management and automatic key rotation.

SOC 2 Type 2 · ISO 27001 · ISO 27701 · HIPAA · GDPR
🔒

Encryption at rest and in transit

Every byte of data is encrypted: at rest with AES-256, in transit with TLS 1.2+. Sensitive secrets such as 2FA keys are encrypted with AES-256-CBC before storage (CBC is a confidentiality-only mode, so tamper detection for the stored ciphertext has to come from a separate MAC or from the surrounding access controls). API keys are hashed, never stored in plaintext.

AES-256 at rest · TLS 1.2+ in transit · HMAC signing
DATA HANDLING

Your data. Your control.

We follow the principle of least privilege across everything, from API scopes to internal access.

📧

Read-only Gmail access

Unlike competitors that request delete and send permissions, Flowstack only asks for the gmail.readonly scope (https://www.googleapis.com/auth/gmail.readonly). A token issued for that scope cannot modify, delete, or send email on your behalf, regardless of what our code does; the limit is enforced by Google, not by a promise.

🗑

Delete your data anytime

Full account deletion with type-to-confirm safety. When you delete, everything goes: contacts, emails, forms, submissions. No shadow copies.

🔐

API keys are hashed

Engine API keys are hashed with SHA-256 before storage and compared by hash on every request. Provided keys are generated as long random values rather than chosen by users, a plain SHA-256 hash cannot be reversed or brute-forced, so raw keys cannot be recovered from the database even in a breach scenario.

🔏

Webhook signatures

All webhook deliveries are HMAC-signed so your endpoint can verify that payloads genuinely originated from Flowstack and not from a third party. Verify the signature over the raw request body, before parsing it, and compare it in constant time.

👥

Role-based access

Workspace roles (Owner, Admin, Member) with granular permissions. Control who can invite members, manage billing, delete data, or access API keys.

🤖

reCAPTCHA v3 protection

Public forms are protected by invisible reCAPTCHA v3 — scoring-based bot detection with no friction for real users. Keeps spam and automated abuse out.
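The server-side half of reCAPTCHA v3 that a score-based scheme depends on, as an added example and not Flowstack's code: a v3 token only proves anything once the backend has called siteverify and checked the success flag, the action the token was minted for, the hostname, the challenge age and the score. The threshold, action name and hostname used below are assumptions; the response fields (`success`, `score`, `action`, `challenge_ts`, `hostname`, `error-codes`) and the siteverify endpoint are Google's documented ones.

```javascript
// Added example (not Flowstack code): server-side checks on a reCAPTCHA v3 siteverify
// response before a public form submission is accepted. Threshold, action name and
// hostname are assumptions; the response shape and endpoint are Google's documented ones.
async function fetchSiteverify(secretKey, token, remoteIp) {
  // Network call, not exercised by the fixtures below. Each token verifies once
  // and expires about two minutes after it is minted.
  const body = new URLSearchParams({ secret: secretKey, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetch("https://www.google.com/recaptcha/api/siteverify", { method: "POST", body });
  return res.json();
}

// Pure decision function so the policy can be unit-tested without the network.
function assessRecaptcha(result, { expectedAction, expectedHostname, minScore = 0.5,
                                    nowMs = Date.now(), maxAgeMs = 120000 }) {
  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || [];
    return { allow: false, reason: "token invalid, expired or already used: " + codes.join(",") };
  }
  // v3 tokens are minted for a named action; a token from the login page must not pass on the form.
  if (result.action !== expectedAction) return { allow: false, reason: "action mismatch" };
  // A site key can be used from another origin unless the domain list is strict; check anyway.
  if (expectedHostname && result.hostname !== expectedHostname) return { allow: false, reason: "hostname mismatch" };
  const ageMs = nowMs - Date.parse(result.challenge_ts);
  if (!(ageMs >= 0 && ageMs <= maxAgeMs)) return { allow: false, reason: "challenge too old or clock skew" };
  if (typeof result.score !== "number" || result.score < minScore) {
    return { allow: false, reason: `score ${result.score} below ${minScore}` };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample responses in the siteverify shape (not real Google output).
const FIXTURE_NOW_MS = Date.parse("2024-05-01T12:00:30Z");
const SAMPLE_HUMAN = { success: true, score: 0.9, action: "submit_form",
                       challenge_ts: "2024-05-01T12:00:00Z", hostname: "forms.example.com" };
const SAMPLE_BOT = { ...SAMPLE_HUMAN, score: 0.1 };
const SAMPLE_WRONG_ACTION = { ...SAMPLE_HUMAN, action: "login" };
const SAMPLE_REPLAY = { success: false, "error-codes": ["timeout-or-duplicate"] };
const POLICY = { expectedAction: "submit_form", expectedHostname: "forms.example.com",
                 minScore: 0.5, nowMs: FIXTURE_NOW_MS };
```

Treat a low score as a signal to route the submission to review or a stricter check rather than as proof of abuse; v3 never challenges the user, so the threshold is a tuning decision, and Google's own guidance is to start at 0.5 and adjust from the score distribution you observe.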

SECURITY CHECKLIST

What we've done. What's next.

AES-256 encryption at rest [LIVE]

All data encrypted on disk via Neon/AWS KMS

TLS 1.2+ encryption in transit [LIVE]

All connections secured via HTTPS/TLS

Google OAuth sign-in [LIVE]

Passwordless login via Google, auto-verified

Session management & remote revocation [LIVE]

View and revoke active sessions from Settings → Security

DDoS protection [LIVE]

Automatic mitigation via Vercel Edge Network

HMAC webhook signatures [LIVE]

Verify webhook authenticity on your endpoint

Role-based access control [LIVE]

Owner / Admin / Member permissions per workspace

reCAPTCHA v3 on public forms [LIVE]

Invisible bot protection on all published forms

Email verification on signup [SHIPPING SOON]

Verification email via Resend, account locked until confirmed

TOTP two-factor authentication [SHIPPING SOON]

Google Authenticator / TOTP app with backup codes

Security questions?

If you have specific security or compliance requirements, we're happy to discuss them.