Security

Our Commitment to Security

Security is fundamental to FlowBridge. We implement industry-standard practices to protect your data, workflows, and API credentials. This page outlines our security measures and how to report vulnerabilities.

Infrastructure Security

Data Encryption

  • In Transit: All connections to FlowBridge are protected with TLS 1.3
  • At Rest: Sensitive data is encrypted with AES-256
  • API Credentials: Encrypted under keys kept separate from those used for other data
  • Database: PostgreSQL on encrypted volumes

Hosting and Compliance

  • All servers located in EU data centers
  • GDPR-compliant data handling by default
  • Regular security patches and updates
  • Isolated network environments
  • DDoS protection and rate limiting

Access Control

  • Multi-factor authentication (MFA) available
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Automatic session expiration
  • Audit logging of all access

Application Security

Secure Development

  • Code reviews for all changes
  • Static code analysis (PHPStan, ESLint)
  • Dependency vulnerability scanning
  • Security-focused testing procedures
  • Regular penetration testing

Runtime Protection

  • Input validation and sanitization
  • SQL injection prevention
  • XSS (Cross-Site Scripting) protection
  • CSRF (Cross-Site Request Forgery) tokens
  • Rate limiting and throttling

Data Protection

API Credential Management

Third-party API credentials you provide are handled with extreme care:

  • Encrypted immediately upon receipt
  • Never logged or displayed in plaintext
  • Accessed only when executing workflows
  • Separate encryption keys per customer
  • Automatic rotation capabilities

Workflow Data

  • Execution logs retained for 90 days
  • Sensitive data masked in logs
  • Optional end-to-end encryption for workflows
  • Data residency controls (EU-only storage)

Backups

  • Automated daily encrypted backups
  • 30-day backup retention
  • Backup integrity verification
  • Disaster recovery procedures tested quarterly

Monitoring and Response

24/7 Monitoring

  • Real-time security event monitoring
  • Automated alerting for anomalies
  • Intrusion detection systems
  • Performance and availability monitoring

Incident Response

  • Documented incident response procedures
  • Rapid response team on-call
  • Customer notification within 72 hours of a confirmed breach
  • Post-incident reviews and improvements

Compliance and Certifications

Current Compliance

  • GDPR (General Data Protection Regulation)
  • Data Protection Act 2018 (UK)
  • PCI DSS (card data is handled by our payment processor, not stored by FlowBridge)

Planned Certifications

  • SOC 2 Type II (Target: Q4 2026)
  • ISO 27001 (Target: 2027)

Vulnerability Reporting

We appreciate responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us immediately.

How to Report

Email: security@flowbridge.dev

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Suggested remediation (if known)

Our Commitment

  • Acknowledge receipt within 24 hours
  • Provide regular updates on remediation progress
  • Credit researchers in security advisories (if desired)
  • No legal action against good-faith security researchers

Responsible Disclosure Guidelines

  • Do not access or modify customer data
  • Do not perform destructive testing
  • Do not publicly disclose before we've addressed the issue
  • Give us reasonable time to fix (typically 90 days)

Security Best Practices for Users

  • Enable multi-factor authentication (MFA)
  • Use strong, unique passwords
  • Review API credentials regularly
  • Limit workflow permissions to minimum necessary
  • Monitor workflow execution logs
  • Report suspicious activity immediately

Security Updates

We will publish security advisories for vulnerabilities that may affect users. To subscribe to security notifications, email security@flowbridge.dev

Last updated: September 30, 2025
Questions? Contact security@flowbridge.dev