Security

Your data security is our top priority

TLS / HTTPS
Provider-managed encryption at rest
Access control & session security

Assurance roadmap (procurement)

SOC 2 Type II: We are working toward an independent SOC 2 Type II examination. We do not claim SOC 2 certification, compliance, or an active report until we publish a third-party attestation or verification link. Enterprise and RFP contacts may request our current security overview and questionnaire responses at security@flowtivepro.com.

Data Encryption

We use industry-leading encryption to protect your data:

  • In Transit: All data is encrypted using TLS 1.3 with 256-bit encryption
  • At Rest: AES-256 encryption for all stored data
  • Database: Encrypted database connections with certificate verification

Infrastructure Security

  • Hosted on enterprise-grade cloud infrastructure
  • Multi-region data replication for disaster recovery
  • DDoS protection and WAF (Web Application Firewall)
  • Regular vulnerability scanning and penetration testing
  • 24/7 infrastructure monitoring and alerting

Access Control

  • Role-based access control (RBAC)
  • Single Sign-On (SSO) with SAML 2.0 and OAuth
  • Two-factor authentication (2FA)
  • SCIM provisioning for enterprise
  • Session management and automatic timeout

Compliance & assurance

We do not display ISO 27001, HIPAA, or other certifications without a public certificate ID, audit report, or verifier link. For DPAs, subprocessors, and security questionnaires, contact security@flowtivepro.com.

  • SOC 2 Type II: Same as the roadmap callout above—in progress, not attested on this page. We will update this site when we can link to evidence.
  • ISO 27001: We do not claim certification. Controls may be described against common frameworks in diligence materials on request.
  • GDPR: Described in our Privacy Policy. Cross-border safeguards (e.g. SCCs) are available for review for enterprise customers.
  • HIPAA: No HIPAA BAA or “HIPAA compliant” offering unless explicitly named in your contract.

Data Residency

Production data is processed using our cloud providers’ regions as configured for your deployment. Dedicated residency, BYOC, or region selection may be available for certain enterprise agreements—confirm in your order or contact sales.

  • Default hosting follows the regions offered by our infrastructure vendors (see Privacy Policy).
  • Custom or contractual residency options are not guaranteed for all plans.

Security Practices

  • Regular security training for all employees
  • Background checks for team members with data access
  • Incident response plan with 24-hour notification
  • Regular backup testing and disaster recovery drills

Audit Logs

Comprehensive audit logging for enterprise accounts:

  • User activity tracking
  • Data access logs
  • Administrative action history
  • Exportable logs for compliance
  • 1-year log retention

Report a Vulnerability

We welcome responsible disclosure of security vulnerabilities. Please report any security issues to:

Email: security@flowtivepro.com

We commit to acknowledging reports within 24 hours and providing updates on remediation progress.

We do not operate a paid bug bounty program. Researchers acting in good faith and following coordinated disclosure will not be pursued for accidental, non-destructive testing that respects user privacy.

Machine-readable contact: /.well-known/security.txt