Security at Flowframe

OVERVIEW

Flowframe implements enterprise-grade security measures to protect your data. This page details our comprehensive security architecture, compliance certifications, and best practices.

Key Security Highlights:

• 🔒 Dual Architecture: Secure server-based DB queries + client-side file processing
• 🔐 End-to-End Encryption: TLS 1.3 in transit, AES-256 at rest
• 🇪🇺 EU Data Residency: Hosted in London, UK (GDPR-compliant)
• ✅ Zero Trust Architecture: Principle of least privilege enforced
• 📋 Compliance: GDPR-compliant
• 🗑️ Immediate Deletion: Uploaded files deleted instantly on request (no backups)

---

TABLE OF CONTENTS

1. Architecture Security
2. Encryption
3. Infrastructure and Hosting
4. Access Controls
5. Application Security
6. Network Security
7. Personnel Security
8. Data Backup and Recovery
9. Incident Response
10. Compliance and Certifications
11. Third-Party Security
12. Security Monitoring
13. Vulnerability Management
14. Security Best Practices for Customers
15. Security Roadmap
16. Reporting Security Issues

---

1. ARCHITECTURE SECURITY

1.1 Dual Processing Architecture

Flowframe uses two distinct architectures for maximum security and flexibility:

Architecture 1: Cloud Database Connections

For cloud databases (PostgreSQL, MySQL, SQL Server, etc.):

Your Database → Flowframe Servers → Secure Connection → Query Execution → Results to Browser
                ✅ Encrypted transit (TLS 1.3)
                ✅ Results transient (not stored)
                ⚠️ Results pass through our servers
                ✅ Enhanced security & firewall compatibility

Security Measures:

• Database credentials encrypted end-to-end
• Queries executed through secure proxy servers
• Results transmitted but NOT stored (transient only)
• Connection pooling with strict isolation
• IP whitelisting support for customer firewalls

Why Through Servers:

• ✅ Secure tunneling and connection management
• ✅ Firewall compatibility (easier to whitelist Flowframe IPs)
• ✅ Connection pooling for team collaboration
• ✅ Credential rotation and management

Architecture 2: File Uploads

For uploaded files (CSV, Parquet, JSON):

Your File → Client-Side Processing (DuckDB WASM) → Encrypted Storage (DigitalOcean Spaces)
           ✅ Processed in browser first
           ✅ AES-256 encryption at rest
           ⚠️ Flowframe has access (Data Processor)
           ✅ Immediate deletion on request

Security Measures:

• Files processed client-side with DuckDB WASM before upload
• Encrypted with AES-256 server-side encryption in DigitalOcean Spaces
• Stored in London, UK datacenter (GDPR-compliant)
• No backups created (primary storage only)
• Immediate deletion when user requests removal
• Access strictly limited to authorized personnel

1.2 What We Store vs. What Stays Local

Data Type	Storage Location	Encryption	Can Flowframe Access?	Duration
Query results (cloud DB)	Browser cache only	N/A (transient on servers)	⚠️ Transient access during transmission	Not stored
Query results (file uploads)	Browser cache only	N/A	❌ NO - client-side only	Session only
Uploaded file contents	DigitalOcean Spaces	AES-256 at rest	⚠️ YES - we are Data Processor	Until deletion
Database credentials	Browser + Servers	AES-256 + TLS 1.3	⚠️ YES - encrypted at rest	Until you remove connection
SQL query text	Our servers	AES-256 at rest	✅ YES - for version history	Until project deletion
Metadata descriptions	Our servers	AES-256 at rest	✅ YES - for AI and collaboration	Until project deletion
Account credentials	Our servers	Bcrypt hashed	✅ YES - but password hashed (we can't see plaintext)	Until account deletion
Collaboration state	Our servers	AES-256 at rest	✅ YES - for real-time editing	Until project deletion

Key Security Principles:

• Query Results: Not stored on servers (cloud DB queries pass through transiently)
• File Uploads: Encrypted at rest, access controlled and logged
• Database Credentials: Encrypted end-to-end, never logged
• Zero Backups: Uploaded files have no backup copies (immediate deletion)

1.3 DuckDB WASM Security (File Processing)

DuckDB WebAssembly (WASM) executes file queries in your browser:

• ✅ Sandboxed environment (browser security sandbox)
• ✅ No network access for query execution
• ✅ Cannot access your filesystem (except browser local storage)
• ✅ Memory isolation from other browser tabs
• ✅ Open-source (MIT License) - auditable by security researchers
• ✅ Processing happens before files are encrypted and uploaded

1.4 Benefits of Our Architecture

Security Benefits:

• 🔒 Defense in Depth: Multiple layers of encryption and access control
• 🛡️ Minimal Data Retention: Query results not stored, files deleted immediately on request
• 🚫 Breach Mitigation: Query results transient (not affected by server breach)
• 🔐 Encryption Everywhere: TLS 1.3 in transit, AES-256 at rest
• 📝 Access Logging: All access to uploaded files logged and monitored
• 🗑️ Right to Erasure: Immediate deletion (no backup recovery period)

Performance Benefits:

• ⚡ Faster File Analysis: Client-side DuckDB WASM for file queries
• 🌐 Persistent Storage: Files available across sessions (unlike pure client-side)
• 💰 Cost-Effective: Secure cloud storage with no backup overhead

Compliance Benefits:

• ✅ GDPR-Ready: Data Processing Agreement available, EU storage location
• ✅ Right to Deletion: Immediate file deletion (no recovery period)
• ✅ Data Portability: Export your files anytime
• ✅ Transparency: Clear documentation of what we store and access

---

2. ENCRYPTION

2.1 Data in Transit

All data transmitted between your browser and Flowframe servers is encrypted:

Protocol	Version	Cipher Suites	Certificate
TLS	1.3 (latest)	AES-256-GCM, ChaCha20-Poly1305	SHA-256 signed from trusted CA
HTTPS	Forced (HSTS enabled)	Perfect Forward Secrecy	2048-bit RSA / ECC
WebSocket	Secure (WSS)	TLS 1.3	Same as HTTPS

Features:

• ✅ Perfect Forward Secrecy: Past sessions protected even if keys compromised
• ✅ HSTS (HTTP Strict Transport Security): Prevents downgrade attacks
• ✅ Certificate Pinning: Mobile apps (planned) pin certificates for extra security
• ✅ No Downgrade: TLS 1.0, 1.1, 1.2 disabled (only TLS 1.3 allowed)

Testing: Qualys SSL Labs Grade: A+ (target)

2.2 Data at Rest

All data stored on our servers is encrypted:

Data Type	Encryption Algorithm	Key Management	Key Rotation
Database (PostgreSQL)	AES-256-CBC	PostgreSQL pgcrypto	Annually
Backups	AES-256-GCM	Separate encryption keys	Annually
File Storage	AES-256	DigitalOcean Block Storage Encryption	Managed by DO
Logs	AES-256	Application-level encryption	Quarterly

Key Management:

• 🔑 Encryption keys stored separately from encrypted data
• 🔑 Key rotation: Annual rotation for database encryption keys
• 🔑 Access controls: Only authorized personnel can access keys
• 🔑 Audit logging: All key access logged

2.3 Password Security

Your password is NEVER stored in plaintext:

Step	Method	Security Level
Hashing Algorithm	Bcrypt	Industry standard
Salt	Randomly generated per password	Unique per user
Rounds	12 (cost factor)	~300ms to hash (slows brute force)
Storage	Hashed password only	We cannot see your plaintext password

What this means:

• ✅ If our database is compromised, attackers get hashed passwords only
• ✅ Bcrypt is designed to be slow - makes brute force attacks impractical
• ✅ Salt prevents rainbow table attacks - each password hashed differently
• ✅ We cannot recover your password - only reset it

Password Requirements:

• Minimum 8 characters (12+ strongly recommended)
• Complexity: Mix of uppercase, lowercase, numbers recommended
• No maximum length (up to 72 characters due to bcrypt limit)
• No password expiration (industry best practice - forced rotation leads to weaker passwords)

2.4 Database Credential Encryption

Database credentials are encrypted end-to-end:

Storage Location	Encryption Method	Protection	Accessibility
In Transit (Browser to Servers)	TLS 1.3 (AES-256-GCM)	Perfect Forward Secrecy	Encrypted during transmission
At Rest (Flowframe Servers)	AES-256	Encrypted in database	Flowframe (encrypted, access logged)

Protection:

• 🔐 End-to-End Encryption - encrypted in transit via TLS 1.3
• 🔐 Encrypted at Rest - stored encrypted on Flowframe servers with AES-256
• 🔐 Access Logged - all credential access monitored and logged
• 🔐 Secure Transmission - never sent unencrypted

Recommendations:

• ✅ Use read-only database credentials when possible
• ✅ Enable database firewall / IP whitelisting
• ✅ Rotate credentials every 90 days
• ✅ Don't reuse database passwords

---

3. INFRASTRUCTURE AND HOSTING

3.1 Hosting Provider

Primary Host: DigitalOcean Data Center: LON1 (London, United Kingdom) Reason: EU data residency for GDPR compliance, low latency for European customers

Resource	Configuration	Security Features
Compute	Managed Kubernetes (DOKS)	Auto-patching, isolated nodes
Database	Managed PostgreSQL	Automated backups, encryption, VPC isolation
Storage	Block Storage Volumes	AES-256 encryption, redundancy
Networking	Virtual Private Cloud (VPC)	Isolated network, firewall rules

3.2 Infrastructure Security

Network Isolation:

• ✅ VPC (Virtual Private Cloud): Database servers in private network with NO public internet access
• ✅ Jump hosts required for admin access (not direct SSH to production)
• ✅ Bastion host with MFA for privileged access
• ✅ Private DNS for internal service discovery

Compute Security:

• ✅ Container security: Docker images scanned for vulnerabilities
• ✅ Minimal base images: Alpine Linux (smaller attack surface)
• ✅ Immutable infrastructure: Containers replaced, not patched (prevents configuration drift)
• ✅ Resource limits: CPU/memory limits prevent resource exhaustion attacks

Database Security:

• ✅ No public IP: Database accessible only from app servers in VPC
• ✅ Firewall rules: Only specific ports open
• ✅ SSL/TLS required: Client connections must use TLS

3.3 Physical Security (Data Center)

DigitalOcean LON1 Data Center features:

• 🏢 24/7 Security Guards: On-site personnel
• 📷 Surveillance Cameras: CCTV monitoring all access points
• 🔑 Biometric Access Control: Fingerprint/retina scanners
• 🚪 Mantrap Entrances: Dual-door access (one door must close before other opens)
• 🔥 Fire Suppression: Advanced fire detection and suppression systems
• ⚡ Uninterruptible Power Supply (UPS): Backup generators for power outages
• ❄️ Climate Control: HVAC systems maintain optimal temperature

Compliance: DigitalOcean data centers are ISO 27001, SOC 2 Type II certified.

3.4 Geographic Redundancy (Planned)

Current (Beta):

• Single region: London, UK (LON1)

Planned (Post-GA):

• Secondary region: New York (NYC3)
• Cross-region replication: Real-time database replication
• Automatic failover: If primary region fails, automatic switch to secondary
• Enterprise customers: Choose primary region (US, EU, APAC)

---

4. ACCESS CONTROLS

4.1 User Authentication

Login Security:

• ✅ Email + Password: Industry-standard authentication
• ✅ Account Lockout: After 5 failed login attempts (30-minute lockout)
• ✅ Session Timeout: Automatic logout after 24 hours of inactivity
• ✅ Secure Session Cookies: HTTP-only, SameSite=Lax, Secure flag
• ✅ Two-Factor Authentication (2FA): TOTP-based MFA (planned Q2 2026)

Planned Enhancements (Q2 2026+):

• 🚧 SSO / SAML: Single Sign-On for Enterprise customers
• 🚧 OAuth 2.0: Social login (Google, Microsoft)
• 🚧 Passkeys / WebAuthn: Passwordless authentication
• 🚧 Hardware Security Keys: FIDO2 / YubiKey support

4.2 Role-Based Access Control (RBAC)

Workspace Roles:

Role	Permissions	Use Case
Owner	Full control (manage billing, delete workspace, all admin functions)	Workspace creator, billing admin
Admin	Manage users, projects, settings (cannot delete workspace or change billing)	Team manager
Developer	Create/edit projects, run queries, collaborate	Data analysts, engineers
Explorer	View projects, run read-only queries, cannot edit	Stakeholders, product managers
Viewer	View projects only, cannot run queries or edit	Executives, external stakeholders

Permission Matrix:

Action	Owner	Admin	Developer	Explorer	Viewer
Create projects	✅	✅	✅	❌	❌
Edit projects	✅	✅	✅	❌	❌
Delete projects	✅	✅	✅	❌	❌
Run queries	✅	✅	✅	✅ (read-only)	❌
View projects	✅	✅	✅	✅	✅
Add team members	✅	✅	❌	❌	❌
Manage billing	✅	❌	❌	❌	❌
Delete workspace	✅	❌	❌	❌	❌

4.3 Administrative Access (Flowframe Personnel)

Principle of Least Privilege:

• 🔒 Only 2 senior engineers have production access
• 🔒 No customer support access to production systems
• 🔒 Temporary elevated access for debugging (time-limited, logged)
• 🔒 MFA required for all access
• 🔒 Audit logging of all admin actions

Access Tiers:

Tier	Access Level	Who	MFA Required	Audit Logging
Level 1 - Support	Read-only account info (email, name, billing status)	Customer support	✅ Yes	✅ Yes
Level 2 - Engineering	Anonymized logs, debugging data (no PII)	Engineers	✅ Yes	✅ Yes
Level 3 - Admin	Full production access (emergency only)	CTO, Lead Engineer	✅ Yes	✅ Yes

Limited Access to Your Data:

• ❌ Flowframe personnel cannot access your business data (query results are transient, not stored)
• ❌ Even with admin access, we only see SQL query text, not query results
• ⚠️ Database credentials are encrypted at rest - access restricted to authorized personnel only and fully logged

4.4 API Security

API Authentication:

• 🔑 API Keys: Long, randomly generated keys (256-bit entropy)
• 🔑 Key Rotation: Customers can rotate keys anytime
• 🔑 Scoped Permissions: Keys can be scoped to specific workspaces/projects
• 🔑 Rate Limiting: 100 req/min (Free), 1,000 req/min (Pro), custom (Enterprise)

API Security Features:

• ✅ HTTPS Only: All API requests require TLS
• ✅ CORS Policies: Strict Cross-Origin Resource Sharing rules
• ✅ Request Signing: HMAC request signatures (Enterprise API)
• ✅ IP Whitelisting: Enterprise customers can whitelist IPs
• ✅ OAuth 2.0: Planned for third-party integrations (Q2 2026)

---

5. APPLICATION SECURITY

5.1 Secure Development Lifecycle

Development Practices:

• ✅ Code Reviews: All code reviewed before merging (2-person approval)
• ✅ Security Training: Annual secure coding training for all engineers
• ✅ Dependency Scanning: Automated scanning for vulnerable dependencies (GitHub Dependabot)
• ✅ Static Analysis: Automated code security scanning (ESLint security rules, Semgrep)
• ✅ Secret Scanning: Pre-commit hooks prevent accidental commit of secrets
• ✅ CI/CD Security: Secure build pipelines with signed artifacts

Deployment:

• ✅ Staging Environment: All changes tested in staging before production
• ✅ Blue-Green Deployment: Zero-downtime deployments
• ✅ Rollback Capability: Can revert to previous version within minutes
• ✅ Canary Deployments: Gradual rollout to subset of users first

5.2 OWASP Top 10 Protection

Flowframe implements protections against OWASP Top 10 vulnerabilities:

Vulnerability	Protection
1. Broken Access Control	RBAC, server-side permission checks, deny-by-default
2. Cryptographic Failures	TLS 1.3, AES-256, bcrypt, no sensitive data in logs
3. Injection	Parameterized queries, input validation, prepared statements
4. Insecure Design	Threat modeling, security architecture reviews
5. Security Misconfiguration	Infrastructure-as-code, automated security configs
6. Vulnerable Components	Dependency scanning, automated updates, SCA tools
7. Authentication Failures	Bcrypt, MFA (planned), session management, account lockout
8. Software/Data Integrity	Code signing, SRI for CDN assets, immutable infrastructure
9. Logging/Monitoring Failures	Centralized logging, real-time alerts, SIEM (planned)
10. SSRF	Whitelist allowed domains, network isolation, input validation

5.3 Input Validation and Sanitization

All user input is validated:

• ✅ Server-Side Validation: Never trust client-side validation alone
• ✅ Whitelist Approach: Allow known-good input, reject everything else
• ✅ Length Limits: All text fields have maximum lengths
• ✅ Type Checking: Strict type validation (TypeScript on frontend, backend)
• ✅ SQL Injection Prevention: Parameterized queries, prepared statements
• ✅ XSS Prevention: Output encoding, Content Security Policy (CSP)
• ✅ CSRF Protection: Anti-CSRF tokens on all state-changing requests

Content Security Policy (CSP):

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'wasm-unsafe-eval';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  connect-src 'self' https://api.flowframe.io;
  frame-ancestors 'none';
  base-uri 'self';
  form-action 'self';

XSS Protection:

• ✅ React Auto-Escaping: React escapes output by default
• ✅ DOMPurify: Sanitize HTML before rendering (if rendering user HTML)
• ✅ CSP: Blocks inline scripts, restricts script sources

---

6. NETWORK SECURITY

6.1 Firewalls

Cloud Firewall (DigitalOcean):

• ✅ Inbound Rules: Only required ports are open
• ✅ Outbound Rules: Allow only necessary outbound connections
• ✅ Default Deny: All traffic denied by default, explicitly allow only necessary
• ✅ Geo-Blocking: Block traffic from high-risk countries (optional for Enterprise)

Web Application Firewall (WAF):

• ✅ OWASP ModSecurity Rules: Core rule set for common attacks
• ✅ Rate Limiting: Limit requests per IP (prevents brute force, DDoS)
• ✅ IP Reputation: Block known malicious IPs
• ✅ Bot Detection: Identify and block malicious bots

6.2 DDoS Protection

Protection Layers:

• 🛡️ Layer 3/4 DDoS: DigitalOcean Cloud Firewall (automatic mitigation)
• 🛡️ Layer 7 DDoS: Application-level rate limiting, CAPTCHA challenges
• 🛡️ CDN: Cloudflare (planned) for edge caching and DDoS mitigation

Mitigation Strategies:

• ✅ Rate Limiting: Per-IP, per-user, per-API key
• ✅ Auto-Scaling: Kubernetes auto-scaling for traffic spikes
• ✅ Traffic Analysis: Real-time monitoring for anomalous traffic patterns

6.3 Network Segmentation

VPC Segmentation:

┌─────────────────────────────────────────────────────────┐
│ Internet                                                 │
└────────────────┬────────────────────────────────────────┘
                 │
         ┌───────▼───────┐
         │ Load Balancer │ (Public IP)
         └───────┬───────┘
                 │
    ┌────────────▼────────────┐
    │ Application Tier (VPC)  │ (Private IPs)
    │ - Web Servers           │
    │ - API Servers           │
    └────────────┬────────────┘
                 │
      ┌──────────▼──────────┐
      │ Database Tier (VPC) │ (Private IPs, No Internet)
      │ - PostgreSQL        │
      │ - Redis Cache       │
      └─────────────────────┘

Benefits:

• 🔒 Database Isolation: No public internet access to database
• 🔒 Lateral Movement Prevention: If app server compromised, limited access to database
• 🔒 Blast Radius Reduction: Compromise contained to one tier

---

7. PERSONNEL SECURITY

7.1 Background Checks

For all employees with access to production systems or customer data:

• ✅ Employment Verification: Confirm previous employment
• ✅ Criminal Background Check: Check for criminal history
• ✅ Reference Checks: Contact provided references

Timing: Before granting production access

7.2 Confidentiality Agreements

All personnel sign:

• ✅ Employment Agreements: Include data protection and confidentiality clauses
• ✅ Non-Disclosure Agreements (NDAs): For contractors and vendors
• ✅ GDPR Confidentiality Commitments: Specific GDPR obligations

Obligations Survive: Confidentiality obligations continue after employment ends

7.3 Security Training

Mandatory Training:

• 📚 Onboarding Security Training: All new employees (within first week)
• 📚 Annual GDPR Training: All personnel with data access (yearly refresh)
• 📚 Annual Security Awareness: Phishing, social engineering, password security
• 📚 Incident Response Training: How to report and respond to security incidents

Phishing Simulations:

• 🎣 Quarterly Simulations: Test employee awareness
• 🎣 Targeted Training: Employees who click receive additional training

7.4 Access Termination

When employee leaves or role changes:

• ⏱️ Immediate Access Revocation: Within 1 hour of termination/role change
• ⏱️ Device Return: Company devices returned or remotely wiped
• ⏱️ Password Changes: Shared passwords rotated
• ⏱️ Exit Interview: Review confidentiality obligations

---

8. DATA BACKUP AND RECOVERY

8.1 Backup Strategy

Automated Backups:

Type	Frequency	Retention	Encryption	Location
Incremental	Daily (2 AM UTC)	30 days	AES-256	Same region (London)
Full Backup	Weekly (Sunday)	30 days	AES-256	Same region (London)
Database Snapshots	Before every deployment	7 days	AES-256	Same region

What's Backed Up:

• ✅ Database (PostgreSQL) - Account data, metadata, collaboration state
• ✅ User-uploaded configurations
• ✅ Application configurations

What's NOT Backed Up:

• ❌ Your actual business data (stays in your database)
• ❌ Uploaded files (deleted immediately, no backups created)
• ❌ Query results (transient only, not stored)

8.2 Disaster Recovery

Recovery Objectives:

• RPO (Recovery Point Objective): Maximum 24 hours of data loss
• RTO (Recovery Time Objective): Service restoration within 4 hours

Disaster Scenarios:

Scenario	Recovery Plan	RTO
Single server failure	Kubernetes auto-replaces	< 5 minutes
Database corruption	Restore from latest backup	< 1 hour
Data center failure	Manual failover to secondary region (planned)	< 4 hours
Complete compromise	Restore from immutable backups	< 4 hours

Backup Testing:

• ✅ Quarterly Restore Tests: Verify backups can be restored successfully
• ✅ Annual DR Drills: Full disaster recovery simulation

8.3 Backup Security

Protection:

• 🔒 Immutable Backups: Write-once-read-many (WORM) storage prevents ransomware
• 🔒 Separate Credentials: Backup access uses different credentials than production
• 🔒 MFA Required: Multi-factor authentication for backup access
• 🔒 Audit Logging: All backup access logged

8.4 Customer Responsibility

You are responsible for:

• ✅ Backing up your own database (we don't have access to it)
• ✅ Exporting important projects regularly
• ✅ Maintaining long-term archives (we only keep 30 days)

How to Backup:

• Account Settings → Export Data (JSON format)
• Download all projects before account deletion
• Use API (Enterprise) for automated backups

---

9. INCIDENT RESPONSE

9.1 Incident Response Plan

Detection → Containment → Investigation → Remediation → Recovery → Lessons Learned

9.2 Breach Notification

If a personal data breach occurs:

Timeline	Action
Within 1 hour	Detect and confirm breach
Within 4 hours	Contain breach, prevent further unauthorized access
Within 24 hours	Assess scope and impact
Within 72 hours	Notify affected customers (GDPR requirement)
Within 7 days	Provide detailed incident report

What We'll Tell You:

• ✅ Nature of the breach (what data was affected)
• ✅ Likely consequences
• ✅ Measures taken to address the breach
• ✅ Measures you can take to protect yourself
• ✅ Contact point for further information

9.3 Incident Classification

Severity	Criteria	Response Time	Escalation
Critical (P1)	Active breach, data exfiltration	< 15 minutes	CEO, CTO, all hands
High (P2)	Potential breach, security vulnerability exploited	< 1 hour	CTO, Lead Engineer
Medium (P3)	Security event, no data exposure	< 4 hours	Engineering Lead
Low (P4)	Minor security issue, no immediate risk	< 24 hours	Assigned engineer

9.4 Communication

During incident:

• ✅ Status Page: Real-time updates at status.flowframe.io (planned)
• ✅ Email Notifications: Affected customers notified
• ✅ Transparency: Honest communication about what happened

Post-Incident:

• ✅ Incident Report: Detailed post-mortem within 7 days
• ✅ Lessons Learned: What we learned and how we'll prevent recurrence
• ✅ Remediation Plan: Steps taken to fix root cause

---

10. COMPLIANCE AND CERTIFICATIONS

10.1 Current Compliance Status

Framework	Status	Details
GDPR	✅ Compliant	Data Processing Agreement available, EU hosting, SCCs in place
CCPA	✅ Compliant	California Consumer Privacy Act obligations met
UK GDPR	✅ Compliant	UK data protection law compliance
ePrivacy Directive	✅ Compliant	Cookie consent, email marketing compliance
ISO 27001	🚧 Under evaluation	Information Security Management System
PCI DSS	✅ Via Stripe	We don't handle card data directly (Stripe is PCI DSS Level 1)

10.2 Data Protection Impact Assessment (DPIA)

Customers may require DPIA if:

• Processing likely to result in high risk to data subjects
• Large-scale processing of special categories of data
• Systematic monitoring of publicly accessible areas

Flowframe's Support:

• ✅ Provide technical documentation for customer DPIA
• ✅ Describe processing operations and purposes
• ✅ Assess necessity and proportionality
• ✅ Describe security measures

Request DPIA Support: support@flowframe.io

10.3 Sub-Processor Due Diligence

All sub-processors assessed for:

• ✅ Security certifications (SOC 2, ISO 27001, etc.)
• ✅ Data protection compliance (GDPR, CCPA)
• ✅ Incident response capabilities
• ✅ Encryption and access controls
• ✅ Financial stability and reputation

Sub-Processors:

• DigitalOcean: SOC 2 Type II, ISO 27001
• Stripe: PCI DSS Level 1, SOC 2, ISO 27001
• Google (Gemini, planned): SOC 2, ISO 27001, Zero Data Retention

---

11. THIRD-PARTY SECURITY

11.1 Sub-Processor Security Standards

All sub-processors must:

• ✅ Sign Data Processing Agreements (DPAs)
• ✅ Implement appropriate technical and organizational measures
• ✅ Provide data breach notification procedures
• ✅ Maintain security certifications (SOC 2, ISO 27001)
• ✅ Comply with GDPR and applicable data protection laws
• ✅ Submit to regular security audits

11.2 Vendor Risk Management

Vendor Assessment Process:

1. Initial Assessment: Security questionnaire (SIG, CAIQ)
2. Due Diligence: Review certifications, policies, incident history
3. Contract Negotiation: Data Processing Agreement, SLAs, security requirements
4. Ongoing Monitoring: Quarterly review, annual re-assessment
5. Incident Tracking: Monitor for security incidents at vendor

Vendor Offboarding:

• ✅ Data deletion confirmation
• ✅ Access revocation
• ✅ Certificate of destruction (if applicable)

11.3 Integration Security

For third-party integrations (databases, APIs):

• ✅ Customer Controls: You manage your own database credentials
• ✅ Read-Only Recommended: Use read-only credentials when possible
• ✅ Encrypted in Transit: Credentials encrypted via TLS 1.3 during transmission
• ✅ Encrypted at Rest: Credentials stored encrypted on Flowframe servers (AES-256)

---

12. SECURITY MONITORING

12.1 24/7 Monitoring

What We Monitor:

• 🔍 Failed Login Attempts: Alert on brute force patterns
• 🔍 Anomalous Traffic: Unusual traffic patterns, DDoS attempts
• 🔍 Error Rates: Spikes in application errors (potential attack)
• 🔍 System Performance: CPU, memory, disk usage anomalies
• 🔍 Network Traffic: Unauthorized network connections
• 🔍 Administrative Actions: All admin access logged and monitored

Alerting:

• ⚠️ Real-Time Alerts: Critical events trigger immediate alerts
• ⚠️ Escalation: On-call engineer notified within minutes
• ⚠️ Runbooks: Documented response procedures for common incidents

12.2 Logging and Audit Trails

Comprehensive Logging:

Log Type	Retention	Content	Encryption
Application Logs	90 days	User actions, API calls	AES-256
Access Logs	90 days	Authentication, authorization	AES-256
Admin Logs	1 year	All admin actions	AES-256
Security Logs	1 year	Security events, failed logins	AES-256
Audit Logs	3 years	GDPR-related activities (DSAR, data deletion)	AES-256

Log Analysis:

• 📊 Automated Analysis: Machine learning for anomaly detection (planned)
• 📊 SIEM (Security Information and Event Management): Planned Q3 2026
• 📊 Correlation: Correlate events across systems to detect complex attacks

12.3 Security Metrics

KPIs Tracked:

• ⏱️ Mean Time to Detect (MTTD): How quickly we detect incidents
• ⏱️ Mean Time to Respond (MTTR): How quickly we respond to incidents
• 📉 Failed Login Rate: Indicator of brute force attempts
• 📈 Vulnerability Remediation Time: Time to patch vulnerabilities
• 🎯 Phishing Simulation Success Rate: Employee security awareness

---

13. VULNERABILITY MANAGEMENT

13.1 Security Updates

Patching Schedule:

• 🚨 Critical Vulnerabilities: Within 24 hours
• ⚠️ High Severity: Within 7 days
• 📋 Medium Severity: Within 30 days
• 📌 Low Severity: Next quarterly maintenance window

Dependency Management:

• ✅ Automated Scanning: GitHub Dependabot scans dependencies daily
• ✅ Automated PRs: Dependabot creates PRs for security updates
• ✅ Manual Review: All dependency updates reviewed before merging

13.2 Penetration Testing

External Penetration Testing:

• 🎯 Frequency: Under evaluation for future implementation
• 🎯 Scope: Full application and infrastructure penetration test
• 🎯 Provider: Independent third-party security firm
• 🎯 Report: Detailed findings and remediation recommendations

13.3 Vulnerability Disclosure

If you find a security vulnerability:

1. Email: support@flowframe.io with subject "SECURITY VULNERABILITY REPORT"
2. Provide: Description, steps to reproduce, potential impact
3. Responsible Disclosure: Give us time to fix before public disclosure (90 days)
4. Our Response:
   • Acknowledge receipt within 24 hours
   • Investigate and respond within 5 business days
   • Keep you updated on remediation progress

---

14. SECURITY BEST PRACTICES FOR CUSTOMERS

14.1 Account Security

Recommendations:

• ✅ Use a strong, unique password (12+ characters)
• ✅ Enable two-factor authentication (when available Q2 2026)
• ✅ Don't share credentials with anyone
• ✅ Use a password manager (1Password, Bitwarden, LastPass)
• ✅ Log out when using shared computers

14.2 Database Security

Recommendations:

• ✅ Use read-only database credentials when possible
• ✅ Create a dedicated Flowframe user with minimal permissions
• ✅ Enable IP whitelisting if your database supports it
• ✅ Rotate credentials every 90 days
• ✅ Don't use root/admin credentials
• ✅ Monitor database access logs

Database User Permissions (Example for PostgreSQL):

-- Create read-only user for Flowframe
CREATE USER flowframe_readonly WITH PASSWORD 'strong-password-here';
GRANT CONNECT ON DATABASE your_database TO flowframe_readonly;
GRANT USAGE ON SCHEMA public TO flowframe_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO flowframe_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO flowframe_readonly;

14.3 Data Handling

Recommendations:

• ✅ Only upload data you're authorized to analyze
• ✅ Anonymize or redact sensitive data before public sharing
• ✅ Export and backup important analyses regularly
• ✅ Delete old projects you no longer need
• ✅ Use RBAC to limit team member access appropriately

14.4 Team Management

Recommendations:

• ✅ Remove team members who leave your organization immediately
• ✅ Use role-based access (don't give everyone Owner access)
• ✅ Review team member list quarterly
• ✅ Audit project sharing settings periodically
• ✅ Educate team on security best practices

---

15. SECURITY ROADMAP

15.1 Current (Q1 2026) - Beta Phase

Implemented:

• ✅ TLS 1.3 encryption
• ✅ AES-256 encryption at rest
• ✅ Client-side data processing (DuckDB WASM)
• ✅ Role-based access control
• ✅ EU data residency (London, UK)
• ✅ GDPR compliance
• ✅ Bcrypt password hashing
• ✅ VPC network isolation
• ✅ Automated backups
• ✅ 24/7 security monitoring

15.2 Coming Q2 2026 - General Availability

Planned:

• 🚧 Two-Factor Authentication (2FA): TOTP-based MFA
• 🚧 SSO / SAML Integration (Enterprise): Single Sign-On
• 🚧 Bug Bounty Program: Public vulnerability disclosure
• 🚧 Security Vulnerability Disclosure Policy
• 🚧 Enhanced Audit Logs: More granular activity tracking

15.3 Future (H2 2026 & Beyond)

Roadmap:

• 🔮 IP Whitelisting: For API access
• 🔮 Advanced Audit Logs: SIEM integration
• 🔮 Data Loss Prevention (DLP): Automated sensitive data detection
• 🔮 Customer-Managed Encryption Keys (CMEK): Bring your own encryption keys
• 🔮 Hardware Security Keys: FIDO2/YubiKey support
• 🔮 Passkeys / WebAuthn: Passwordless authentication

---

16. REPORTING SECURITY ISSUES

16.1 Vulnerability Reporting

Found a security vulnerability?

Contact: support@flowframe.io Subject: "SECURITY VULNERABILITY REPORT"

Please Include:

• ✅ Description of the vulnerability
• ✅ Steps to reproduce
• ✅ Potential impact
• ✅ Your contact information
• ✅ Any proof-of-concept code (if applicable)

Our Response:

• ✅ Acknowledge receipt within 24 hours
• ✅ Investigate and respond within 5 business days
• ✅ Keep you updated on remediation progress
• ✅ Credit you in security advisory (if you wish)
• ✅ Potential bounty reward (once program launches Q2 2026)

16.2 Responsible Disclosure

We ask that you:

• ✅ Give us 90 days to fix the vulnerability before public disclosure
• ✅ Don't exploit the vulnerability beyond proof-of-concept
• ✅ Don't access other users' data
• ✅ Don't perform DoS attacks or service disruptions
• ✅ Don't publicly disclose until we've fixed the issue

In return, we promise:

• ✅ No legal action against security researchers acting in good faith
• ✅ Transparent communication and updates
• ✅ Public recognition (if you wish)
• ✅ Fair bounty rewards (once program launches)

---

SUMMARY

Flowframe implements enterprise-grade security:

• 🔒 Dual Architecture: Secure cloud DB queries + encrypted file storage (AES-256)
• 🔐 End-to-End Encryption: TLS 1.3 in transit, AES-256 at rest
• 🇪🇺 EU Data Residency: GDPR-compliant hosting in London, UK
• ✅ Compliance: GDPR, CCPA
• 🛡️ Zero Trust Architecture: Least privilege, MFA, network isolation
• 📋 Audit Ready: Comprehensive logging, incident response, breach notification
• 🗑️ Immediate Deletion: Files deleted instantly on request (no backups)

Questions? Contact us at support@flowframe.io

---

Last Updated: January 10, 2026 Version: 1.0 Next Review: April 2026

---

For more security information:

• Privacy Policy: https://flowframe.io/privacy
• Data Processing Agreement: https://flowframe.io/legal/dpa
• Terms of Service: https://flowframe.io/terms
• Sub-Processor List: https://flowframe.io/sub-processors

---

We take security seriously. If you have suggestions for improving our security posture, we'd love to hear from you at support@flowframe.io.

---

END OF SECURITY PAGE