Security & trust

Your shop data, locked down by default.

Signs and print jobs are your customers' brand identity. We treat your workspace the way you treat their artwork — no leaks, no shortcuts, and a clear paper trail.

Talk to our team Read our DPA

How we protect your data

The security posture, in plain language.

No mission-statement word salad. Each pillar is a concrete thing we do — and a thing you can verify.

Encryption in transit and at rest

TLS 1.2+ for every request. Data in our Postgres cluster is encrypted at rest by the storage layer (AES-256). Secrets — API keys, webhook signing, OAuth tokens — are stored via platform-managed key material, not in application code.

Per-tenant isolation

Every tenant-scoped row carries a `tenantId`. Every request runs through a server-side gate that resolves the tenant from the URL, checks membership, and attaches it to the query. Two tenants cannot read each other's data by any URL, API, or mistake.

Role-based access, down to the action

Owners, admins, managers, sales, designers, installers, accountants, and employees each have an explicit permission set. Every server action and every UI button gates on the same capability check — no hidden escalation paths.

Point-in-time Postgres backups

Managed Postgres on a provider with automated daily backups and point-in-time recovery. A production incident that corrupts your data can be restored to a timestamp, not a 'last night's backup' hand-wave.

Audit trail by default

Sign-ins, permission changes, record deletions, impersonation sessions — all logged to an append-only audit stream. Owners can review the last 90 days of activity from the settings panel.

Two-factor authentication

TOTP-based 2FA is available for every user, and owners can require it for every member of their workspace. Recovery codes are one-time-use and rotate on use.

Platform impersonation, audited

When our support staff need to view your workspace, they do so via an audited impersonation session — banner displayed to the customer, every action logged against the support agent's platform account, not yours.

Data export on demand

Every tenant can export their complete data set (customers, quotes, orders, invoices, files) as structured JSON at any time. No lock-in. No data-held-hostage if you leave.

Sub-processors

Who touches your data, and what they do.

We keep this list short and current. If it changes, customers on annual plans get 30 days' notice.

Vendor	Role	Region
Neon	Managed Postgres — primary database	US East
Vercel	Application hosting and edge delivery	Global edge
Stripe	Payment processing and card vault	US / global
Postmark	Transactional email (quotes, invoices, notifications)	US
Cloudflare R2	Proof and artwork file storage	Global

Compliance roadmap

What we have today. What we're earning next.

We believe in saying what's true now and what's coming — not checking boxes we haven't earned.

In progress
SOC 2 Type I audit
In-flight with a Big Four-adjacent audit firm. Targeting Q2 next year.
Planned
SOC 2 Type II
Targeted for ~12 months after Type I report.
Planned
SSO (SAML / OIDC)
On the roadmap for franchise/enterprise tier. Contact us if it's a blocker.
Live
Enterprise DPA template
Available on request for annual contracts.

Common questions

Security FAQ

Where is my data stored?

Primary database is in US East (Neon). Files (proofs, artwork, attachments) are in Cloudflare R2 with global replication. Data residency controls for EU-only are on our enterprise-tier roadmap.

Can I require 2FA for my whole team?

Yes. Owners can flip a workspace-wide 2FA requirement in settings, which kicks in at the next login for members who haven't enrolled.

What happens if I cancel?

You keep full export access for 30 days after cancellation. After that, we soft-archive for another 60 days (retrievable by support) and then permanently delete. You can also request immediate deletion at any time.

How do I report a security issue?

Email security@flowtora.com with details. We respond within 24 business hours and track through resolution. Good-faith researchers get credit in our advisories; no legal action against ethical disclosure.

Is there a status page?

A public status page is on our near-term roadmap. Until then, incidents are announced via in-app banner and email to workspace owners.

Report a vulnerability → security@flowtora.com

Still have questions?

We'll answer them.

Talk to us about your compliance requirements, data residency, or SSO — no sales runaround.

Book a demo Contact sales