Security & trust
Your documents contain sensitive information. Here is exactly how SecureFlow protects them.
Your data stays in your workspace
- Workspace isolation: Every account gets a private workspace. Your documents, questionnaires, and answers are never visible to other users or tenants.
- Role-based access: You control who can see and edit your data. Admins manage billing and members; Editors run AI and edit answers; Viewers are read-only.
- Audit log: Every upload, AI generation, and CSV export is recorded so your team always knows who did what and when.
Authentication & access
- Passwords: Hashed with bcrypt (cost 12) — we never store your password in plain text.
- Google Sign-In: OAuth 2.0 via Google. We only receive your email address and name — no Google password is ever shared with us.
- Sessions: HTTP-only, signed JWT cookie. Marked secure in production so it cannot be read by scripts.
- Rate limiting: Login, registration, uploads, and AI generation endpoints are rate-limited to reduce abuse.
AI & your documents
- Your documents power the answers. The AI only uses the files you upload — it does not mix your content with any other tenant's data.
- AI provider: SecureFlow uses OpenAI to generate embeddings and draft answers. Document text is sent to OpenAI at request time only — we do not train models on your content.
- Drafts require human review. Every AI-generated answer should be reviewed and approved by your team before it is sent to a customer. See our disclaimer.
Encryption & infrastructure
- Encryption in transit: All communication between your browser and our servers uses TLS 1.2+.
- Encryption at rest: Data and uploaded files are stored with industry-standard encryption on the server.
- No third-party analytics on your documents. We do not sell or share your uploaded content with advertisers or data brokers.
SOC 2 & compliance roadmap
We are working toward a formal SOC 2 Type II audit. In the meantime, we publish our security practices here and update them as the platform matures. Enterprise customers on Custom plans can request additional security documentation. Contact us at contact@secureflow.tech.
Vulnerability disclosure
Found a security issue? Please report it responsibly. Email us at contact@secureflow.tech and we will respond within 48 hours.