FlowGuideAI

Security

Effective date: March 2026 · Legal contact: legal@flowguideai.com

Security is foundational to FlowGuideAI, particularly given that our customers use the platform to create compliance, HR, legal, and operational documentation. This page describes our security architecture, controls, and commitments.

1. Infrastructure

FlowGuideAI is built entirely on Cloudflare's global edge infrastructure:

  • Cloudflare Workers: Serverless compute running at Cloudflare's global edge network, providing low-latency access from 300+ locations worldwide
  • Cloudflare D1: SQLite-based relational database for structured application data, with automatic replication
  • Cloudflare R2: S3-compatible object storage for documents, exported files, and uploaded images
  • Cloudflare Access: Zero-trust network access policies for internal services

Cloudflare maintains ISO 27001 certification and a SOC 2 Type II report; these cover the infrastructure layer, not FlowGuideAI's own application-level controls. FlowGuideAI's formal SOC 2 Type II assessment is in progress.

2. Encryption

  • In transit: All data transmitted between your browser and FlowGuideAI is encrypted using TLS 1.3. Older TLS versions (1.0, 1.1) are disabled. HTTP connections are redirected to HTTPS.
  • At rest: All data stored in D1 and R2 is encrypted at rest using AES-256. Encryption keys are managed by Cloudflare's KMS with hardware security module (HSM) protection.
  • BYOK (Enterprise): Enterprise customers may provide their own encryption keys (Bring Your Own Key) for an additional layer of control over data at rest.

3. Authentication

  • OAuth SSO: Google, Apple, and GitHub OAuth are supported on all tiers
  • Microsoft OAuth: Coming soon
  • SAML 2.0 SSO: Available on Enterprise tier, supporting integration with Okta, Azure AD (now Microsoft Entra ID), and other enterprise identity providers
  • Session security: Sessions use cryptographically signed, short-lived tokens with an absolute lifetime. Idle sessions time out automatically.
  • Password policy: Email/password accounts require strong passwords; passwords are stored only as bcrypt hashes, never in plaintext.

4. Access Controls

  • Role-based access: Workspace owners, admins, and members have differentiated permission levels
  • Workspace isolation: Data is isolated at the workspace level; users can only access workspaces they have been invited to
  • Audit trail: Enterprise tier includes a full audit log of document creation, modification, export, and access events
  • Custom data retention policies: Enterprise tier may configure document retention and deletion schedules

5. SOC 2 Alignment

FlowGuideAI's security controls are aligned with the AICPA Trust Services Criteria against which SOC 2 reports are assessed, covering:

  • Security: Access controls, encryption, incident response, vulnerability management
  • Availability: Uptime monitoring, disaster recovery, redundancy via Cloudflare's global edge
  • Confidentiality: Data segregation, encryption, access logging
  • Privacy: Data minimization, retention policies, user rights (per Privacy Policy)

A formal SOC 2 Type II attestation is in progress. Enterprise customers may request our current security documentation by contacting security@flowguideai.com.

6. BYOK - Bring Your Own Key (Enterprise)

Enterprise customers can supply an encryption key that remains in their own key management system (KMS). FlowGuideAI calls that KMS to encrypt and decrypt data at rest and never stores the key itself. If you disable or revoke the key in your KMS, FlowGuideAI can no longer decrypt your stored data, which provides a strong data custody control for the most sensitive use cases. Revocation cuts off future decryption; it does not recall copies that were already exported or downloaded while the key was active.

7. Incident Response

FlowGuideAI maintains an incident response plan that includes detection, containment, eradication, and recovery procedures. In the event of a security incident affecting customer data:

  • Affected customers will be notified within 72 hours of FlowGuideAI becoming aware of the incident
  • Notification will include nature of the incident, data affected, and remediation steps taken
  • FlowGuideAI will cooperate with customers' own incident response obligations under applicable regulations (e.g., GDPR Article 33)

8. Responsible Disclosure

We take security vulnerabilities seriously and welcome reports from the security research community. If you discover a potential vulnerability in FlowGuideAI:

  • Email security@flowguideai.com with a detailed description
  • Allow us a 90-day window to investigate and remediate before public disclosure
  • Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue

We will acknowledge receipt within 48 hours and keep you informed of our progress. We do not currently offer a formal bug bounty program but may recognize significant findings.

9. Contact

Security concerns and responsible disclosure: security@flowguideai.com

General security questions: legal@flowguideai.com

⚠️ AI-Generated Content Disclaimer

FlowGuideAI uses artificial intelligence to assist in creating documentation. AI-generated content may contain errors, omissions, or inaccuracies. All documents generated by FlowGuideAI must be reviewed and verified by a qualified human professional before use in any compliance, legal, HR, or regulatory context.

FlowGuideAI is a documentation drafting tool, not a licensed legal, compliance, HR, or financial advisor. Use of FlowGuideAI does not constitute professional advice. Users are solely responsible for verifying that all generated content meets applicable laws, regulations, and organizational requirements.