Last updated: March 2, 2026
Security is built into every layer of the FlowOps platform. This page describes our infrastructure, access controls, data protections, and how to report a security concern.
FlowOps is built on modern, managed cloud infrastructure. Data is currently hosted in the United States (AWS us-east-1 via Supabase). Organizations with Canadian data residency requirements should contact us — Canadian hosting is available on our Enterprise plan.
✓ Encryption in transit: All data transmitted between clients and our servers is encrypted using TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
✓ Encryption at rest: All data stored in our database (Supabase / PostgreSQL) is encrypted at rest using AES-256.
✓ Managed PostgreSQL: Database instances are managed by Supabase with automated backups, point-in-time recovery, and high availability configurations.
✓ Edge network: Application delivery via Vercel's global edge network with DDoS mitigation.
| Plan | Data Location | Status |
|---|---|---|
| Basic / Professional | United States (AWS us-east-1) | Current |
| Enterprise | Canada (AWS ca-central-1) — on request | Available |
For Canadian data residency inquiries, contact security@flowops.com.
✓ Role-based access control (RBAC): Nine distinct roles (Admin, Auditor, Manager, Scheduler, Coordinator, Technician, Inventory Manager, Requester, Vendor) with granular, per-resource permissions.
✓ Row-level security (RLS): Database-level policies enforced by Supabase ensure each organization can only access its own data — even if application-level authorization fails.
✓ Multi-factor authentication: Available via Supabase Auth. Organizations can require MFA for all users.
✓ Vendor isolation: External vendors access only the work orders assigned to them — no access to internal data, other vendors' records, or administrative functions.
✓ Session management: Sessions expire automatically. Tokens are short-lived and rotated on refresh.
Every significant action in the platform — creating, updating, or deleting work orders, assets, users, and settings — is recorded in a tamper-evident audit log. Logs capture who performed the action, when, from which IP address, and what changed.
Basic plan: 30-day audit log retention
Professional plan: 1-year audit log retention + export to PDF/CSV
Enterprise plan: Unlimited audit log retention
The following third-party services process data on behalf of FlowOps. Each is subject to a Data Processing Agreement or equivalent contractual security obligations.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database & auth | All account and work order data | United States |
| Vercel | App hosting & CDN | Web traffic, logs, IP addresses | United States / Global |
| Stripe | Payment processing | Billing info, payment method | United States |
| SendGrid (Twilio) | Transactional email | Email addresses, notification content | United States |
| Twilio / MessageBird | SMS notifications | Phone numbers, SMS content | United States / Netherlands |
| OpenAI | AI features (voice transcription, automation hints) | Voice audio, work order text (anonymized) | United States |
✓ Input validation: All user inputs are validated on both client and server. SQL injection is prevented by parameterized queries via Supabase's query builder.
✓ CSRF protection: Cross-site request forgery protections are enforced on all state-changing API routes.
✓ Webhook security: Inbound webhooks (email, SMS) validate cryptographic signatures from providers before processing.
✓ Rate limiting: API endpoints and SMS/email channels implement rate limiting to prevent abuse.
✓ Dependency management: We regularly audit and update third-party dependencies for known vulnerabilities.
✓ Secret management: API keys and credentials are stored as environment secrets, never in source code or logs.
We take security vulnerabilities seriously. If you believe you have discovered a security vulnerability in FlowOps, please report it responsibly by emailing security@flowops.com with:
A description of the vulnerability and the potential impact.
Step-by-step reproduction instructions.
Any proof-of-concept code or screenshots (redact any customer data).
We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 30 days. We will not take legal action against researchers who follow this responsible disclosure process. We do not currently offer a bug bounty program.
For security inquiries, vulnerability reports, or data residency questions:
Email: security@flowops.com
For privacy-related concerns, see our Privacy Policy or email privacy@flowops.com.