Skip to main content

← Home

Security

Last Updated: July 17, 2026

Encryption

All traffic to the app is served over TLS 1.2+ with HSTS. Customer data at rest is encrypted using industry-standard AES-256 by our cloud providers. Secrets, API keys and OAuth tokens stored on behalf of customers are encrypted with per-workspace keys before being written to the database.

Access controls

Access to production data is limited to a small on-call team, requires SSO with hardware- backed MFA, and is audit-logged. Row-level security policies scope every read and write to the caller's workspace; service-role database access is confined to server-side code paths that never run in a browser.

Monitoring and incident response

Application errors and security-relevant events are logged and monitored. We aim to notify affected customers within 72 hours of confirming a personal-data breach, in line with our DPA.

Vendors

A current list of sub-processors is at /subprocessors. All sub-processors are contractually bound to protection standards no less protective than our own.

Responsible disclosure

We welcome reports from security researchers. Please email security@fullfloe.ai with a description of the issue, steps to reproduce, and any proof-of-concept. Please do not perform testing that could impact other customers' data. We commit to acknowledging reports within 3 business days and to not pursuing legal action against researchers acting in good faith.