Security
Last Updated: July 17, 2026
Encryption
All traffic to the app is served over TLS 1.2+ with HSTS. Customer data at rest is encrypted using industry-standard AES-256 by our cloud providers. Secrets, API keys and OAuth tokens stored on behalf of customers are encrypted with per-workspace keys before being written to the database.
Access controls
Access to production data is limited to a small on-call team, requires SSO with hardware- backed MFA, and is audit-logged. Row-level security policies scope every read and write to the caller's workspace; service-role database access is confined to server-side code paths that never run in a browser.
Monitoring and incident response
Application errors and security-relevant events are logged and monitored. We aim to notify affected customers within 72 hours of confirming a personal-data breach, in line with our DPA.
Vendors
A current list of sub-processors is at /subprocessors. All sub-processors are contractually bound to protection standards no less protective than our own.
Responsible disclosure
We welcome reports from security researchers. Please email security@fullfloe.ai with a description of the issue, steps to reproduce, and any proof-of-concept. Please do not perform testing that could impact other customers' data. We commit to acknowledging reports within 3 business days and to not pursuing legal action against researchers acting in good faith.