Security

Your Data Is Our Priority

FlowSync is built security-first. Every layer — from encryption to access control — is designed to protect your business.

Verified Grades

Independently Verified

We don't just claim security — we prove it. Click to verify our grades yourself.

A+

Mozilla Observatory

Score: 115/100 — 10/10 tests passed

A+

SSL Labs

All endpoints graded A+

0

Snyk Vulnerability Scan

0 known vulnerabilities

Clean

Static Analysis (SAST)

Semgrep — clean scan

Encryption

Protected at Every Layer

In Transit

TLS 1.3 for all connections. No data leaves our servers unencrypted.

At Rest

AES-256-GCM field-level encryption on all personal data. Keys managed separately from data.

Backups

GPG + AES-256 encrypted daily backups with 14-day retention.

Infrastructure

Hardened From the Ground Up

DDoS Protection

Cloudflare WAF and proxy sit in front of every request. Malicious traffic never reaches our servers.

Isolated Access

SSH restricted to a private network. No public management ports. Zero trust architecture.

Automated Backups

Daily encrypted backups with automatic rotation. 14-day retention window.

CVE Monitoring

Daily automated scans for dependency vulnerabilities and known CVEs across every package.

Access Control

Least Privilege by Default

Role-Based Permissions

Owner, manager, dispatcher, tech — each role sees only what they need. No over-provisioning.

Two-Factor Authentication

TOTP and email verification available. Protect your account beyond just a password.

Session Management

Automatic session expiry with server-side token revocation. Every login is tracked and can be killed remotely.

Brute-Force Protection

Anomaly detection with automatic account freeze. WatchDawg monitors every login attempt.

Compliance

Tested, Not Just Claimed

Penetration Tested

28 security tests, 0 open findings. We attack ourselves so nobody else can.

OWASP Top 10

Every category audited and hardened. Injection, XSS, CSRF, IDOR — all covered.

Static Code Analysis

Automated SAST scanning on every code change. Vulnerabilities caught before they ship.

Zero Tracking

No analytics, no telemetry, no third-party trackers. We don't sell data. We don't even collect it.

Your Data

You Own It. Period.

Export Anytime

Download your entire operation as JSON — properties, zones, photos, work orders. Your data is always yours.

Full Deletion

Request account deletion and we wipe everything. No dark patterns, no retention tricks.

Offline-First

Works without internet — your data lives on your device. Changes sync automatically when you reconnect. No vendor lock-in.

Questions About Security?

We're happy to answer any questions about how we protect your data.
