Trust
Security & Trust
Effective April 28, 2026 • Version 1.0 • FlowifyOS LLC
Flowify handles money — payroll, taxes, bills, profit. We treat your data like a bank should. This page is the plain-English summary of how we protect it. Documentation for auditors, banking partners, and enterprise customers is available on request.
Encryption
AES-256 + TLS 1.2+
MFA
Required (admin)
Backups
Daily, PITR
Uptime target
99.5%
1. Overview
Flowify is operated by FlowifyOS LLC, a Wyoming limited liability company. Our security program is built around three principles: least privilege (only the access required for a role), defense in depth (layered controls), and auditability (every privileged action is logged).
We do not custody customer funds. Money movement is performed through regulated banking partners; Flowify orchestrates and records, but the partner bank holds the account.
2. Security controls
Authentication
MFA required for administrative access. Strong password requirements screened against known-breached corpora. SSO is preferred where available.
Authorization
Role-based access control. Roles are stored in a dedicated permissions table with row-level security enforced by the database, not the client.
Encryption
AES-256 at rest for databases, object storage, and backups. TLS 1.2+ in transit, TLS 1.3 preferred. Sensitive fields receive application-layer envelope encryption.
Infrastructure
Hosted on enterprise-grade cloud infrastructure with managed WAF, DDoS protection, and physical security covered by the provider's SOC 2 / ISO 27001 attestations.
Change management
All production code goes through peer-reviewed pull requests with automated CI checks, dependency scanning, and static analysis before deploy.
Monitoring
24/7 uptime monitoring with on-call alerting. Application errors, latency, and database health are tracked continuously.
3. Data protection
We classify data as Restricted (bank credentials, government IDs), Confidential (customer PII, transaction history), Internal, and Public. Restricted data fields are encrypted at the application layer in addition to storage-level encryption, and access is logged.
Backups run daily with point-in-time recovery enabled. We test restore procedures at least annually. Recovery objectives: RTO 4 hours, RPO 1 hour for customer-facing services.
We do not sell personal information and do not share it for cross-context behavioral advertising. See our Privacy Policy for full detail.
4. Compliance & frameworks
Flowify maintains a written compliance program designed to meet the standards expected of fintech infrastructure:
- BSA / AML — written program covering KYC/KYB, ongoing monitoring, Suspicious Activity Report procedures, OFAC screening, and 5-year recordkeeping.
- SOC 2 (Security + Availability) — full policy pack and control matrix in place; audit-ready posture maintained ahead of formal Type II observation.
- GLBA Safeguards Rule — administrative, technical, and physical safeguards aligned with Section 314.4.
- U.S. state privacy laws — CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and similar; rights are honored regardless of residency.
Auditors and qualified counterparties may request our policy pack, control matrix, or compliance program by emailing support@flowifyos.com.
5. Subprocessors
We use a small set of vetted subprocessors to deliver the service. Each is reviewed annually for security posture. Customer data is shared only as necessary for the listed purpose.
| Subprocessor | Purpose | Region |
|---|---|---|
| Lovable Cloud (Supabase + Cloudflare) | Application hosting, database, authentication, storage, edge runtime | U.S. / Global edge |
| Plaid | Bank account verification and transaction data | U.S. |
| Paddle | Subscription billing and merchant of record | U.S. / EU |
| Lovable AI Gateway | AI-assisted features (categorization, in-app assistant) | U.S. |
| POS providers | Sales, product, and inventory data — only the POS the customer chooses to connect | Varies by provider |
Material changes to this list will be reflected here and, where required, communicated in advance to customers under contract.
6. Incident response
We maintain a documented incident response plan with severity-based response times, named incident commanders, and a blameless post-mortem process. Customers materially affected by an incident are notified without undue delay (target: within 72 hours of confirmation).
Incident records and post-mortems are retained for a minimum of five years to support audit, BSA/AML, and regulatory needs.
7. Responsible disclosure
Security researchers: thank you. If you believe you have found a vulnerability, please email support@flowifyos.com with the subject line "Security report" and a clear description of the issue and steps to reproduce.
We commit to:
- Acknowledging your report within 3 business days.
- Providing an initial assessment within 10 business days.
- Not pursuing legal action against researchers acting in good faith — no testing that degrades service, no access to other customers' data, no extortion.
- Crediting reporters publicly when a fix ships, if desired.
Out of scope: denial-of-service, social engineering of our staff, physical attacks, and findings against unmodified third-party services (please report those to the vendor directly).
8. System status
Live service status, scheduled maintenance, and incident history are published at flowifyos.com/status.
9. Contact
Security questions, audit requests, or compliance documentation: support@flowifyos.com
Available on request: SOC 2 Policy Pack, Control Matrix, BSA/AML Program, ToS, Privacy Policy, signed DPA template.
FlowifyOS LLC • Wyoming, USA • support@flowifyos.com