flostac
PrivacyTermsData deletionCookiesContactSecurity
Open app
PrivacyTermsData deletionCookiesContactSecurity

Security

Last updated: 29 May 2026

Our commitment

Flostac is built on infrastructure where security is the default: all data in transit is encrypted with TLS 1.3, all data at rest is encrypted using AES-256, and access to production systems is gated by hardware-backed multi-factor authentication. We treat your workspace data the way we'd want our own treated.

What we do

Encryption

  • TLS 1.3 for every connection to the web app, API, and marketing site
  • AES-256 at rest for databases, file storage, and offline backups
  • Connected-platform tokens (Meta, Google, Nylas) are encrypted with AES-256-GCM using a key held outside the application database

Access control

  • Role-based access inside your organization — you control who sees what
  • Hardware-backed MFA (security keys and platform authenticators) required for Flostac staff with production access
  • No standing access to customer workspaces; engineers request time-bound access that is logged and reviewed

Application security

  • Dependency updates are applied continuously; production libraries are scanned for known CVEs
  • Authentication is delegated to Supabase Auth (industry-standard session handling, rate limiting, breach detection)
  • Content Security Policy and standard browser hardening headers are applied to every response
  • Backups are encrypted and retained for 30 days, then rotated out

Operational

  • Logging of administrative actions, available to your workspace admins
  • Incident response runbook with named on-call coverage
  • Vendor due diligence on every sub-processor (see Subprocessors)

Report a vulnerability

If you've found a security issue in Flostac, please email team.flostac@gmail.com with the subject line starting with SECURITY:. Include enough detail for us to reproduce — URL, payload, observed behavior, and your assessment of impact.

We will acknowledge within 5 business days and work with you on coordinated disclosure. We commit to not pursuing legal action against researchers who act in good faith, avoid privacy violations, and give us a reasonable window to fix before public disclosure.

We do not currently operate a paid bug bounty program. Genuine findings are credited (with your permission) in our release notes.

Out of scope

  • Denial-of-service attacks, rate-limit exhaustion, or volumetric testing
  • Social engineering of Flostac staff or customers
  • Physical attacks against infrastructure we do not operate
  • Reports about hypothetical issues without a working proof of concept

Compliance posture

Flostac is an early-stage product. We are not currently certified to SOC 2, ISO 27001, or HIPAA. The controls listed above are designed to be a credible starting point and we will pursue formal certification as the business grows. If you have a specific compliance requirement, please reach out — we're happy to discuss scope and timelines.

© 2026 Flostac. Operated by MarkOne Media, India.

Privacy·Terms·Data deletion·Subprocessors