Security
Our commitment
Flostac is built on infrastructure where security is the default: all data in transit is encrypted with TLS 1.3, all data at rest is encrypted using AES-256, and access to production systems is gated by hardware-backed multi-factor authentication. We treat your workspace data the way we'd want our own treated.
What we do
Encryption
- TLS 1.3 for every connection to the web app, API, and marketing site
- AES-256 at rest for databases, file storage, and offline backups
- Connected-platform tokens (Meta, Google, Nylas) are encrypted with AES-256-GCM using a key held outside the application database
Access control
- Role-based access inside your organization — you control who sees what
- Hardware-backed MFA (security keys and platform authenticators) required for Flostac staff with production access
- No standing access to customer workspaces; engineers request time-bound access that is logged and reviewed
Application security
- Dependency updates are applied continuously; production libraries are scanned for known CVEs
- Authentication is delegated to Supabase Auth (industry-standard session handling, rate limiting, breach detection)
- Content Security Policy and standard browser hardening headers are applied to every response
- Backups are encrypted and retained for 30 days, then rotated out
Operational
- Logging of administrative actions, available to your workspace admins
- Incident response runbook with named on-call coverage
- Vendor due diligence on every sub-processor (see Subprocessors)
Report a vulnerability
If you've found a security issue in Flostac, please email team.flostac@gmail.com with the subject line starting with SECURITY:. Include enough detail for us to reproduce — URL, payload, observed behavior, and your assessment of impact.
We will acknowledge within 5 business days and work with you on coordinated disclosure. We commit to not pursuing legal action against researchers who act in good faith, avoid privacy violations, and give us a reasonable window to fix before public disclosure.
We do not currently operate a paid bug bounty program. Genuine findings are credited (with your permission) in our release notes.
Out of scope
- Denial-of-service attacks, rate-limit exhaustion, or volumetric testing
- Social engineering of Flostac staff or customers
- Physical attacks against infrastructure we do not operate
- Reports about hypothetical issues without a working proof of concept
Compliance posture
Flostac is an early-stage product. We are not currently certified to SOC 2, ISO 27001, or HIPAA. The controls listed above are designed to be a credible starting point and we will pursue formal certification as the business grows. If you have a specific compliance requirement, please reach out — we're happy to discuss scope and timelines.