Flowgento

Security

Built for the data you care about most.

Encryption, tenant isolation, RBAC, audit logging, and multi-cloud storage — designed so Flowgento can host the conversations your customers trust you with.

Encryption in transit

Every customer-facing endpoint enforces TLS 1.2 or higher (TLS 1.3 is negotiated where the client supports it). Apex domains send preload-ready HSTS headers.

Encryption at rest

Storage providers (Cloudflare R2 and iDrive e2) encrypt volumes at the disk layer. Sensitive secrets (WhatsApp access tokens, encrypted credentials) are additionally wrapped in AES-256-GCM at the application layer before being persisted.

Backups

Daily database snapshots and continuous transaction logs are encrypted before upload and retained according to a published schedule. Backup providers are operationally distinct from primary storage.

Infrastructure

Multi-cloud media storage with per-tier defaults and per-tenant overrides. Failover routing tested regularly. Hosting providers are SOC 2 / ISO 27001 audited.

Access control

Role-based access (OWNER / ADMIN / AGENT) inside each workspace; strict tenant isolation enforced at the query layer. Production access for Flowgento personnel is gated by short-lived credentials and audited.

Audit logs

High-impact actions (role changes, deletions, billing events, impersonation) are written to an append-only audit log with actor, target, IP, and user-agent. Retained for at least 12 months and available for export.

Compliance posture

Where we stand today.

Framework and status

DPDP Act 2023 (India)
Status: Active alignment
Data minimisation, retention controls, breach-notification timeline (72 hours), and data subject request tooling are aligned with the DPDP Act.

GDPR (EU 2016/679)
Status: Available on request
Standard Contractual Clauses available for customers exporting EU/UK data. DPA covers Article 28 obligations.

WhatsApp Business Policy
Status: In compliance
We are a Meta Tech Provider integration and enforce template approval, opt-out, and 24-hour service-window rules.

SOC 2 / ISO 27001
Status: Targeted
Formal attestation work begins after our first 200 paying customers; controls aligned in advance.

Responsible disclosure

If you believe you've found a security issue affecting Flowgento, please email security@flowgento.com with steps to reproduce. We aim to acknowledge reports within two business days and to keep researchers updated as we investigate.

Please do not access or modify data belonging to other customers, and please give us a reasonable window to fix issues before public disclosure. We don't currently run a paid bug bounty, but we publicly thank researchers who follow these guidelines.

Have a deeper security question?

We're happy to answer questionnaires, share our DPA, or talk through how we'd host your data.