Security

Last updated: February 2026

The Short Version

Your business data and your customers' information are protected at every layer. We use industry-standard encryption, trusted infrastructure providers, and strict access controls. We never sell data, and we never will.

Infrastructure

  • Hosting: Deployed on Vercel with automatic DDoS protection and edge network distribution
  • Database: Supabase (built on PostgreSQL) with encrypted connections and automated backups
  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)

Authentication & Access

  • Passwords are hashed using bcrypt — we never store plaintext passwords
  • Row-Level Security (RLS) ensures businesses can only access their own data
  • API routes verify authentication and business ownership on every request
  • CSRF protection on all mutation endpoints
  • Role-based access control for team members (owner, admin, member)

Payments

All payment processing is handled by Stripe, a PCI Level 1 certified payment processor. We never store credit card numbers, CVVs, or full card details on our servers.

AI & Third-Party Services

Flowstate uses AI to respond to leads and optimize your business. Here's how we handle data with our AI providers:

  • AI providers do not use your data to train their models
  • Conversations are processed in real time and not stored by AI providers
  • We only send the minimum context needed for each AI task

Data Ownership

Your data is yours. Period. You can export all your business data at any time from Settings. If you delete your account, we permanently remove all your data from our systems, including leads, conversations, invoices, and website content.

Reporting Vulnerabilities

If you discover a security vulnerability, please report it to security@useflowstate.app. We take all reports seriously and will respond within 48 hours.