Security & compliance
Flow runs in a multi-tenant environment with strict per-tenant isolation enforced at the database, application, and network layers. This page summarizes how we protect data and where to find the artifacts auditors need.
Authentication
- Email + password with bcrypt at cost 12. Passwords never logged.
- SSO via SAML 2.0 and OIDC on Scale and Enterprise.
- SCIM 2.0 for user lifecycle on Enterprise.
- MFA via TOTP. Required for admins; optional but recommended for everyone else.
- Sessions expire after 12 hours of inactivity and have an absolute maximum lifetime of 30 days, regardless of activity.
Roles & RLS
Roles live in a dedicated user_roles table, never as a column on the user record, and are enforced with PostgreSQL Row Level Security (RLS) policies that call a has_role() SECURITY DEFINER function. Because the function runs with its owner's privileges, the role lookup is not itself filtered by RLS (so policies cannot recurse into themselves) and client-facing database roles never need direct read access to user_roles. Application code cannot bypass RLS without explicit service-role credentials, and those credentials are used only inside audited server-side functions.
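The schema sketch below is an added example, not Flow's own migration code, showing the pattern just described on PostgreSQL 13 or later: a dedicated user_roles table, a has_role() SECURITY DEFINER function with a pinned search_path, RLS policies on a tenant-scoped table that call it, and a short smoke test run from an owner or superuser session. Only the user_roles table name and has_role() come from the page; the column layout, the app_role enum, the flows table, the database roles flow_app and flow_service, and the convention that the API publishes the caller's id in the app.current_user_id session setting are assumptions made for the example.

```sql
-- Roles are rows in their own table, never a column on the user record.
create type app_role as enum ('admin', 'editor', 'viewer');

create table public.user_roles (
  user_id   uuid     not null,
  tenant_id uuid     not null,
  role      app_role not null,
  primary key (user_id, tenant_id, role)
);

-- Assumed database roles: request handlers connect as flow_app; flow_service is the
-- explicit service-role credential used only by audited server functions.
-- BYPASSRLS skips policies, not privileges: flow_service still needs its own GRANTs.
create role flow_app     nobypassrls;
create role flow_service bypassrls;

-- No direct reads or writes of user_roles. RLS is on with no policies, so any role
-- subject to RLS sees nothing; it is deliberately not FORCEd, because has_role()
-- below reads the table with the owner's privileges.
revoke all on public.user_roles from public;
alter table public.user_roles enable row level security;

-- Assumed convention: the API publishes the caller's id in app.current_user_id.
create function public.current_app_user() returns uuid
language sql stable as $$
  select nullif(current_setting('app.current_user_id', true), '')::uuid
$$;

-- SECURITY DEFINER runs with the owner's privileges, so this lookup is not itself
-- filtered by RLS (no policy recursion) and flow_app never needs SELECT on user_roles.
-- The pinned search_path matters: a SECURITY DEFINER function with a mutable
-- search_path can be hijacked by a caller who plants a same-named object earlier in it.
create function public.has_role(_tenant_id uuid, _role app_role) returns boolean
language sql stable security definer
set search_path = pg_catalog, public
as $$
  select exists (
    select 1 from public.user_roles r
    where r.user_id   = public.current_app_user()
      and r.tenant_id = _tenant_id
      and r.role      = _role
  )
$$;
revoke all on function public.has_role(uuid, app_role) from public;
grant execute on function public.has_role(uuid, app_role) to flow_app;

-- A tenant-scoped table. FORCE makes the table owner subject to the policies as well.
create table public.flows (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  name      text not null
);
grant select, insert, update, delete on public.flows to flow_app;
alter table public.flows enable row level security;
alter table public.flows force row level security;

create policy flows_read on public.flows for select
  using (public.has_role(tenant_id, 'viewer') or public.has_role(tenant_id, 'editor')
         or public.has_role(tenant_id, 'admin'));
create policy flows_write on public.flows for all
  using      (public.has_role(tenant_id, 'editor') or public.has_role(tenant_id, 'admin'))
  with check (public.has_role(tenant_id, 'editor') or public.has_role(tenant_id, 'admin'));

-- Constructed seed data, inserted as the owner: user ...0001 is a viewer in tenant ...00aa only.
insert into public.user_roles values
  ('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-0000000000aa', 'viewer');
insert into public.flows (tenant_id, name) values
  ('00000000-0000-0000-0000-0000000000aa', 'visible to user 0001'),
  ('00000000-0000-0000-0000-0000000000bb', 'hidden from user 0001');

-- Smoke test from a session that may SET ROLE to flow_app.
begin;
set local role flow_app;
set local app.current_user_id = '00000000-0000-0000-0000-000000000001';
select name from public.flows;            -- flows_read keeps only tenants where the caller holds a role
insert into public.flows (tenant_id, name) -- rejected by flows_write's WITH CHECK: the caller is
  values ('00000000-0000-0000-0000-0000000000bb', 'should fail');  -- only a viewer, and only in ...00aa
rollback;
```

Two details are easy to lose in a refactor and worth a code-review check: the `set search_path` clause on every SECURITY DEFINER function, and `force row level security` on tenant tables so the migration owner does not silently see everything. BYPASSRLS on the service role removes policy filtering only; table privileges still have to be granted explicitly, which is what keeps that credential's blast radius enumerable.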
Encryption
| Layer | Mechanism | Notes |
|---|---|---|
| In transit | TLS 1.2+ | HSTS preloaded. TLS 1.0/1.1 and weak cipher suites disabled. |
| At rest (DB) | AES-256 | Managed by the cloud provider; keys rotated annually. |
| At rest (secrets) | AES-256-GCM via KMS | Per-customer key material; envelope encryption. |
| Backups | AES-256 | Encrypted, off-region replicated, retained 35 days. |
Secret handling
Connector credentials (OAuth tokens, API keys, certificates) are stored encrypted with a per-customer KMS key. They are decrypted only inside the server-side execution sandbox at run time; they never reach the browser, are never returned by any API, and are never included in run payloads or logs.
Audit logging
Every privileged action is captured in an append-only audit log that records the actor, target, request ID, source IP, and timestamp. Logs are streamed to immutable storage and retained for 13 months by default (configurable up to 7 years on Enterprise; see Retention). Customers on Enterprise can subscribe to a real-time audit-event webhook.
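As an added example, not Flow's own code: one way to enforce append-only at the database layer for the first hop of such a log, assuming that hop is a PostgreSQL table (the page does not say where the log is first written) and that two database roles, flow_app for request handlers and flow_auditor for the read-only exporter that streams to immutable storage, already exist. The column names follow the fields listed above; the details column, the role names and the sample row are assumptions.

```sql
-- Assumed first hop of the audit trail: a table that only ever grows.
create table public.audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid        not null,
  action      text        not null,
  target      text        not null,
  request_id  text        not null,
  client_ip   inet,
  details     jsonb
);

-- Privilege layer: handlers can only append; the exporter can only read.
-- No UPDATE, DELETE or TRUNCATE grant exists for either role.
revoke all on public.audit_log from public;
grant insert on public.audit_log to flow_app;
grant select on public.audit_log to flow_auditor;

-- Second layer: a session with over-broad privileges still cannot rewrite history
-- without first dropping this trigger. The table owner can do that, which is why the
-- copy streamed to immutable storage, not this table, is the control an auditor relies on.
create function public.audit_log_is_append_only() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % not permitted', tg_op
    using errcode = 'insufficient_privilege';
end
$$;

create trigger audit_log_no_rewrite
  before update or delete on public.audit_log
  for each row execute function public.audit_log_is_append_only();

create trigger audit_log_no_truncate
  before truncate on public.audit_log
  for each statement execute function public.audit_log_is_append_only();

-- Appending works as usual (constructed row); UPDATE, DELETE and TRUNCATE are
-- blocked first by the missing grants and then by the triggers above.
insert into public.audit_log (actor_id, action, target, request_id, client_ip, details)
values ('00000000-0000-0000-0000-000000000001', 'role.grant',
        'user:00000000-0000-0000-0000-000000000002', 'req_7f3c2a', '203.0.113.7',
        '{"role": "admin", "tenant": "00000000-0000-0000-0000-0000000000aa"}');
```

The grant layer is the real control and the trigger is defence in depth; a review of this table's privileges should also confirm that no role other than the owner has TRIGGER or ownership rights, since either would allow the trigger to be removed.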
Retention
| Data | Default retention | Configurable? |
|---|---|---|
| Run metadata | 90 days (Starter/Growth) · 13 months (Scale/Enterprise) | Yes, on Enterprise |
| Run payloads | 7 days | Yes — up to 90 days on Scale+ |
| Canonical data | Indefinite while plan is active | Yes — TTL per entity |
| Trash | 30 days | No |
| Audit log | 13 months | Yes — up to 7 years on Enterprise |
Data residency
Standard deployments run in us-east-1. EU residency (eu-west-1) and APAC (ap-southeast-2) are available on Scale and Enterprise. Cross-region transfer is opt-in and recorded in the audit log.
Compliance posture
- SOC 2 Type II — annual report available under NDA.
- GDPR / CCPA — DSAR API endpoints, configurable retention, DPA available.
- PCI DSS — out of scope by design; we never store cardholder data.
- HIPAA — BAA available on Enterprise for permitted use cases.
Reporting a vulnerability
Email security@apixx.io with reproduction details. We aim to acknowledge within one business day and to triage within three. Our responsible-disclosure policy and PGP key are published at apixx.io/security.
