Security
Effective date: February 10, 2026
Keeping your data safe is fundamental to Flowcept. This page describes the security practices we follow today. We're a small team, and we believe in being transparent about what we do and what we're still working on — rather than making grand claims we can't back up.
Authentication & Access Control
Passwords are hashed with bcrypt, which generates a random per-password salt and stores it as part of the hash, before they are written to the database. The plaintext password is never stored or logged; it exists only transiently while the hash is computed or verified.
Social sign-in is available through Google and GitHub using standard OAuth 2.0 flows. We request only the minimum scopes necessary: your basic profile information and email address.
Sessions are managed through cookies set with the HttpOnly and Secure flags, so the session token is never sent over plain HTTP and cannot be read by client-side JavaScript. A cross-site scripting (XSS) flaw therefore cannot exfiltrate the token, although XSS would still be able to trigger actions in the victim's browser.
Email verification is required for password-based signups. OTP codes are time-limited and attempt-limited to prevent brute-force guessing.
Data Encryption
In transit: All connections to Flowcept are encrypted using TLS (HTTPS). Unencrypted HTTP requests are automatically redirected to HTTPS, enforced by our hosting provider (Vercel).
At rest: Our database is hosted on MongoDB Atlas, which encrypts all data at rest with AES-256. Database access requires authentication and is restricted to the application's service accounts.
Infrastructure
- Hosting: Flowcept is deployed on Vercel, which runs on AWS infrastructure with automatic scaling, DDoS protection, and edge network security.
- Database: MongoDB Atlas provides automated backups, network isolation, and IP-based access control. Database credentials are stored as environment variables and are never committed to version control.
- Secrets management: API keys, OAuth client secrets, and database connection strings are stored as encrypted environment variables — never in application code.
Application Security
- Input validation: User input is validated on both the client and server side; the server-side check is the one that counts for security, since the client can be bypassed. Database queries go through Mongoose's schema-typed query methods rather than query documents assembled from raw user input, which guards against NoSQL operator injection.
- CSRF protection: A random state token is generated when an OAuth flow is started and verified on the callback, so a callback the user did not initiate is rejected.
- Rate limiting: Authentication endpoints (login, signup, OTP verification) are rate-limited to prevent brute-force and credential-stuffing attacks.
- Error handling: Internal error details are logged server-side but never exposed to end users. Public error responses include only a general message and an error reference ID when applicable.
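To make the injection point under Input validation concrete, here is an added Node.js example, not Flowcept's code. It shows how an operator object smuggled in through a JSON body changes the meaning of a MongoDB filter, and a small sanitizer in the spirit of Mongoose's `sanitizeFilter` option. The sample users, the miniature query evaluator (which stands in for a real collection so the example runs offline) and the handler names are constructed for illustration.

```javascript
// Added example (not Flowcept's code). The users array, the evaluator and the
// lookup functions are constructed to demonstrate NoSQL operator injection.

// Constructed sample collection; passwordHash values are placeholders.
const users = [
  { email: "alice@example.com", passwordHash: "hash-of-alice-password" },
  { email: "bob@example.com", passwordHash: "hash-of-bob-password" },
];

function deepEqual(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Minimal evaluator for the subset of MongoDB filter semantics used here.
// A plain value means equality; an object is treated as a map of operators,
// which is exactly what makes an injected {"$ne": null} dangerous.
function fieldMatches(actual, cond) {
  if (cond !== null && typeof cond === "object" && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$eq": return deepEqual(actual, arg);
        case "$ne": return !deepEqual(actual, arg);
        case "$regex": return new RegExp(arg).test(String(actual));
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  return deepEqual(actual, cond);
}

function findOne(filter) {
  return users.find((doc) =>
    Object.entries(filter).every(([k, cond]) => fieldMatches(doc[k], cond))) || null;
}

// Wrap any nested object in $eq so it is compared as a literal value, and drop
// top-level operator keys. The effect is similar to Mongoose's sanitizeFilter.
function sanitizeFilter(filter) {
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    if (key.startsWith("$")) continue;
    const isObject = value !== null && typeof value === "object" && !Array.isArray(value);
    out[key] = isObject ? { $eq: value } : value;
  }
  return out;
}

// Vulnerable: whatever the JSON body carries becomes the filter value.
function lookupUnsafe(body) {
  return findOne({ email: body.email });
}

// Hardened: the filter is sanitized, so an operator object can only ever be
// compared as a literal and matches nothing. Server-side validation (rejecting
// a non-string email) should reject the request even earlier.
function lookupSafe(body) {
  return findOne(sanitizeFilter({ email: body.email }));
}

// Constructed request bodies, as a JSON body parser would produce them.
const honestBody = JSON.parse('{"email":"bob@example.com"}');
const attackBody = JSON.parse('{"email":{"$ne":null}}');
const enumerateBody = JSON.parse('{"email":{"$regex":"^a"}}');
```

With `lookupUnsafe`, the `$ne` body returns the first user in the collection without knowing any email, and the `$regex` body lets an attacker enumerate addresses by prefix; with `lookupSafe` both return `null` while the honest lookup still works. Mongoose exposes the same defence globally via `mongoose.set("sanitizeFilter", true)`.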
Third-Party Integration Security
When you connect external services like Google Calendar, the OAuth refresh token is stored in our database with restricted access. It is only used for the specific integration you authorised, and you can revoke it at any time by disconnecting the integration from your settings or from the third-party service's own security settings.
What We're Still Improving
We believe honesty builds more trust than overclaiming. Here are areas we're actively working on:
- Formal penetration testing by an independent third party.
- SOC 2 compliance (we are not yet SOC 2 certified).
- More granular role-based access controls within teams.
- Two-factor authentication (2FA) for all accounts.
Responsible Disclosure
If you discover a vulnerability in Flowcept, please report it responsibly. Email us at akshumahajan2004@gmail.com with a description of the issue, steps to reproduce it, and your contact information. We ask that you:
- Give us reasonable time to investigate and fix the issue before disclosing it publicly.
- Do not access or modify data belonging to other users.
- Do not disrupt the availability of the service.
We appreciate security researchers who help us improve. While we don't have a formal bug bounty programme yet, we will credit you (with your permission) for any valid reports.
Contact
For any security-related questions or concerns, reach out to akshumahajan2004@gmail.com.