Security at Flowt

Last updated: 1 April 2026

Our Commitment

Security is a first-class concern at Flowt. We follow industry best practices to protect your data, your candidates’ information, and your OAuth credentials at every layer of the stack.

Data Encryption

At rest: All OAuth access tokens and refresh tokens are encrypted with AES-256-GCM before being written to the database. The encryption key is stored separately in a restricted environment variable and rotated on a scheduled basis.
In transit: All communication between your browser and our servers, and between our servers and third-party APIs (Google, Microsoft, OpenAI), is protected by TLS 1.2 or higher. HTTPS is enforced everywhere with HSTS.
Database: Flowt uses Supabase (PostgreSQL on AWS) with row-level security. Every query filters by orgId or userId to enforce strict organisational data isolation.
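Added example, not Flowt's own code: the at-rest scheme described above, written in TypeScript against Node's built-in crypto module. It encrypts a token with AES-256-GCM under a 32-byte key read from an environment variable (the variable name TOKEN_ENCRYPTION_KEY and the constructed fallback key are assumptions, not from this page), stores version || IV || tag || ciphertext as base64, and additionally binds each ciphertext to its orgId as GCM associated data so a value copied into another tenant's row fails to decrypt; that tenant binding goes a step beyond what the page states.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

// Assumed env var name (not from the page). In production the key lives only
// in a restricted environment variable; the random fallback is a constructed
// demo key so the example runs offline (every process gets a different key).
const KEY: Buffer = process.env.TOKEN_ENCRYPTION_KEY
  ? Buffer.from(process.env.TOKEN_ENCRYPTION_KEY, "hex")
  : randomBytes(32);
if (KEY.length !== 32) throw new Error("TOKEN_ENCRYPTION_KEY must be 32 bytes (64 hex chars)");

const ALG = "aes-256-gcm";
const VERSION = 1;   // leading byte, lets a future key/format rotation coexist
const IV_LEN = 12;   // 96-bit nonce, the recommended GCM size
const TAG_LEN = 16;  // 128-bit authentication tag

// Encrypt one OAuth token for storage. A fresh random IV per call is essential:
// GCM nonce reuse under the same key breaks both confidentiality and integrity.
export function encryptToken(token: string, orgId: string): string {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv(ALG, KEY, iv);
  cipher.setAAD(Buffer.from(orgId, "utf8")); // tie ciphertext to the owning org
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([Buffer.from([VERSION]), iv, tag, ct]).toString("base64");
}

// Decrypt a stored value. Returns null (never a partial plaintext) when the
// blob is malformed, was tampered with, or belongs to a different orgId.
export function decryptToken(stored: string, orgId: string): string | null {
  const buf = Buffer.from(stored, "base64");
  if (buf.length < 1 + IV_LEN + TAG_LEN || buf[0] !== VERSION) return null;
  const iv = buf.subarray(1, 1 + IV_LEN);
  const tag = buf.subarray(1 + IV_LEN, 1 + IV_LEN + TAG_LEN);
  const ct = buf.subarray(1 + IV_LEN + TAG_LEN);
  const decipher = createDecipheriv(ALG, KEY, iv);
  decipher.setAAD(Buffer.from(orgId, "utf8"));
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // tag check failed: wrong key, wrong org, or modified bytes
  }
}
```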

Authentication & Access

OAuth only: We support Google and Microsoft OAuth sign-in. Passwords, when used, are hashed with bcrypt via Supabase Auth before storage — we never see plain-text passwords.
Minimal scopes: Gmail integration requests only gmail.send, userinfo.email, and userinfo.profile. Microsoft integration requests only Mail.Send, User.Read, and offline_access. We never request permission to read your inbox.
Token rotation: Access tokens are refreshed automatically before each email send. Revoked tokens are detected and the affected email connection is disabled immediately.
Session management: Sessions are managed by Supabase with secure, HttpOnly cookies. Sessions expire after 7 days of inactivity.

Infrastructure

Hosting: The application runs on Vercel (Edge Network + serverless functions). The database is hosted on Supabase. Both providers maintain SOC 2 Type II certifications.
Secrets: All API keys and secrets are stored as encrypted environment variables. They are never logged, committed to source control, or included in error responses.
Rate limiting: All API endpoints enforce rate limiting keyed by user ID or IP address to prevent abuse and credential stuffing.
Input validation: Every API input is validated using Zod schemas before processing. SQL injection is prevented by Prisma’s parameterised queries.

Organisational Data Isolation

Flowt is a multi-tenant application. All data — candidates, templates, campaigns, email connections — is isolated at the database level by orgId. Cross-tenant access is architecturally impossible; every query includes an org-level filter and ownership is validated server-side before any read or write.

Incident Response

In the event of a security incident, we will notify affected users via email within 72 hours of discovery, consistent with GDPR requirements. We maintain an incident response plan and conduct regular security reviews.

Responsible Disclosure

If you discover a security vulnerability in Flowt, please disclose it responsibly by emailing security@useflowt.com. Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We aim to acknowledge all reports within 48 hours.

Third-Party Processors

We work with the following sub-processors, each under a Data Processing Agreement:

Provider   | Purpose              | Data shared
Supabase   | Auth + Database      | All user & org data
Vercel     | Hosting              | Request logs (no PII)
OpenAI     | AI features          | Job descriptions, anonymised candidate data
Resend     | Transactional email  | Email address, name
Google     | OAuth + Gmail send   | OAuth tokens, email metadata
Microsoft  | OAuth + Outlook send | OAuth tokens, email metadata