Flows security overview
At Flows, security is a top priority. We know you are placing trust in us and guarantee we will never compromise that. We strive to provide a secure and reliable service while maintaining rapid development.
Infrastructure and network security
Physical Access Control
The Flows Platform is hosted exclusively on DigitalOcean servers located in the EU (Germany). DigitalOcean maintains both SOC 2/3 reports and ISO 27001 certification, which can be accessed via their certifications page.
Secondary self-hosted services that never handle any user or customer data, such as workflow example apps like this one, are hosted on Hetzner servers located in the EU. Hetzner maintains ISO 27001 certification, which can be accessed via their certificates page.
Access Control
Flows infrastructure can only be accessed by authorized personnel. Privileged access to Flows infrastructure is assigned in a Just-in-Time (JIT) fashion for a limited time and requires strong authentication. Each access request requires a business justification and management approval. All JIT access requests are audited.
Administration rights (including SSH, Database Access, and Infrastructure Configuration) are tightly controlled and restricted to a very small number of our team.
Business Continuity and Disaster Recovery
Business Continuity
Flows performs daily backups of data with point-in-time recovery (PITR) capabilities. Backups are stored on DigitalOcean.
All backups are stored in encrypted form.
In case of platform-wide data loss, we can restore data from these backups.
We regularly test restoration of our infrastructure from these backups.
Disaster Recovery
Flows primarily serves traffic from a single geographic region. In the unlikely event of a prolonged regional outage, we maintain a documented procedure for provisioning our deployment environment in a separate region.
Data Flow
Data Arriving from Customers and your Users
All customer data is sent to Flows via HTTPS using TLS 1.2 or above.
All Flows systems are configured to reject connections using TLS versions below 1.2 or those using potentially insecure cipher suites.
All requests into the system are logged and monitored.
Data Storage
All customer data is stored in encrypted form at rest using AES-256 encryption.
Access to stored data is tightly controlled and restricted to a very small number of our team.
Data Leaving the System
Flows allows customers and their users to access the data stored in Flows through several methods, including:
- Our web application, hosted at app.flows.sh.
- Our SDKs and API, which allow customer applications to load data from Flows on behalf of their users, hosted at api.flows-cloud.com.
All of the methods we provide to our customers for accessing their data ensure encryption in transit using TLS 1.2 or above.
Secure Application Development Process
Flows uses a Continuous Integration and Continuous Deployment model, which means all of our code changes are committed to a source code repository, reviewed, tested, and shipped to our customers in rapid sequence. Every source code change is tracked on GitHub.
Our rapid iteration development model significantly improves our response time to bugs, vulnerabilities, and security incidents.
Corporate Security
We believe that good security applies to our team as much as to our platform.
Malware Protection
Flows maintains a comprehensive Malware Protection system backed by Apple Gatekeeper and XProtect.
Endpoint Security and Configuration
All endpoints use Full Disk Encryption, Screen Lock, Remote Wipe, and strong passwords.
Incident Response Policy
Flows follows a CERN (Contain, Eradicate, Recover, and Notify) Security Incident Response Process.
Where a Security Incident affects the Confidentiality of customer data, Flows will contact the members of the organization.
Flows maintains a public status page at status.flows.sh, which reports on operational issues and incidents.
Vendor Management
Flows follows a rigorous Vendor Management process to ensure that all third-party services and vendors meet our security and compliance standards.
Vulnerability Scanning
Flows performs regular vulnerability scanning to identify and remediate potential security issues in our systems and applications.
More information
To report a vulnerability via our Responsible Disclosure program, please review our policy and submit a report here.
For further information on our standards please refer to our Terms of Service, Privacy Policy, and Docs.
Last updated: May 1, 2026