Compliance

• Audit loggingEvery privileged action (flow CRUD, member changes, ticket config, license issue/revoke/reload, SSO config, SCIM token lifecycle, billing checkout/portal) is logged with actor, timestamp, IP, user agent, and JSON details. Streamed CSV/NDJSON export for SIEM ingestion.
• Least-privilege RBACSeven roles (Owner / Admin / Tester / Viewer / Agent / Scim / PlatformAdmin) with explicit scope. New SCIM provisions default to Viewer; Owners promote explicitly.
• EncryptionTLS 1.2+ in transit everywhere. At rest: Azure SQL TDE / Aurora storage encryption. Application-level envelope encryption for flow-variable secrets, integration PATs, and API keys.
• Secret managementAzure Key Vault (managed identity, two-pass Bicep) or AWS Secrets Manager (RDS-managed password, never in TF state). No secrets in source control, no secrets baked into images, no secrets in task definitions.
• Change trackingAll code changes flow through PRs in Git. CI runs build + test + IaC validate. CodeQL static analysis on every push + weekly. Dependabot updates dependencies with grouped PRs.
• Tenant isolationDatabase-per-tenant. Cross-region access blocked with 421. Catalog DBs don't cross deployments — EU tenant data never touches the US deployment.
• Rate limitingPer-tenant token-bucket on AI-cost endpoints. Per-IP global fallback. Atomic tier enforcement (no burst-past-limit under concurrency).
• IdentityReal JWT validation (RS256, full TokenValidationParameters) against Azure AD or per-tenant OIDC. SCIM 2.0 for IdP-driven user provisioning. Bearer tokens stored as SHA-256 hashes — plaintext shown once.

Items we're actively working on. We don't claim completion until the artefact is in hand.

• SOC 2 Type I attestationReadiness assessment scheduled with a third-party platform (Vanta / Drata / Secureframe). 6–8 week calendar item. Type II follows once Type I is in place.
• Penetration testThird-party engagement planned post-SOC 2 readiness. Until that report is in our hands, we don't claim 'pen-tested'.
• Backup/restore drillAutomated backups are configured (Azure SQL automated backups, Aurora 14-day retention). The actual end-to-end restore drill is scheduled — we'll measure RPO/RTO rather than claim numbers.
• ISO 27001Customer demand driven. SOC 2 evidence is reusable for ISO 27001 surveys; we'll start when EU customers ask.

FlowGuard operates independent deployments per region. Catalog database, tenant databases, object storage, and AI endpoint all live inside the jurisdictional boundary. There is no cross-region replication.

Tenants are pinned to a region at signup and stay there for life. Cross-region requests receive 421 Misdirected Request with a hint header — even if DNS were ever misrouted, EU data is never served from the US deployment.

When an auditor (yours or a SOC 2 examiner) asks for evidence of a control, the audit log + SIEM export endpoint is usually the cleanest answer. Common queries:

• Access review: filter audit log for team.member.role.updated events in the period under review.
• Privileged action proof: filter for license.issued, ticket.config.updated, sso.config.updated.
• Billing event trail: billing.checkout.started, billing.portal.opened are timestamped per Owner. Stripe's own logs are the authority for actual payment events.

Sub-processors

Services that may process customer data on FlowGuard's behalf:

Customers on the self-hosted (Helm) or behind-your-firewall plans can avoid most of this list — bring your own SMTP, your own AI endpoint, and your own billing (if you're internal to a larger org).