Security & Privacy
FlowGuard handles credentials, screenshots and sometimes customer-shaped test data. The defaults are conservative — read this page once before you wire it into a regulated environment.
Encryption
- In transit: TLS 1.2+ everywhere — agent ↔ API, dashboard ↔ API, ticket-provider calls.
- At rest: Azure SQL with TDE. Application-level AES-256 envelope encryption for secret variables, integration PATs and tenant API keys.
- Key custody: Data Encryption Keys live in Azure Key Vault per tenant on Enterprise. On Starter and Team, keys are shared across tenants but isolated from application data; rotation is automatic every 90 days.
- Screenshots: stored in Azure Blob with private access only; signed URLs expire in 15 minutes. Mark sensitive selectors with `mask` on a Screenshot step to redact before storage.
Data residency
Independent deployments per region. Each region runs its own FlowGuard stack — catalog DB, tenant DBs, object storage, all inside the jurisdictional boundary. There is no cross-region replication, by design.
Default region is East US. EU (West Europe) is available on Business and Enterprise; UK and AU available on Enterprise. Tenants are pinned to a region at signup and stay there — a request that lands on the wrong deployment receives HTTP 421 Misdirected Request with an X-FlowGuard-Region-Endpoint header pointing at the correct URL. Defense in depth even if DNS were misrouted.
AI calls go to the same region as your tenant via Pintor Project's private Azure AI Foundry — no public Anthropic API, no model training on your data, no fallback to a different geography. If you bring your own AI endpoint (Enterprise), residency is governed entirely by your endpoint.
Roles
Five built-in roles. Custom roles are on the Enterprise roadmap.
| Role | Capability |
|---|---|
| Owner | Full control. Manage billing, identity, all applications, all team members. Receives expiry warnings + payment-failure alerts. |
| Admin | Manage applications, flows, integrations, and team members. No billing. |
| Tester | Create and edit flows, run them, review results. Cannot change integrations or invite members. |
| Viewer | Read-only — flows, runs, dashboards. Default role for SCIM-provisioned users until an Owner promotes them. |
| Agent | Service identity used by the FlowGuard CLI. Scoped to a single application; cannot log into the dashboard. |
| Scim | Service identity used by external IdPs to provision/deprovision users. Only callable on /scim/v2/Users. |
| PlatformAdmin | Cross-tenant ops role for FlowGuard staff — issues licenses, manages catalog. Not granted to customer users. |
Audit log
Every privileged action is logged with actor email, role, timestamp, client IP, user agent, and JSON details. Tracked actions include: flow create/edit/delete, team-member add/remove/role-change, ticket-integration config save, license issue/revoke/reload, SSO config change, SCIM token create/revoke, billing checkout/portal. Logs live in the tenant database — Owners view them at /api/v1/audit.
SIEM export: streamed CSV or NDJSON at GET /api/v1/audit/export?from=…&to=…&format=csv. Every export ends with a sentinel trailer line so consumers can detect mid-stream truncation. Ingest into Splunk HEC, Datadog log intake, Sentinel, or S3 with your existing tooling. Export is gated by the audit.export license feature (included in Enterprise).
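The following is an added example of a consumer for the NDJSON export above, not FlowGuard's own code: it refuses to treat an export as ingested unless the sentinel trailer is present and its count matches, and it picks out the tracked actions a SOC would alert on. The field names, the action identifiers, the trailer shape and the sample records are all constructed assumptions, since the page does not document the export format.

```python
import json

# Action identifiers are constructed for this example from the tracked actions
# the page lists; the real export's field names and values are assumptions.
HIGH_RISK_ACTIONS = {"sso_config_change", "scim_token_create",
                     "scim_token_revoke", "team_member_role_change"}
# The page promises a sentinel trailer line but does not document its shape;
# this example assumes a final object {"_sentinel": "end", "count": N}.
SENTINEL_KEY = "_sentinel"


def parse_export(lines):
    """Parse NDJSON export lines into (events, complete). complete is True only
    when the trailer was reached and its count matches the events read."""
    events, complete = [], False
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if SENTINEL_KEY in rec:
            complete = rec.get("count") == len(events)
            break  # nothing valid follows the trailer
        events.append(rec)
    return events, complete


def high_risk(events):
    """Events from the export that a SOC would alert on immediately."""
    return [e for e in events if e.get("action") in HIGH_RISK_ACTIONS]


# Constructed sample export: three events plus the assumed trailer.
SAMPLE_EXPORT = "\n".join([
    '{"ts":"2024-05-01T10:00:00Z","actor":"alice@example.com","role":"Owner",'
    '"ip":"203.0.113.7","action":"flow_create","details":{"flow":"login-smoke"}}',
    '{"ts":"2024-05-01T10:05:00Z","actor":"bob@example.com","role":"Admin",'
    '"ip":"203.0.113.9","action":"team_member_role_change",'
    '"details":{"member":"carol@example.com","from":"Viewer","to":"Admin"}}',
    '{"ts":"2024-05-01T10:07:00Z","actor":"alice@example.com","role":"Owner",'
    '"ip":"203.0.113.7","action":"scim_token_create","details":{}}',
    '{"_sentinel":"end","count":3}',
])

if __name__ == "__main__":
    events, complete = parse_export(SAMPLE_EXPORT.splitlines())
    print(f"complete={complete} events={len(events)} high_risk={len(high_risk(events))}")
    # A stream cut off before the trailer must not be marked as ingested.
    print("truncated:", not parse_export(SAMPLE_EXPORT.splitlines()[:2])[1])
```

If the trailer is missing or its count disagrees, re-request the same from/to window rather than advancing your ingestion checkpoint.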
Retention follows your run history: 7 days on Free, 90 days on Pro, 1 year on Business, custom on Enterprise. The catalog DB records (cross-tenant ops like license issuance) are retained for the life of the deployment.
Compliance
See the Compliance page for the full posture. Short version:
- SOC 2 alignment: controls implemented (audit log, least-privilege roles, secret management, encryption at rest + in transit, change tracking via Git + Dependabot + CodeQL). Type I readiness assessment with a third-party platform is scheduled; we don't claim certification until the report is in our hands.
- GDPR: EU residency via independent EU deployment, Standard Contractual Clauses in our DPA, sub-processor list on the privacy page.
- No public AI inference: Claude runs on Pintor Project's private Azure AI Foundry — no public Anthropic API, no model training on your data.
- Self-hosted for the strictest cases: customers under regulations that bar third-party processors deploy the same code on their own infrastructure via Helm or Terraform — see Deployment.
Reporting a vulnerability
Email security@flowguardians.com. We acknowledge within one business day, triage within three. Safe harbor for good-faith research is offered for any issue reported here before public disclosure.