Security

Governance

Our Security and Privacy teams establish robust policies and controls, diligently monitor adherence to these controls, and provide evidence of our security and compliance to auditors from third-party entities.

Our policies are rooted in the following fundamental principles:

01. Flowis adheres to a strict access control policy that ensures access is granted solely to individuals with a valid business requirement, following the principle of least privilege.

02. We follow a comprehensive security approach based on the principle of defense-in-depth, which entails the implementation and layering of multiple security controls.

03. We maintain a consistent application of security controls across all areas of the enterprise, ensuring a uniform and comprehensive approach to security.

04. The implementation of controls at Flowis is an iterative process, continuously evolving to enhance effectiveness, increase auditability, and minimize friction across all dimensions.

Security and Compliance

Flowis Maintains Compliance With

Data Protection

Securing Data at Rest

All datastores containing customer data, including Azure Storage, are encrypted at rest to ensure heightened security. In addition, sensitive collections and tables employ row-level encryption.

This robust encryption approach ensures that data is encrypted prior to database storage, rendering both physical and logical access insufficient for accessing the most sensitive information.

Protecting Data in Transit

Flowis utilizes TLS 1.2 or higher for all data transmissions across potentially insecure networks to ensure robust security. We further employ features like HSTS (HTTP Strict Transport Security) to enhance the protection of our data during transit. The management of server TLS keys and certificates is entrusted to Azure, and they are deployed through Application Load Balancers.

Secret Management

Flowis leverages the robust security features of Microsoft Azure to ensure the protection of your sensitive data. Our encryption key management follows best practices: keys are securely stored within Azure’s Key Vault, ensuring a separation of roles and restricted access. Meanwhile, Azure seamlessly handles internal secret keys, guaranteeing the encryption, storage, and protection of data, passwords, and databases. Access to these encrypted values is strictly controlled and limited to authorized individuals.

Product Security

Penetration Testing

We are dedicated to upholding the highest standards of security. As part of our commitment, we conduct thorough annual penetration testing. This proactive approach allows us to meticulously evaluate our systems for vulnerabilities, ensuring that any potential weaknesses are promptly identified and addressed. 

These assessments cover all aspects of the Flowis product and cloud infrastructure, with testers having full access to the source code. This comprehensive approach maximizes effectiveness and coverage.

We will provide summarized penetration test reports through our Trust Report, offering transparency and insights into our security practices, upon its acquisition.

Vulnerability Scanning

Flowis mandates vulnerability scanning at critical stages of our Secure Development Lifecycle (SDLC):

Static analysis (SAST) testing of code during pull requests and on an ongoing basis.

Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain.

Malicious dependency scanning to prevent the introduction of malware into our software supply chain.

Dynamic analysis (DAST) of running applications.

Network vulnerability scanning on a periodic basis.

External attack surface management (EASM) continuously running to discover new external-facing assets.

Enterprise security

Endpoint Protection

Flowis ensures that all corporate devices are centrally managed and equipped with mobile device management software and anti-malware protection. We maintain 24/7/365 monitoring of endpoint security alerts. Our use of MDM software enforces secure configurations on endpoints, including disk encryption, screen lock configuration, and software updates.

Secure Remote Access

Flowis ensures secure remote access to internal resources by utilizing a VPN tunnel. Internal resources are limited to development purposes only, and Flowis runs its production environment and stores customer data on the secured Microsoft Azure cloud.

Security Education

We prioritize comprehensive security training for all employees during onboarding and annually through educational modules available on the Flowis platform. New employees are required to attend a live onboarding session focusing on key security principles, while new engineers receive a mandatory session on secure coding principles and practices. Our security team shares regular threat briefings to keep employees informed about important security updates and actions that require attention.

Identity and Access Management

Flowis relies on Office365 for secure identity and access management. We enforce the use of phishing-resistant authentication factors, primarily utilizing 2FA. Application access is granted based on employee roles and automatically revoked upon termination. Additional access requires approval according to specific application policies.

Vendor Security

Flowis employs a risk-based approach to vendor security. Factors such as access to customer and corporate data, integration with production environments, and potential impact on the Flowis brand influence the inherent risk rating of a vendor. Once the inherent risk rating is determined, we evaluate the vendor’s security to establish a residual risk rating and make an informed approval decision.

Data Privacy

Data privacy takes precedence as a top priority.
We are dedicated to being trustworthy stewards of all sensitive data, ensuring its protection and privacy.

Privacy Shield

Flowis values privacy by design.

Regulatory Compliance

Flowis constantly evaluates regulatory and emerging frameworks to evolve our program.

Terms and Conditions

View Flowis’ Terms and Conditions 

Need to Report a Security Concern?

Please contact us at Flowis’ Contact Page