Security
Governance
Our Security and Privacy teams establish robust policies and controls, diligently monitor adherence to these controls, and provide evidence of our security and compliance to auditors from third-party entities.
Our policies are rooted in the following fundamental principles:
01. Flowis adheres to a strict access control policy that ensures access is granted solely to individuals with a valid business requirement, following the principle of least privilege.
02. We follow a comprehensive security approach based on the principle of defense-in-depth, which entails the implementation and layering of multiple security controls.
03. We maintain a consistent application of security controls across all areas of the enterprise, ensuring a uniform and comprehensive approach to security.
04. The implementation of controls at Flowis is an iterative process, continuously evolving to enhance effectiveness, increase auditability, and minimize friction across all dimensions.
Security and Compliance
Flowis Maintains Compliance With
Data Protection
Securing Data at Rest
All datastores containing customer data, including Azure Storage, are encrypted at rest to ensure heightened security. In addition, sensitive collections and tables employ row-level encryption.
This robust encryption approach ensures that data is encrypted prior to database storage, rendering both physical and logical access insufficient for accessing the most sensitive information.
Protecting Data in Transit
Flowis utilizes TLS 1.2 or higher for all data transmissions across potentially insecure networks to ensure robust security. We further employ features like HSTS (HTTP Strict Transport Security) to enhance the protection of our data during transit. The management of server TLS keys and certificates is entrusted to Azure, and they are deployed through Application Load Balancers.
Secret Management
Flowis leverages the robust security features of Microsoft Azure to ensure the protection of your sensitive data. Our encryption key management follows best practices, securely stored within Azure’s Key Vault, ensuring a separation of roles and restricted access. Meanwhile, Azure seamlessly handles internal secret keys, guaranteeing the encryption, storage, and protection of data, passwords, and databases. Access to these encrypted values is strictly controlled and limited to authorized individuals.
Product Security
Penetration Testing
We are dedicated to upholding the highest standards of security. As part of our commitment, we conduct thorough annual penetration testing. This proactive approach allows us to meticulously evaluate our systems for vulnerabilities, ensuring that any potential weaknesses are promptly identified and addressed.
These assessments cover all aspects of the Flowis product and cloud infrastructure, with testers having full access to the source code. This comprehensive approach maximizes effectiveness and coverage.
We will provide summarized penetration test reports through our Trust Report, offering transparency and insights into our security practices, upon its acquisition.
Vulnerability Scanning
Flowis mandates vulnerability scanning at critical stages of our Secure Development Lifecycle (SDLC):
Malicious dependency scanning to prevent the introduction of malware into our software supply chain.
Dynamic analysis (DAST) of running applications.
Network vulnerability scanning on a periodic basis.
External attack surface management (EASM) continuously running to discover new external-facing assets.
Enterprise Security
Endpoint Protection
Flowis ensures that all corporate devices are centrally managed and equipped with mobile device management software and anti-malware protection. We maintain 24/7/365 monitoring of endpoint security alerts. Our use of MDM software enforces secure configurations on endpoints, including disk encryption, screen lock configuration, and software updates.
Secure Remote Access
Flowis ensures secure remote access to internal resources by utilizing a VPN tunnel. All internal resources are limited to development purposes only, and Flowis runs its production environment and keeps customer data on the secured Microsoft Azure cloud.
Security Education
We prioritize comprehensive security training for all employees during onboarding and annually through educational modules available on the Flowis platform. New employees are required to attend a live onboarding session focusing on key security principles, while new engineers receive a mandatory session on secure coding principles and practices. Our security team shares regular threat briefings to keep employees informed about important security updates and actions that require attention.
Identity and Access Management
Flowis relies on Office365 for secure identity and access management. We enforce the use of phishing-resistant authentication factors, primarily utilizing 2FA. Application access is granted based on employee roles and automatically revoked upon termination. Additional access requires approval according to specific application policies.
Vendor Security
Flowis employs a risk-based approach to vendor security. Factors such as access to customer and corporate data, integration with production environments, and potential impact on the Flowis brand influence the inherent risk rating of a vendor. Once the inherent risk rating is determined, we evaluate the vendor’s security to establish a residual risk rating and make an informed approval decision.
Data Privacy
Data privacy takes precedence as a top priority.
We are dedicated to being trustworthy stewards of all sensitive data, ensuring its protection and privacy.
Privacy Shield
Flowis values privacy by design.
Regulatory Compliance
Flowis constantly evaluates regulatory and emerging frameworks to evolve our program.
Terms and Conditions
View Flowis’ Terms and Conditions
Need to Report a Security Concern?
Please contact us at Flowis’ Contact Page