Last updated: 4 June 2026
Security is foundational to Flomate. This page summarises the controls we use to protect your workspace and data. To report a vulnerability, email support@flomate.io.
Data is encrypted in transit using TLS. Sensitive secrets and credentials are stored encrypted at rest. Our mobile app supports certificate pinning for additional transport protection.
Flomate enforces granular role-based access control (RBAC) with row-level data scoping: users see only the records their role permits (own, team, or all). Permission changes take effect for active sessions, and sensitive actions are role-gated end to end.
Every workspace is logically isolated. All data access is scoped to your tenant and enforced on every request, so one customer can never read another customer's data.
Security- and compliance-relevant actions are recorded in an append-only audit log with per-entity history and a tamper-evident hash chain. Administrators can review and export the audit trail.
Customer data is hosted on infrastructure located in India. We maintain regular backups and follow operational practices designed to protect availability and integrity.
We support strong password policies, two-factor authentication (2FA), short-lived access tokens with refresh-token rotation, and session revocation. Failed-login throttling helps protect against brute-force attempts.
We welcome reports from security researchers. If you believe you've found a vulnerability, please email support@flomate.io with details and steps to reproduce. Please act in good faith and avoid privacy violations or service disruption while testing.