Security & Compliance

Last updated: May 24, 2026

Data Encryption

All data is encrypted both in transit and at rest:

  • In Transit: TLS 1.3 encryption for all connections between your browser/API client and our servers
  • At Rest: AES-256 encryption for all data stored in our PostgreSQL database (provided by Supabase)
  • API Keys: Hashed with SHA-256 and never stored in plaintext

Authentication & Access Control

We implement multi-layered access controls:

  • Per-Workspace API Keys: Each workspace can have multiple API keys with unique identifiers
  • Session Tokens: Securely issued upon login, with httpOnly and Secure flags
  • Row-Level Security: Database enforces that users can only access their own workspace data
  • Rate Limiting: API endpoints rate-limited to prevent abuse (free: 1,000 req/day, Pro: 10,000 req/day)

Infrastructure Security

FlautoPsy is hosted on industry-leading, SOC 2 Type II compliant providers:

  • Vercel: Application and API hosting (SOC 2 Type II, 99.99% uptime SLA)
  • Supabase: PostgreSQL database and authentication (SOC 2 Type II, auto-backups, replicas)
  • AWS: US-East-1 region with redundancy and disaster recovery
  • Cloudflare: DDoS protection and WAF (Web Application Firewall)

Both Vercel and Supabase maintain 99.9%+ uptime and undergo regular third-party audits.

Monitoring & Incident Response

We monitor the service 24/7 for security and reliability:

  • Error Tracking: Real-time error monitoring via Sentry to catch issues immediately
  • Security Monitoring: Automated scanning for known vulnerabilities and misconfigurations
  • Incident Response: 24-hour notification policy for security incidents affecting customer data
  • Backups: Automated daily backups with 30-day retention

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Report to: security@stralocroft.com
  • Response Time: We will acknowledge receipt within 24 hours and provide an update within 48 hours
  • Disclosure Policy: 90-day responsible disclosure window before public disclosure
  • No Legal Action: We will not pursue legal action against security researchers acting in good faith

Please do not publicly disclose vulnerabilities before giving us time to patch.

Compliance

We are committed to security and privacy compliance:

  • GDPR: Compliant with EU General Data Protection Regulation
  • CCPA: Compliant with California Consumer Privacy Act
  • SOC 2: Working toward SOC 2 Type I certification (target: [TODO: Q/month])
  • HIPAA: Not currently HIPAA-compliant; contact us if you need HIPAA BAA

Third-Party Security

We carefully vet all third-party services:

  • Stripe: PCI DSS Level 1 compliant (payment processing)
  • Slack: Enterprise-grade security (optional alert integration)
  • Sentry: SOC 2 compliant (error tracking)

All integrations are optional. You control what data is shared with third parties.

Security Best Practices

Recommendations for using FlautoPsy securely:

  • API Keys: Treat API keys like passwords. Rotate them regularly.
  • HTTPS: Always send webhook data to your FlautoPsy webhook URL over HTTPS (the URL begins with https://)
  • Secrets: Never include secrets, credentials, or sensitive data in traces
  • Access: Use team roles and permissions to limit who can view sensitive data
  • 2FA: Enable two-factor authentication on your account (coming soon)
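The recommendation above to keep secrets out of traces, as an added example that is not part of FlautoPsy's SDK: a scrubber to run over a trace payload before it leaves your process. The field-name list, the value patterns (bearer tokens, Stripe-style sk_live_/sk_test_ keys, PEM private keys, and an assumed fp_<id>_<secret> API key format) and the sample trace are all constructed here for illustration.

```javascript
// Added example (not FlautoPsy's SDK): redact credentials from a trace
// payload by field name and by value pattern before sending it.
// Patterns, key names and the sample trace are assumptions for illustration.
const REDACTED = "[REDACTED]";

// Any key containing one of these words is redacted wholesale (over-redaction
// is the safer default; "card_token" and "Authorization" both match).
const SENSITIVE_KEYS = /(authorization|cookie|passw|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)/i;

// Secrets that tend to appear inside free-text strings such as log lines.
const SENSITIVE_VALUES = [
  /\bBearer\s+[A-Za-z0-9._~+/=-]+/g,                     // HTTP bearer tokens
  /\bfp_[0-9a-f]{16}_[A-Za-z0-9_-]{43}/g,                // assumed API key format
  /\bsk_(live|test)_[A-Za-z0-9]+\b/g,                    // Stripe-style secret keys
  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
];

function scrubString(s) {
  return SENSITIVE_VALUES.reduce((acc, re) => acc.replace(re, REDACTED), s);
}

// Recursively copy `value`, redacting sensitive keys and in-string secrets.
// Returns a new structure; the input is not mutated.
function scrubTrace(value, depth = 0) {
  if (depth > 32) return REDACTED; // guard against pathological nesting
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubTrace(v, depth + 1));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.test(k) ? REDACTED : scrubTrace(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null and undefined pass through unchanged
}

// Constructed sample trace (not real data) showing the leaks this catches.
const SAMPLE_TRACE = {
  name: "checkout.charge",
  request: {
    headers: { Authorization: "Bearer eyJhbGciOi.fake.token", "Content-Type": "application/json" },
    body: { amount: 1999, currency: "usd", card_token: "tok_visa" },
  },
  config: { apiKey: "fp_0123456789abcdef_" + "x".repeat(43), timeoutMs: 5000 },
  log: "retrying with key sk_live_ABC123DEF456 after timeout",
};

function scrubbedSample() {
  return scrubTrace(SAMPLE_TRACE);
}
```

Run the scrubber in the SDK's send path, or as a processor in your error tracker's client, so that redaction happens on your side rather than relying on the receiving service to filter what it stores.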

Bug Bounty Program

We are developing a formal bug bounty program to reward security researchers. For now, please report vulnerabilities via responsible disclosure (see above). We will work with you to determine an appropriate reward.

Questions?

For security questions or concerns, email security@stralocroft.com.