Skip to content
FLOWPILOTS

SECURITY

Locked down, and honest about it

The cockpit reads work you care about, so its security posture is written down where you can read it. Everything below is what exists today, not what is planned.

Organizational practices

FlowPilots is founder-led. Exactly one person holds production access, and production credentials live in a managed vault, never on disk and never in the repository.

Secret scanning runs before every commit; dependency versions are locked by the lockfile and updated deliberately.

There is no SOC 2 badge here, because none has been earned yet. A formal certification program starts when the team grows; until then this page lists what actually exists.

Encryption and isolation

Data is encrypted in transit (TLS) and at rest in the database.

Every organization is isolated at the database layer, and database tests assert that isolation on every table.

Your data is never sold, never shared for advertising, and never used to train any model.

The approve gate and the audit trail

Nothing that acts outside the cockpit runs without your in-app approval: no send, no post, no settings change. Approvals are per-action and never generalized.

Every account action is logged today; when agent actions ship they land on the same immutable trail, with the tool, its inputs, and the covering approval attached.

You can disconnect any connection instantly, and disconnecting purges what it ingested.

Prompt-injection defense

Content read from a connected tool is data, never instructions. It travels in a separate channel from the instructions the cockpit runs on, and every item carries a record of where it came from.

Reading untrusted content can never by itself invoke an action: every write requires a fresh approval that only you can mint from the app.

Inbound connector content is screened for instruction-like payloads on ingest; anything flagged is quarantined with the reason recorded, never acted on.

Credentials and secrets

FlowPilots never sees or stores your passwords or 2FA codes for connected tools. Sign-in to each tool happens with the provider, and the cockpit holds only tokenized references it can revoke.

Connectors are read-only wherever the job allows and request the narrowest scope that works.

The vendors under the cockpit

Vercel hosts the application. Supabase runs the Postgres database. When AI processing ships, it runs on Anthropic's API under FlowPilots' own server-side keys, and your data is never used for training.

Cloudflare Turnstile screens the waitlist form for bots. Proton handles company email.

Sentry (errors) and PostHog (product telemetry) run only where we have turned them on.

Found a weakness?

Good-faith security research is welcome. The scope, the rules, and the safe harbor are in the responsible disclosure policy, and reports go to security@flowpilots.io.