Security

Built for companies that take data seriously

FlorioIn runs on a multi-tenant architecture isolated row-by-row, with encryption in transit and at rest, audit logs by default, and a public compliance roadmap kept current on this page.
SOC 2 Type II (in progress · Q3 2026) · GDPR-compliant · HIPAA-ready · ISO 27001 (evaluating) · CCPA-compliant
Architecture

Row-level isolation. No shared schemas, no shared queries.

Every query runs in a session whose tenant_id was set at authentication, and Postgres enforces it through a row-level security policy on every tenant table. If an API path omits the tenant predicate, the policy still filters the rows to that tenant, and a regression test that attempts a cross-tenant read fails the build in CI.

  • Single Postgres DB with RLS per table
  • tenant_id set on auth, not in queries
  • Automated tests verify `SET ROLE other_tenant` returns no rows
  • Immutable per-tenant audit log — append-only on separate partition
security/architecture
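As an added illustration of the isolation model described above (example code, not FlorioIn's own schema): the `auth.tenant_id()` function named on this page reads a per-session setting that the auth layer populates after verifying the token, the policy applies that tenant on every read and write, and the test at the end shows a query with no tenant predicate still returning only the caller's rows. The role name `app_user`, the setting name `app.tenant_id`, the `documents` table, and the two UUIDs are assumptions for the example; it also assumes the connecting user is a member of `app_user` and is not a superuser (superusers bypass RLS).

```sql
-- Added example, not FlorioIn's schema. Assumed names: schema auth,
-- role app_user, GUC app.tenant_id, table documents.
CREATE SCHEMA IF NOT EXISTS auth;

-- Reads the tenant set at authentication. The "true" (missing_ok) flag
-- makes the function return NULL instead of raising when nothing was
-- set, so a request without tenant context sees zero rows, not all rows.
CREATE OR REPLACE FUNCTION auth.tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.tenant_id', true), '')::uuid
$$;

CREATE TABLE documents (
  id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id uuid NOT NULL DEFAULT auth.tenant_id(),
  title     text NOT NULL
);

-- ENABLE turns RLS on; FORCE applies it to the table owner too, so an
-- ownership mistake cannot silently switch the policy off.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- USING filters SELECT/UPDATE/DELETE; WITH CHECK rejects an INSERT or
-- UPDATE that would place a row under another tenant.
CREATE POLICY tenant_isolation ON documents
  USING (tenant_id = auth.tenant_id())
  WITH CHECK (tenant_id = auth.tenant_id());

CREATE ROLE app_user NOLOGIN;   -- ordinary role: RLS applies to it
GRANT USAGE ON SCHEMA auth TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;

-- Append-only audit table in the same spirit as the page's bullet:
-- app_user may only INSERT and SELECT; UPDATE/DELETE/TRUNCATE are not granted.
CREATE TABLE audit_log (
  id        bigint GENERATED ALWAYS AS IDENTITY,
  tenant_id uuid NOT NULL DEFAULT auth.tenant_id(),
  at        timestamptz NOT NULL DEFAULT now(),
  actor     text NOT NULL,
  action    text NOT NULL,
  PRIMARY KEY (id, at)
) PARTITION BY RANGE (at);
CREATE TABLE audit_log_2026 PARTITION OF audit_log
  FOR VALUES FROM ('2026-01-01') TO ('2027-01-01');
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;
CREATE POLICY audit_isolation ON audit_log
  USING (tenant_id = auth.tenant_id())
  WITH CHECK (tenant_id = auth.tenant_id());
GRANT SELECT, INSERT ON audit_log TO app_user;

-- Regression test as one transaction (assumed tenant UUIDs).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (title) VALUES ('tenant A doc');

-- The API "forgot" the predicate: no WHERE tenant_id = ... here, yet the
-- policy supplies it and only tenant A's row comes back (count = 1).
SELECT count(*) FROM documents;

-- Same unfiltered query under tenant B's context returns 0 rows.
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM documents;

-- Writing a row into tenant A from B's context is rejected by WITH CHECK
-- ("new row violates row-level security policy"), aborting the transaction.
INSERT INTO documents (tenant_id, title)
  VALUES ('11111111-1111-1111-1111-111111111111', 'smuggled');
ROLLBACK;
```

The check a practitioner would add to this test is that the application connection really is a non-superuser, non-owner role: RLS is skipped for superusers and for roles with the BYPASSRLS attribute, and without FORCE it is also skipped for the table owner, so a migration that creates tables as the application user would quietly defeat the policy.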
Six pillars

Defense in depth — from the row to the cert

    Multi-tenant with RLS

    Every company has row-level isolation in Postgres. No query crosses the tenant perimeter — verified by automated tests that run on every deploy.

    row_security · auth.tenant_id() · audit trail

    Encryption in transit and at rest

    TLS 1.3 for all HTTP traffic. AES-256-GCM for data on disk with keys rotated quarterly. Backups encrypted with separate keys.

    TLS 1.3 · AES-256-GCM · KMS rotation

    SSO + SCIM

    Google Workspace, Microsoft 365, Okta, Azure AD. Automatic user provisioning on enterprise plans, with bi-directional sync.

    SAML 2.0 · OIDC · SCIM 2.0

    Immutable audit logs

    Every action that touches customer data is logged with actor, resource, IP, timestamp, and diff. Exportable to CSV or via signed webhook to your SIEM.

    Append-only · 365-day retention · Splunk / Datadog compatible

    Data residency

    US-East by default. EU-West for clients who require it (GDPR). No cross-region transfers without your explicit consent.

    us-east-1 · eu-west-1 · pending: sa-east-1 (Q4)

    Compliance roadmap

    SOC 2 Type II in progress (initial audit Q3 2026). HIPAA-ready for healthcare. ISO 27001 evaluation underway.

    SOC 2 · HIPAA · ISO 27001 · GDPR · CCPA
Engineering practices

How each release gets built.

    Mandatory code reviews

    Every PR requires approval from at least one senior engineer; hotfixes may bypass review only with an explicitly documented exception. Force-push to main is disabled.

    SAST on every PR

    Semgrep + CodeQL run in GitHub Actions before merge. Custom rules for RLS anti-patterns, tenant_id leaks, and secrets in code.

    Nightly DAST

    OWASP ZAP scans staging nightly with different auth roles. High+ severity findings auto-open a ticket in < 1 hour.

    Audited dependencies

    Dependabot + Snyk monitor CVEs. Critical patches in < 24h, high in < 7 days. Zero deps without license review.

    Zero secrets in repo

    TruffleHog + GitHub secret scanning block pushes with tokens. All secrets in Vault with automatic quarterly rotation.

    Safe releases

    Canary deploys with feature flags + rollback in < 60s. Each release ships a signed changelog with SBOM (Software Bill of Materials).

AI privacy

Your data doesn't train public models.

We use foundation models through enterprise contracts (OpenAI, Anthropic, Google) with contractual guarantees: your data is not used to train public models. All prompts and responses live in your tenant, audit-logged and deletable on demand.

  • No training on your data — contractually guaranteed
  • Prompts and responses live in your tenant, never cross-tenant
  • Deletable on demand via API or from the dashboard
  • Optional auto-redaction of PII before LLM call
  • Audit log of every Co-Pilot prompt and response
  • Opt-out at workspace, team, or individual user level
Your data, your controls

Things you can do without asking support.

    Export anytime

    Button at /settings/data → ZIP with JSON + attachments of everything in the workspace. No tickets, no 30-day waits, no data held hostage to retention terms.

    Delete on demand

    Hard delete in < 24h. Soft delete with 7-day recovery window for accidents. Backups purge in < 30 days.

    Configurable retention

    Per workspace: define how long logs, AI prompts, and files live. Default 365 days for logs, 90 for AI prompts. Your call.

    Invite controls

    Domain restriction, MFA required, invite expiration. Owner approves every new external domain.

Security calendar

How we test ourselves — and who else gets to test us.

    Quarterly

    Internal pentest

    In-house security team + external consultant. Findings with severity > medium are published on this site in < 30 days.

    Annual

    Independent external pentest

    CREST-accredited firm with OSCP-certified testers. Public executive report; technical report under NDA for customers.

    Continuous

    Bug bounty

    Private HackerOne program with public scope. Bounties from $250 USD (low) to $10,000 USD (critical RCE / RLS bypass).

    Every release

    Threat modeling for critical changes

    PRs touching auth, RLS, billing, or AI go through threat-model review before merge. Documented at /docs/security.

Shared responsibility model

What we handle, what's yours.

    Infrastructure
    FlorioIn: Hosting, OS patches, network firewalls, DDoS protection
    Your team: (no responsibilities listed)

    Application
    FlorioIn: Secure code, dependency scans, annual pentests
    Your team: Configure SSO, roles and permissions

    Data
    FlorioIn: Encryption, backups, audit logs
    Your team: Decide what data to load and retention per workspace

    Identity
    FlorioIn: MFA, SCIM, SAML provisioning
    Your team: Manage access and review who enters the workspace

    Compliance
    FlorioIn: Certifications, DPA, reports
    Your team: Comply with regulations specific to your industry

Incident response

Documented runbook, 24/7 on-call with a 24-hour notification SLA, public post-mortems for impactful incidents, and a single email (incidents@florioin.com) that opens a ticket in our tracker.

Sub-processors

Public list maintained on this site: AWS (hosting), OpenAI/Anthropic/Google (Co-Pilot under enterprise contract), Resend (email), Cloudflare (CDN/WAF). 30-day notification before adding a new one.

Need SOC 2, a DPA, or a security questionnaire?

On-demand trust center — we send the latest report, fill questionnaires, and sign DPAs by email.

security@florioin.com
Ready to start

Ready to accelerate your business?

Request access today. We'll set you up within 24 hours.

Live in < 24 h · Assisted migration · Cancel anytime