InFlow AI Legal

Security Overview

Last updated: March 1, 2026

Security is foundational to InFlow AI. We handle sensitive financial and personal data, and we design every layer of our infrastructure with security in mind.

1. Encryption

Data at Rest

  • All data encrypted using AES-256 encryption
  • Database-level encryption via Supabase (backed by AWS RDS)
  • Backup encryption with separate key management

Data in Transit

  • TLS 1.3 enforced on all connections
  • HSTS headers with minimum 1-year max-age
  • Certificate pinning for API communications

2. Access Control

  • Row Level Security (RLS) — enforced at the database level via Supabase. Each tenant can only access their own data.
  • API key hashing — all API keys are hashed with SHA-256 before storage. Raw keys are never stored.
  • Role-based access control (RBAC) — granular permissions for team members (Admin, Manager, Agent, Viewer)
  • Multi-factor authentication — available for all accounts

3. Audit Trail

Every action on the Platform is logged:

  • All debtor communications (sent, delivered, read, replied)
  • Invoice uploads, modifications, and status changes
  • User logins, permission changes, and API key usage
  • Data exports and deletions

Audit logs are immutable and retained for 7 years.

4. Data Residency

ComponentLocationProvider
Primary DatabaseEU (Frankfurt, eu-central-1)Supabase / AWS
Application HostingEU / US (edge)Vercel
File StorageEU (Frankfurt)Supabase Storage

5. Compliance Roadmap

  • ✅ UAE PDPL (Personal Data Protection Law) — compliant
  • ✅ GDPR — compliant for EU data subjects
  • 🔄 SOC 2 Type II — audit in progress, expected Q3 2026
  • 📋 ISO 27001 — planned for 2027

6. Incident Response

  • 72-hour notification — data breaches reported to affected parties and relevant authorities within 72 hours, as required by UAE PDPL and GDPR
  • Dedicated incident response team
  • Post-incident review and remediation within 30 days
  • Annual incident response drills

7. Vulnerability Management

  • Regular automated security scanning
  • Dependency vulnerability monitoring
  • Responsible disclosure program — report vulnerabilities to security@inflowai.ai

8. Infrastructure Security

  • DDoS protection via Vercel Edge Network
  • Rate limiting on all API endpoints
  • Network isolation between tenants
  • Automated backup with point-in-time recovery

9. Contact

For security questions, concerns, or to report a vulnerability: security@inflowai.ai