Security

Trust Center

FlowManual is a document analysis platform for construction contractors. We treat your contracts, quotes, and invoices as the sensitive business records they are. Your data is encrypted, scoped to your own account, and never used to train anyone’s models. This page describes what the product does today, with anything not yet in place marked as roadmap.


Encryption everywhere

  • In transit: All traffic runs over HTTPS with TLS 1.2 or higher. HTTP requests are redirected to HTTPS automatically, and HSTS is served so browsers only ever connect over a secure channel.
  • At rest: File bytes and sensitive database fields are encrypted with AES-256-GCM. Each file gets its own key and each record gets its own key, both derived per item with HKDF-SHA-256, so a single key never protects the whole store.
  • Searchable fields: Columns we need to look up by (such as names) use keyed HMAC blind indexes, so search works without storing the plain value in a searchable form.

Sign-in and access control

  • Sign in with Google or email and password. Passwords are hashed with scrypt (memory-hard, OWASP-recommended parameters) and are never stored in plaintext.
  • Optional two-step email verification. Turn on a one-time code sent by email for an extra check at sign-in. New browsers are recognized after the first verified sign-in, so you are not asked for a code every time on a device you already trust.
  • Brute-force protection. Sign-in attempts are rate limited per address, and an account locks for fifteen minutes after ten consecutive failures.
  • Role-based project access. Every project uses four roles: owner, admin, editor, and viewer. Access is checked on every request against the specific project.
  • Activity log. Analysis activity is recorded and viewable by administrators.

Roadmap: single sign-on (SAML) and directory-based provisioning.


Your data stays yours

Every read and every write is scoped to your account and your projects. One company’s documents are never visible to another. There is no shared workspace and no cross-tenant lookup.

When you run document analysis, only the extracted plain text is sent to the analysis provider, under a zero-retention, no-training policy. Your original files are never transmitted. We do not sell your data and we do not use your document content for advertising.


Infrastructure and subprocessors

The hosted service runs on a small, well-scoped set of providers. Each processes data only for the purpose listed below.

Provider       Purpose                                                    Region
DigitalOcean   Hosting and encrypted file storage                         United States
Anthropic      Text-only document analysis, zero retention, no training   United States
Resend         Transactional and verification email                       United States

Monitoring and activity logging

Before every document analysis call, we record an entry in a keyed activity log: the timestamp, the user, the document, the operation, the number of bytes sent, and a keyed HMAC-SHA-256 hash of the prompt. The hash lets the log be verified without storing the full prompt text, and the keyed signature makes entries tamper-resistant.
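The sketch below shows how a log entry of this shape can be built and checked. It is an added example, not FlowManual's code. The field names, the two demo keys, the canonical JSON encoding, and reading the "keyed signature" as an HMAC-SHA-256 over the entry are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys (assumption); real keys would come from a secret store.
PROMPT_KEY = b"demo-prompt-hash-key-000000000000"
ENTRY_KEY = b"demo-entry-mac-key-00000000000000"


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _canonical(fields):
    # Stable byte encoding so identical fields always yield the same MAC.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_entry(timestamp, user, document, operation, prompt):
    body = prompt.encode("utf-8")
    fields = {
        "timestamp": timestamp,
        "user": user,
        "document": document,
        "operation": operation,
        "bytes_sent": len(body),
        "prompt_hmac": _mac(PROMPT_KEY, body),  # the prompt text itself is not stored
    }
    # The entry MAC covers every field, so editing any of them invalidates it.
    return {**fields, "entry_mac": _mac(ENTRY_KEY, _canonical(fields))}


def verify_entry(entry, prompt=None):
    fields = {k: v for k, v in entry.items() if k != "entry_mac"}
    expected = _mac(ENTRY_KEY, _canonical(fields)).encode()
    if not hmac.compare_digest(expected, str(entry.get("entry_mac", "")).encode()):
        return False  # entry was altered or signed with a different key
    if prompt is None:
        return True
    # Optionally confirm that a candidate prompt is the one that was logged.
    body = prompt.encode("utf-8")
    if len(body) != fields.get("bytes_sent"):
        return False
    logged = str(fields.get("prompt_hmac", "")).encode()
    return hmac.compare_digest(_mac(PROMPT_KEY, body).encode(), logged)
```

A per-entry MAC like this detects edits to an entry; it does not by itself reveal that a whole entry was deleted.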

We collect no telemetry and run no tracking of any kind. There is no analytics vendor and no phone-home mechanism in the product.


Compliance roadmap

  • SOC 2 Type II: in progress.
  • Independent penetration test: scheduled.

We do not display badges or certifications we have not yet earned.


Reliability

Data is protected by encrypted backups with a defined recovery process. A public status page is planned.


Responsible disclosure

If you believe you have found a security issue, please report it to security@flowmanual.com. We will acknowledge your report and keep you updated as we investigate. Our contact details are also published at /.well-known/security.txt.


Request documentation

A security overview and our data processing terms are available on request. Email security@flowmanual.com and tell us what your review process needs.


Deployment options

Hosted cloud is the default and fits almost every customer. For organizations whose policy requires the software to run inside their own environment, a self-hosted deployment is available: the same product in a Docker container on your own server, with your files and encryption key staying on your infrastructure.