Built secure from the ground up
Security is not an afterthought at FlowXIQ. Every layer of the platform — from how passwords are stored to how API credentials are encrypted — is designed to protect your business data.
Last reviewed: July 1, 2025
How we protect your data
These are the specific technical controls we apply to every FlowXIQ account and workspace.
All POS API keys, tokens, and credentials stored in FlowXIQ are encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys) before they are written to the database. Decryption happens only in memory, at the moment of use, and only inside authenticated, authorized server-side operations; the plaintext is never persisted.
User passwords are never stored in plaintext or with reversible encryption. We use bcrypt with a work factor of 12 rounds, which produces a salted, adaptive hash resistant to brute-force and rainbow table attacks. Even if the database were breached, the hashes cannot be reversed; an attacker would have to guess each password individually, paying the full cost of the work factor for every guess.
Authentication sessions are carried in encrypted, signed cookies whose payload contains only a session identifier, never user data. The cookie is flagged HttpOnly (inaccessible to JavaScript), Secure (sent over HTTPS only), and SameSite=Lax (not sent on cross-site POST requests, which mitigates CSRF).
All traffic to and from FlowXIQ is encrypted in transit using TLS 1.2/1.3, enforced by Vercel's global edge network. HTTP connections are automatically redirected to HTTPS, and we send HSTS (HTTP Strict Transport Security) so that browsers refuse plain-HTTP connections on later visits, which defeats SSL-stripping downgrade attacks.
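The HSTS header as it would be configured on Vercel, as an added example (not FlowXIQ's actual configuration): Vercel performs the HTTP to HTTPS redirect itself, and the `headers` section of `vercel.json` attaches the policy to every response. The max-age value and the `includeSubDomains`/`preload` directives are assumptions.

```json
{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Strict-Transport-Security",
          "value": "max-age=63072000; includeSubDomains; preload"
        }
      ]
    }
  ]
}
```

Two caveats a deployer should check: the browser only learns the policy from a response it has already received over HTTPS, so the very first visit is unprotected unless the domain is on the HSTS preload list, and `includeSubDomains` commits every subdomain to HTTPS, so it should be enabled only once none of them still need plain HTTP.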
All data stored in Turso (LibSQL) is encrypted at rest using industry-standard encryption at the storage layer. This means that even physical access to the underlying storage infrastructure would not expose readable data without the encryption keys.
FlowXIQ enforces a strict no-plaintext policy for all sensitive values. POS API credentials, passwords, and session tokens are never logged, are held in memory only for as long as an operation needs them, and are never transmitted unencrypted. Sensitive fields are scrubbed from server logs before they are written.
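Scrubbing sensitive fields from logs has to catch both structured fields (a `password` or `api_key` property, under any spelling) and secrets that leak inside free text, such as a token in a URL or an Authorization header quoted in an error message. The following added example (not FlowXIQ's code) shows a scrubber applied to an event before it is serialized to a log line; the key list, the value patterns and the sample event are constructed for illustration.

```javascript
// Added example, not FlowXIQ's code: redact sensitive fields by key and mask
// credential-shaped values inside strings before an event reaches the log
// sink. The key list, value patterns and SAMPLE_EVENT are constructed.
const SENSITIVE_KEYS = new Set([
  'password', 'passwd', 'apikey', 'accesstoken', 'refreshtoken', 'token',
  'secret', 'clientsecret', 'authorization', 'cookie', 'setcookie', 'sessionid',
]);
const REDACTED = '[REDACTED]';

// "api_key", "api-key", "apiKey" and "API_KEY" all normalize to "apikey".
function normalizeKey(key) {
  return String(key).toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Secrets that leak inside strings: header values, query strings, key-prefixed
// credentials (the sk_/pk_ prefix format is an assumption for the example).
const VALUE_PATTERNS = [
  [/Bearer\s+[A-Za-z0-9._~+\/=-]+/g, `Bearer ${REDACTED}`],
  [/([?&](?:api_key|token|key)=)[^&\s]+/gi, `$1${REDACTED}`],
  [/\b(?:sk|pk)_(?:live|test)_[A-Za-z0-9]+/g, REDACTED],
];

function scrubString(s) {
  return VALUE_PATTERNS.reduce((acc, [re, rep]) => acc.replace(re, rep), s);
}

// Walks the event: sensitive keys are replaced whole, everything else is
// recursed into, strings are pattern-masked, scalars pass through.
function scrub(value, depth = 0) {
  if (depth > 20) return REDACTED; // guard against cyclic or absurdly deep objects
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map(v => scrub(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(normalizeKey(k)) ? REDACTED : scrub(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined
}

// What actually reaches the log sink: one scrubbed JSON line.
function toLogLine(event) {
  return JSON.stringify(scrub(event));
}

// Constructed sample event, not a real FlowXIQ log record.
const SAMPLE_EVENT = {
  level: 'error',
  msg: 'POS sync failed for https://pos.example/v1/orders?api_key=abc123&page=2',
  user: { id: 42, email: 'owner@example.com', password: 'hunter2' },
  request: {
    headers: { Authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig', 'X-Request-Id': 'r-1' },
  },
  pos: { provider: 'square', api_key: 'sk_live_abcDEF123', rows: 3 },
};
```

Redacting by key catches the predictable cases; the string patterns are the safety net for secrets that arrive embedded in messages, which is where most log leaks actually come from. Both lists need to be reviewed whenever a new credential type or upstream API is added.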
Secure by design
Our infrastructure choices are intentional security decisions, not just technical defaults.
Deployed on Vercel's globally distributed infrastructure with automatic DDoS mitigation, edge caching, and WAF (Web Application Firewall) capabilities.
Turso provides a distributed SQLite database with replication, point-in-time recovery, and storage-level encryption. Data is replicated across regions for resilience.
Production, staging, and development environments are fully isolated with separate credentials, databases, and access controls. No production data is used in testing.
We run automated dependency vulnerability scanning on every build and regularly audit our npm dependency tree for known CVEs.
What we will never do
These are absolute commitments, not just policy statements.
Responsible Disclosure
We welcome security researchers and members of the public to responsibly disclose any security vulnerabilities they discover in FlowXIQ. We take all reports seriously and commit to:
- ✓ Acknowledge your report within 2 business days
- ✓ Investigate and respond with our findings within 10 business days
- ✓ Keep you informed of our remediation progress
- ✓ Credit you (if desired) in our security acknowledgments upon fix
- ✓ Not pursue legal action for good-faith security research
Please do not exploit vulnerabilities to access or modify data beyond what is needed to demonstrate the issue. Do not perform automated scanning at scale or conduct denial-of-service testing against production systems.
Report a Security Issue
Found a vulnerability or security concern? Please report it privately to our security team. We review all reports and respond promptly.
security@flowxiq.com
For general support inquiries, please use the contact form instead.