Security

Built secure from the ground up

Security is not an afterthought at FlowXIQ. Every layer of the platform — from how passwords are stored to how API credentials are encrypted — is designed to protect your business data.

Last reviewed: July 1, 2025
FlowXIQ enforces encryption at every layer: in transit (TLS 1.3), at rest (AES-256 + Turso storage encryption), and for all sensitive credentials stored in the database.

Core Security Measures

How we protect your data

These are the specific technical controls we apply to every FlowXIQ account and workspace.

AES-256 Encryption for POS Credentials (AES-256-GCM)

All POS API keys, tokens, and credentials stored in FlowXIQ are encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in authenticated Galois/Counter Mode) before being written to the database. Decryption occurs only in memory at the moment of use, and only within authenticated, authorized server-side operations.

bcrypt Password Hashing (12 Rounds)

User passwords are never stored in plaintext or with reversible encryption. We use bcrypt with a work factor of 12 rounds, which produces a salted, adaptive hash resistant to brute-force and rainbow table attacks. Even in the event of a database breach, passwords cannot be recovered.

Encrypted Session Cookies (HttpOnly · Secure)

Authentication sessions are stored in encrypted, signed HTTP-only cookies. The cookie payload contains only a session identifier — no user data. Cookies are flagged HttpOnly (inaccessible to JavaScript), Secure (HTTPS only), and SameSite=Lax to prevent CSRF attacks.

HTTPS-Only via Vercel (TLS 1.3)

All traffic to and from FlowXIQ is encrypted in transit using TLS 1.2/1.3 enforced by Vercel's global edge network. HTTP connections are automatically redirected to HTTPS. We support HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.

Database Encryption at Rest (Turso / LibSQL)

All data stored in Turso (LibSQL) is encrypted at rest using industry-standard encryption at the storage layer. This means that even physical access to the underlying storage infrastructure would not expose readable data without the encryption keys.

No Plaintext Sensitive Data (Zero Plaintext)

FlowXIQ enforces a strict no-plaintext policy for all sensitive values. POS API credentials, passwords, and session tokens are never logged, exist in plaintext only transiently in process memory at the moment of use (never in environment variables or other runtime-accessible strings), and are never transmitted unencrypted. Server logs are scrubbed of sensitive fields.


Infrastructure

Secure by design

Our infrastructure choices are intentional security decisions, not just technical defaults.

Vercel Edge Network

Deployed on Vercel's globally distributed infrastructure with automatic DDoS mitigation, edge caching, and WAF (Web Application Firewall) capabilities.

Turso Distributed Database

Turso provides a distributed SQLite database with replication, point-in-time recovery, and storage-level encryption. Data is replicated across regions for resilience.

Environment Isolation

Production, staging, and development environments are fully isolated with separate credentials, databases, and access controls. No production data is used in testing.

Dependency Auditing

We run automated dependency vulnerability scanning on every build and regularly audit our npm dependency tree for known CVEs.


Our Commitments

What we will never do

These are absolute commitments, not just policy statements.

  • Store passwords in plaintext or with reversible encryption
  • Log POS API credentials, tokens, or session keys
  • Transmit sensitive data over unencrypted connections
  • Share your order data or business data with third parties for advertising
  • Use your Customer Data to train AI/ML models
  • Access your account or data without your explicit authorization or a valid legal order

Vulnerability Reporting

Responsible Disclosure

We welcome security researchers and members of the public to responsibly disclose any security vulnerabilities they discover in FlowXIQ. We take all reports seriously and commit to:

  • Acknowledge your report within 2 business days
  • Investigate and respond with our findings within 10 business days
  • Keep you informed of our remediation progress
  • Credit you (if desired) in our security acknowledgments upon fix
  • Not pursue legal action for good-faith security research

Please do not exploit vulnerabilities to access or modify data beyond what is needed to demonstrate the issue. Do not perform automated scanning at scale or conduct denial-of-service testing against production systems.


Report a Security Issue

Found a vulnerability or security concern? Please report it privately to our security team. We review all reports and respond promptly.

security@flowxiq.com

For general support inquiries, please use the contact form instead.