Security at Flowqen

Your form data is sensitive. Here's exactly how we protect it — no vague promises, just specifics.

Infrastructure

  • Hosted on Vercel's edge network with automatic DDoS protection
  • MongoDB Atlas with encryption at rest (AES-256) and in transit (TLS 1.2+)
  • All API traffic served over HTTPS — HTTP is automatically redirected
  • Automated daily backups with point-in-time recovery
  • Infrastructure deployed across multiple availability zones

Application Security

  • Passwords hashed with bcrypt (12 rounds) — never stored in plain text
  • JWT-based authentication with short-lived tokens and secure HttpOnly cookies
  • CSRF protection on all state-changing endpoints
  • Rate limiting on authentication and submission endpoints
  • Input validation and sanitization on all API inputs
  • CORS configured per form to prevent unauthorized cross-origin requests

Spam & Abuse Protection

  • Cloudflare Turnstile integration (privacy-friendly CAPTCHA alternative)
  • Honeypot fields for invisible bot detection
  • Configurable rate limits per form
  • File upload validation (type, size, count limits)

Data Privacy

  • We do not sell or share your submission data with third parties
  • Submission data is only sent to integrations you explicitly configure
  • Form owners can delete individual submissions or entire forms at any time
  • Account deletion removes all associated data
  • Optional password-protected forms for sensitive data collection

Access Controls

  • Role-based access: Owner, Admin, Member roles per organization
  • API keys scoped per user with revocation support
  • Agency accounts with isolated client workspaces
  • Audit-ready submission logs with timestamps

Compliance

  • GDPR-ready: data export, deletion, and consent mechanisms
  • CCPA-compliant: honors Do Not Sell requests
  • Data Processing Agreement (DPA) available for Business plans
  • Cookie-free form endpoints — no tracking cookies set on respondents

Responsible Disclosure

Found a security vulnerability? Please email us at security@flowqen.com. We take every report seriously and will respond within 48 hours.
