Flowtrace is a company analytics tool that integrates with communication and collaboration tools such as Slack, Google Workspace, Microsoft Graph, Jira and GitHub, to name a few.
This document outlines at a high level how your data is managed by Flowtrace:
Authentication - how we ensure your data is accessed only by people permitted to do so
Data security - how we ensure your data stays safe now and in the future
Risk management - how we build security and risk assessment into our day-to-day work
Compliance - how we demonstrate our commitment to protecting your data and our compliance with the relevant standards
Preface - Security of your data
Security of your data is our priority. We strive to maintain, and continually improve, industry-leading security and privacy practices. If you have any specific concerns beyond the scope of this page, please contact us at firstname.lastname@example.org
Flowtrace conducts an annual audit to maintain all compliance-related standards. To find out more about this and about GDPR compliance, please contact us.
We know who your users are and when they access our platform
Auth0 (by Okta) - Flowtrace's login provider
We use Auth0 to provide the highest-grade security and functionality for authenticating users to our platform. Further security and compliance information is available on their website. Auth0 provides us with SSO capabilities via 3rd-party people directories that you control.
Single sign-on with Google via Auth0 (SSO)
You can elect to use Google as an authentication provider via Auth0 to ensure your users' access is always up to date with your corporate policies.
Single sign-on with Slack via Auth0 (SSO)
You can elect to use Slack as an authentication provider via Auth0 to ensure your users' access is always up to date with your corporate policies.
Single sign-on with Microsoft via Auth0 (SSO)
You can elect to use Microsoft as an authentication provider via Auth0 to ensure your users' access is always up to date with your corporate policies.
AWS Cognito and Federated Identities
Access to our platform is secured with AWS Cognito. All traffic to our platform and to client information databases requires a user authenticated via Auth0 and federated into AWS Cognito Federated Identity pools. These identities ensure that no one can access our APIs without a secure authenticated session, giving us layered security backed by best-in-class authentication mechanisms.
OAuth2 Integration - Access to your data from 3rd parties
Wherever possible, we use OAuth 2.0 to access data from your integrations. It is a widely accepted standard flow for securely authorizing 3rd parties such as Flowtrace to access your data in other SaaS tools. In general, this means you can revoke our access to your data from within those tools at any time.
Access to our production infrastructure is tightly restricted to senior personnel, who must have strong passwords and use Multi-Factor Authentication.
Data Security - Encryption
All data is encrypted at rest; encryption is provided and managed by AWS DynamoDB. The same applies to all our backups, which are managed by AWS Backup.
Encryption in transit and HTTPS
All data you exchange with Flowtrace is transmitted over SSL. Data we collect from 3rd-party services on your behalf is also fetched or received over SSL (when available).
If you have any concerns about how we secure a specific data source, please contact us via email@example.com
Data Security - Data Privacy Best Practices
Limit processing to meta-data
We don’t read your email! Wherever possible, we only analyze meta-data about your work – not the content of the work itself. This means, for example, that for a Google Drive file, we store data such as the title and who edited it, but not the content of the file itself. Thus if our systems were ever compromised, your work content would remain secure – as we never store a copy of the work.
The same applies to meetings, chat and other collaboration through digital tools: we do not store the contents of any private communication.
Our application is architected to run on top of platform-as-a-service infrastructure. We deploy our application as a small bundle of source code and configuration files into sandboxed containers that are distributed across standardized, hardened virtual machines. The containers and virtual servers are maintained and operated by Amazon Web Services (AWS). This greatly limits potential intrusion points. You are not depending on us to keep components such as kernels, web servers, packages, etc. up to date with the latest security patches; that assurance is provided by AWS.
We don’t store sensitive payment information
We use Stripe for all payments and subscriptions to the Flowtrace platform. Stripe, a certified PCI Level 1 Service Provider, processes the payments you make through Flowtrace. We do not retain any customer payment information.
Separation of Responsibilities
All source code that processes your data is subject to review, requiring sign-off from a platform developer before it can be deployed into our production environment. We operate distinct production, staging, and development stacks of infrastructure, to enable robust testing of our application before it touches your data.
Secure Software Development Lifecycle
At Flowtrace, security is built into our software development process. Every time we undertake a project, extend a feature or fix a defect, we assess the security implications and risks. You can contact us for further information about our SSDLC via firstname.lastname@example.org.
Security, Audits and Testing
The Flowtrace platform undergoes regular security, vulnerability and automated penetration testing at the application and infrastructure levels. The security, privacy and risk assessment is incorporated into our secure software development lifecycle (SSDLC) and.
Enhanced Automated Security Scans
We use automated scanning tools to continually scan our application for potential vulnerabilities. We scan for leaked secrets, vulnerabilities and 3rd-party library vulnerabilities, both at deployment time and in real time in our cloud environment.
More information relating to our testing may be obtained via email@example.com.
We perform annual internal audits for compliance with our security policies, data privacy policies and procedures. These audits drive continuous improvement in our practices.
If you require any additional information on our data and security practices, please contact us via firstname.lastname@example.org
6th November 2023