Flowtrace is a company analytics tool which integrates with other communication and collaboration tools such as Slack, Google Workspace, Microsoft Graph, Jira and GitHub to name a few.

This document will outline on high level how your data is managed by Flowtrace:

Security of your data is our priority. We strive and continually improve to maintain industry-leading security and privacy practices. If you have any specific concerns beyond the scope of this page, please contact us at support@flowtrace.co

Flowtrace conducts an audit annually to maintain all compliance related standards. To find out more about this and GDPR compliance please contact us.

Flowtrace infrastructure is provided by Amazon Web Servers (AWS), You can read more details relating to AWS security, compliance and privacy here.

We know who your users are and when they access our platform

We use Auth0 to provide us with highest grade security and functionality to authenticate our user to our platform. You can access further security and compliance information from their website. Auth0 provides us with SSO capabilities via 3rd party people directories you control.

You can elect to use Google as an authentication provider via Auth0 to ensure your user access is always up to date with your corporate policies.

You can elect to use Slack as an authentication provider via Auth0 to ensure your user access is always up to date with your corporate policies.

You can elect to use Microsoft as an authentication provider via Auth0 to ensure your user access is always up to date with your corporate policies.

Access to our platform is secured with AWS Cognito. All traffic to our platform, and client information databases requires an authenticated user via Auth0, federated to AWS Cognito Federated Identity pools. These identities are used to ensure no-one can access our APIs without secure authentication session. This ensures our security is layered and protected in most robust scenarios protected by best in class authentication mechanisms.

Wherever possible, we use OAuth 2.0 to access data from your integrations – it’s a widely accepted standard flow for securing authorizing 3rd-parties such as Flowtrace to access your data in other SaaS tools. Generally, this means that you may revoke our access to your data from those tools at any time.

Access to our production infrastructure is tightly restricted to senior personnel, who must have strong passwords and utilize Multi-Factor Authentication.

All data is encrypted at rest. This service is provided and managed by AWS DynamoDB. This applies to all our backups which are managed by AWS Backup.

All data you exchange with Flowtrace is transmitted over SSL. Data we collect from 3rd-party services on your behalf is also fetched/received over SSL (when available).

If you have any concern about how we secure a specific data source, please contact us via support@flowtrace.co

We don’t read your email! Wherever possible, we only analyze meta-data about your work – not the content of the work itself. This means, for example, that for a Google Drive file, we store data such as the title and who edited it, but not the content of the file itself. Thus if our systems were ever compromised, your work content would remain secure – as we never store a copy of the work.

This is the same for meetings, chat communication and other collaboration through digital tools, we do not store the contents of any private communication.

Our application is architected to run on top of platform-as-a-service infrastructure. We deploy our application as small bundle of source code and configuration files into sandboxed container that are distributed across standardized, hardened virtual machines. The containers and virtual servers are maintained and operated by Amazon Web Servers (AWS). This greatly limits potential intrusion points. You aren’t depending on us to keep components such as kernels, web-servers, packages, etc up-to-date with the latest security patches – trust is provided by AWS.

We use Stripe for all payments and subscriptions to the Flowtrace platform. Stripe is a certified PCI Level 1 Service Provider, to process payments you make through Flowtrace. We don’t retain any customer payment information.

All source code that processes your data is subject to review, requiring sign-off from a platform developer before it can be deployed into our production environment. We operate distinct production, staging, and development stacks of infrastructure, to enable robust testing of our application before it touches your data.

At Flowtrace the security is built into our software development process. Every time we undertake a project, extend a feature, fix defects, an assessment of the security implications and risks are undertaken. You can contact us for further information about our SSDLC via support@flowtrace.co.

The Flowtrace platform undergoes regular security, vulnerability, and automated testing, at the application and infrastructure-levels. The security, privacy, and risk assessment is incorporated into our secure software development lifecycle (SSDLC).

We use automated scanning tools to continually scan our application for potential vulnerabilities. We seek for leaked secrets, vulnerabilities, 3rd party library vulnerabilities and do this at the deployment time, and in real time in our cloud environment.

More information relating to our testing may be obtained via support@flowtrace.co.

We perform annual internal audits for compliance with our security policies, data piracy and procedures. These audits drive continuous improvement in our practices.

If you require any additional information on our data and security practices, please contact us via support@flowtrace.co

Last updated
​
6th November 2023