FluxiSign in

Security Overview

Last updated: 2026-04-17

1. Infrastructure

  • Hosting: cloud infrastructure hosted in the European Union on SOC 2 Type II certified providers.
  • Data residency: customer data is stored within the EU. Limited data may be processed outside the EU by AI providers under appropriate safeguards (see Sub-processors below).
  • Backups: automated backups with point-in-time recovery.

2. Encryption

  • In transit: all connections protected with modern TLS.
  • At rest: data encrypted using industry-standard algorithms.
  • Sensitive credentials: OAuth tokens and API keys are encrypted before storage.

3. Authentication and access control

  • Industry-standard authentication with secure session management.
  • Passwords protected with modern password hashing.
  • Role-based access control (owner, admin, member, viewer).
  • Multi-factor authentication available.

4. Multi-tenant isolation

Fluxi enforces strict tenant isolation at the database level. Every request is automatically scoped to the authenticated user's workspace. Cross-tenant data access is prevented by design.

5. Sub-processors

Fluxi uses a limited set of sub-processors for infrastructure, AI processing, and email delivery. The up-to-date list is provided to customers under our Data Processing Agreement (DPA) and is available on request at security@fluxilabs.com.

Transfers to sub-processors located outside the EEA are protected by Standard Contractual Clauses (SCCs). We notify customers of material changes to the sub-processor list at least 30 days in advance.

6. Integration security

  • All third-party integrations use OAuth 2.0 where available.
  • OAuth tokens and API keys are encrypted and scoped per user and workspace.
  • Integrations request only the minimum permissions required.
  • Users can revoke access at any time.

7. Application security

  • Input validation on all endpoints.
  • Protection against common web vulnerabilities (OWASP Top 10).
  • Security headers and transport-layer protections.
  • Rate limiting on authentication and sensitive endpoints.
  • Regular dependency scanning and security reviews.

8. AI security

Fluxi's AI features are protected by dedicated controls over inputs and outputs to detect and prevent abuse, including content-injection attacks. Sensitive actions the AI can take are rate-limited and monitored. Controls apply consistently across any AI provider we use.

9. Monitoring and incident response

  • Continuous monitoring of errors and anomalies.
  • Security audit trail for platform activity; personal identifiers are not stored in clear text.
  • Incident response process with customer notification within 72 hours, in accordance with GDPR.
  • Periodic review and testing of security controls.

10. Data retention and deletion

  • Customer data retained for the duration of the account.
  • Account deletion triggers data removal within 30 days.
  • Security audit data retained for a limited period, then pruned.
  • Legal retention obligations (e.g., invoicing records) are preserved as required by law.

11. Compliance

  • GDPR (EU General Data Protection Regulation).
  • LOPDGDD (Spanish Data Protection Law).
  • Critical sub-processors hold SOC 2 Type II attestations.

12. Contact

For security questions, sub-processor list requests, or to report a vulnerability, email security@fluxilabs.com.