Professional-grade security
Your data security is our top priority. We implement industry-standard security measures to protect your business and your customers' information. All data is hosted in Germany within the European Union on Hetzner infrastructure.
Data protection
Encryption at Rest
Database volumes are encrypted at rest at the infrastructure layer. Sensitive credentials and payment tokens are additionally encrypted at the application layer before storage.
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.3 with modern cipher suites.
OAuth 2.0 Authentication
We use industry-standard OAuth 2.0 with Google, Facebook, and Apple for secure authentication. No passwords stored.
JWT Token Security
Access tokens expire after 1 hour. Refresh tokens are rotated on each use and can be revoked instantly.
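One way to implement the token lifecycle described above, shown as an added example rather than clientflow's own code: HMAC-signed access tokens with a 1-hour expiry, plus opaque refresh tokens that are consumed on every use (so a replayed one is rejected) and can be revoked immediately. The TokenService class, its in-memory store and the injectable clock are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

ACCESS_TTL = 3600  # access tokens expire after 1 hour, as stated above


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class TokenService:
    """Hypothetical server-side token service (not clientflow's code):
    HMAC-signed access tokens and single-use, server-tracked refresh tokens."""

    def __init__(self, key: bytes, clock=time.time):
        self.key = key
        self.clock = clock        # injectable so expiry can be exercised in tests
        self.refresh = {}         # active refresh token -> user id

    def _sign(self, body: str) -> str:
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(mac)}"

    def issue(self, user_id: str) -> tuple:
        """Return (access_token, refresh_token) for a user."""
        claims = {"sub": user_id, "exp": int(self.clock()) + ACCESS_TTL}
        body = _b64(json.dumps(claims, separators=(",", ":")).encode())
        refresh_token = secrets.token_urlsafe(32)   # opaque, high-entropy
        self.refresh[refresh_token] = user_id
        return self._sign(body), refresh_token

    def verify_access(self, token: str):
        """Return the user id for a valid, unexpired access token, else None."""
        body, _, _ = token.rpartition(".")
        if not body or not hmac.compare_digest(self._sign(body), token):
            return None   # tampered or wrong key
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        return claims["sub"] if claims["exp"] > self.clock() else None

    def rotate(self, refresh_token: str):
        """Exchange a refresh token for a new pair. The old token is removed
        first, so presenting it again (replay) fails. None if unknown/revoked."""
        user_id = self.refresh.pop(refresh_token, None)
        return None if user_id is None else self.issue(user_id)

    def revoke(self, refresh_token: str) -> None:
        self.refresh.pop(refresh_token, None)   # takes effect on the next use
```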
Infrastructure Security
Hosted on Hetzner in Germany. Hetzner data centres are ISO 27001 certified and provide enterprise-level physical security and DDoS mitigation at the network edge.
Database Backups
PostgreSQL backups are taken before every production deployment and migration. Backups are stored on protected volumes and retained for rapid rollback.
Security practices
Error Monitoring
Application errors and failed authentication attempts are logged and monitored via Sentry to detect anomalies early.
Regular Updates
Dependencies and systems are regularly updated to address security vulnerabilities and maintain best practices.
Access Controls
Per-user data isolation and role-based access control (RBAC) ensure team members only access data necessary for their role.
Internal Code Review
Code changes go through internal security review with automated tooling (Bandit, dependency scanning) before release.
Compliance & certifications
GDPR Compliant
- Data processing agreements
- Right to access & deletion
- Data portability
- Breach notification
PCI DSS
- Secure payment processing via iyzico
- No card data stored
- Tokenised transactions
- Fraud protection
Incident response
Our commitment
In the unlikely event of a security incident affecting your data, we commit to:
- Notifying affected users within 72 hours of discovery
- Providing clear information about what data was affected
- Taking immediate steps to contain and remediate the incident
- Conducting thorough post-incident reviews
Report a vulnerability
We appreciate responsible disclosure. If you discover a security vulnerability, please report it to us at contact@clientflow.centre.
We will acknowledge receipt within 24 hours and work with you to understand and address the issue promptly.