Security & Trust Center

Your financial data is protected at every layer

FlowSense is built with enterprise-grade security from day one. We handle financial data with the highest standards of encryption, access control, and privacy — and we will never use your data to train AI models.

TLS 1.3 Encryption
SOC 2 Infrastructure
Zero Data Training
GDPR Ready
PCI DSS Billing

AI & Your Data — Our Guarantee

What happens when Claude AI analyzes your financial data

What we DO
  • Your financial data is sent to Anthropic's Claude API solely to generate your insights and responses
  • All API calls are encrypted in transit using TLS 1.3
  • Data is processed ephemerally — Anthropic does not retain API inputs/outputs beyond the request
  • You can delete all your data at any time from your account settings
  • We only request the minimum financial data needed to generate your requested analysis

What we NEVER do
  • Use your financial data to train AI models — ever
  • Share your data with other FlowSense customers
  • Sell your data to third parties or data brokers
  • Store raw AI conversation data beyond 90 days
  • Allow Anthropic to use your data for model training (covered by their API terms)
  • Access your accounting software without your explicit authorization

Anthropic API Data Policy

FlowSense uses Anthropic's Claude API (not their consumer products). Under Anthropic's API Terms of Service, data submitted via the API is not used to train or improve their models. Your financial data is processed to generate your requested analysis and is not retained by Anthropic beyond the immediate API call. See Anthropic's Privacy Policy for full details.

Encryption & Data Protection

Your data is encrypted everywhere, all the time

In Transit

All data is encrypted using TLS 1.3 between your browser, our servers, and every third-party service we use.

At Rest

Your database is hosted on Supabase with AES-256 encryption at rest. OAuth tokens are additionally encrypted with your account's unique key.

OAuth Tokens

QuickBooks and Xero access tokens are individually encrypted using AES-256-GCM before storage. We never store your accounting credentials.

Infrastructure & Certifications

We build on providers with industry-leading compliance

Vercel: SOC 2 Type II

Our application is hosted on Vercel's edge network, which is SOC 2 Type II certified. Automatic HTTPS, DDoS protection, and global redundancy are included.

Supabase: SOC 2 Type II

Your financial data is stored in Supabase's PostgreSQL infrastructure, which is SOC 2 Type II certified and runs on AWS with automated backups.

Clerk: SOC 2 Type II

Authentication, session management, and user identity are handled by Clerk, which is SOC 2 Type II certified. We never store or handle your passwords.

Stripe: PCI DSS Level 1

All payments are processed by Stripe, a payment processor certified at PCI DSS Level 1, the highest level. FlowSense never touches your credit card data.


Access Control & Authentication

  • Multi-factor authentication (MFA) available via Clerk
  • Role-based access control — admin, member, and viewer roles
  • Session tokens expire automatically — no indefinite sessions
  • All API endpoints require authenticated sessions
  • OAuth integrations use short-lived tokens with automatic refresh
  • Webhook endpoints verified via HMAC signatures
  • Cron jobs protected by signed secrets
  • Rate limiting on all public endpoints

Privacy & Compliance

Your rights and our obligations

Your Rights

  • Access all data we hold about you at any time
  • Export your data in JSON format from your account settings
  • Request complete deletion of your account and all associated data
  • Revoke access to QuickBooks or Xero at any time
  • Opt out of AI digest emails in notification preferences

Our Practices

  • Data minimization — we only collect what is necessary
  • Transaction data retained for 90 days by default (configurable)
  • No third-party advertising or tracking pixels
  • GDPR-compliant data processing for EU customers
  • CCPA-compliant for California residents

Found a security issue?

We take security reports seriously. If you discover a vulnerability, please disclose it responsibly and we will respond within 24 hours. We do not pursue legal action against good-faith security researchers.

security@flowsense.app
Last reviewed: March 2026