How we protect customer audit data, who we share it with, and where we are on our independent-assurance roadmap. This page is updated as the underlying controls change — every claim here corresponds to code that ships in our production environment today, unless explicitly marked as roadmap.
Time-based one-time codes (TOTP) with single-use bcrypt-hashed backup codes. Compatible with any authenticator app.
12-character minimum, 3-of-4 character classes, common-password blocklist, and a no-personal-information rule. NIST 800-63B aligned.
5-attempt threshold, 15-minute cooldown. Every attempt is logged with IP and user agent and surfaced to tenant admins.
30-minute idle timeout, 12-hour absolute cap. Session cookies carry HttpOnly + Secure + SameSite=Lax in production.
Enterprise customers can restrict sign-ins to corporate networks or VPN ranges. Off by default; opt-in per workspace.
Every privileged action is recorded into an append-only log with a SHA-256 hash chain. Silent DB-level tampering becomes detectable.
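As an added illustration (not AuditFlow's code; the record fields, canonical serialisation and genesis value are assumptions), a minimal SHA-256 hash-chain writer and verifier showing why an in-place edit to a logged row is detected, and why the chain head should also be anchored outside the database, since a chain truncated at the tail still verifies on its own:

```python
import hashlib
import json

# Constructed sample of privileged actions. The schema (seq, actor, action,
# target) is assumed for illustration and is not AuditFlow's real table layout.
ENTRIES = [
    {"seq": 1, "actor": "admin@example.test", "action": "role.grant", "target": "user:42"},
    {"seq": 2, "actor": "admin@example.test", "action": "export.users", "target": "workspace:7"},
    {"seq": 3, "actor": "auditor@example.test", "action": "finding.delete", "target": "finding:19"},
]

GENESIS = "0" * 64  # prev_hash of the very first entry (assumed convention)


def canonical(entry: dict) -> bytes:
    # Deterministic serialisation so writer and verifier hash identical bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, entry: dict) -> str:
    # Each entry's hash is bound to its predecessor's hash, forming the chain.
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


def build_chain(entries):
    # Append-time view: store prev_hash and entry_hash alongside each record.
    chained, prev = [], GENESIS
    for e in entries:
        h = link_hash(prev, e)
        chained.append({**e, "prev_hash": prev, "entry_hash": h})
        prev = h
    return chained


def verify_chain(chained, expected_head=None):
    # Recompute every link. Returns (True, None) or (False, seq_of_first_bad_row);
    # (False, None) means the rows are self-consistent but the head does not match
    # the externally stored anchor, which is how a truncated or rebuilt chain is caught.
    prev = GENESIS
    for rec in chained:
        body = {k: v for k, v in rec.items() if k not in ("prev_hash", "entry_hash")}
        if rec["prev_hash"] != prev or link_hash(prev, body) != rec["entry_hash"]:
            return False, rec["seq"]
        prev = rec["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, None
    return True, None
```

Periodically copying the latest entry_hash to a store the database writer cannot reach (a ticketing system, object lock bucket, or customer-visible digest) is what turns the chain from tamper-evident-within-the-table into tamper-evident overall.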
TLS 1.2+ on every endpoint, HSTS with a 1-year max-age, strict Content-Security-Policy, and a deny-by-default permissions policy.
Daily digest to the workspace owner when we detect lockouts, IP-enumeration sweeps, or distributed brute-force patterns.
Self-serve admin export of every field we hold about a user, and one-click anonymisation that preserves history under redacted placeholders.
In the interest of transparency: we do not yet hold any independent assurance reports, and we'd rather show you where we are than overclaim.
Controls foundation in place — access management, audit logging, change management documented. Auditor selection in progress.
ISMS scope and statement of applicability drafted. Combined gap assessment alongside SOC 2 audit.
Currently single-region. Saudi / UAE / EU data residency available for enterprise tier on request.
These are the third parties who process customer data on our behalf. We will notify customers of any addition to this list with 30 days' advance notice.
| Provider | Purpose | Data hosted | Region |
|---|---|---|---|
| Render | Web application hosting + managed Postgres | All tenant data at rest | US East |
| OpenAI | AI-generated risk / finding / recommendation drafts | Audit content sent only when AI features are invoked | Multi-region (opt-out of training) |
| SMTP provider | Outbound system mail (activation, reset, distribution) | Recipient addresses + message bodies | Provider region |
If you believe you have found a vulnerability in AuditFlow, please email info@audit-flow.net. We aim to acknowledge within one business day. We do not currently operate a public bug-bounty programme but we credit responsible disclosure in this page's changelog.