Security & Trust

Last Updated: April 20, 2026

FlowGuard monitors water-leak incidents at properties 24/7. That means we hold operational data on behalf of our customers — property addresses, contact phone numbers and emails, sensor telemetry, incident timelines, and response records. We treat that data with the same seriousness your property managers expect from their insurance and accounting systems.

This page is the honest, specific version of our security posture — no jargon, no vague "bank-grade encryption" claims. If something is in progress, we say so. If you want the technical deep dive before a contract, email mazen@flowguardprotection.com and we'll walk through any specific area.

Infrastructure

FlowGuard runs on established, enterprise-grade cloud providers. We do not operate our own servers.

  • Application hosting: Vercel (SOC 2 Type II certified). Our customer dashboards, APIs, and public status page run on Vercel's edge network.
  • Database & authentication: Supabase (SOC 2 Type II certified), which runs Postgres on AWS. Customer data lives in a US-region Postgres instance with automatic daily backups.
  • Sensor telemetry ingestion: The Things Network for LoRaWAN uplinks — our sensors transmit over licensed LoRaWAN frequencies to ISP-independent gateways.
  • Error tracking: Sentry (SOC 2 Type II certified). We capture production exceptions to respond to bugs faster; no customer PII is sent to Sentry.
  • Alert delivery: Twilio for SMS and voice, Resend for email.

Encryption

  • In transit: All customer-facing endpoints enforce TLS 1.3. HTTP requests are redirected to HTTPS; HSTS is enabled.
  • At rest: Database and object storage are encrypted at rest by Supabase (AES-256).
  • Sensor uplinks: Encrypted end-to-end between the sensor and our ingestion endpoint via LoRaWAN's built-in session keys (AppSKey/NwkSKey).
  • Secrets: API keys, database credentials, and third-party tokens are stored in Vercel and Supabase environment-variable vaults, never committed to source control.

Authentication & Access Control

  • Passwordless sign-in: Customer portal access uses email-link authentication (no reusable passwords to steal).
  • Role-based access: Six roles (property manager, asset manager, regional manager, installer, ops manager, super admin) with row-level security enforced at the database layer — a property manager cannot query another property's data even with valid credentials.
  • Internal access: Only the founder and explicitly-granted operators can view customer data, through an audited admin surface.
  • MFA (two-factor authentication): Available on request today, rolling out as a standard option for all customers in 2026.
  • SSO / SAML: Available on enterprise contracts. Email us for Okta / Azure AD / Google Workspace configuration.
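
As an added illustration (not FlowGuard's actual schema or policies), this is roughly what tenant isolation through row-level security looks like on Supabase Postgres, followed by an audit query for tables left unprotected. The table, column and policy names are hypothetical; auth.uid() and the authenticated role are the ones Supabase provides.

```sql
-- Hypothetical schema: table, column and policy names are assumptions.
-- auth.uid() and the "authenticated" role are Supabase built-ins.
CREATE TABLE property_members (
    user_id     uuid NOT NULL,
    property_id uuid NOT NULL,
    role        text NOT NULL CHECK (role IN (
        'property_manager', 'asset_manager', 'regional_manager',
        'installer', 'ops_manager', 'super_admin')),
    PRIMARY KEY (user_id, property_id)
);

CREATE TABLE incidents (
    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    property_id uuid NOT NULL,
    opened_at   timestamptz NOT NULL DEFAULT now(),
    summary     text
);

-- With RLS enabled and no matching policy, every row is denied by default.
-- FORCE subjects the table owner to the policies as well.
ALTER TABLE property_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE incidents        ENABLE ROW LEVEL SECURITY;
ALTER TABLE incidents        FORCE ROW LEVEL SECURITY;

-- The incidents policy reads property_members as the calling user, so that
-- table needs its own policy or the EXISTS below never matches.
CREATE POLICY members_read_own ON property_members
    FOR SELECT TO authenticated
    USING (user_id = auth.uid());

-- A signed-in user sees only incidents for properties they are assigned to.
CREATE POLICY incidents_read_assigned ON incidents
    FOR SELECT TO authenticated
    USING (EXISTS (
        SELECT 1
        FROM property_members m
        WHERE m.property_id = incidents.property_id
          AND m.user_id = auth.uid()));

-- Audit check: list public tables that still have RLS switched off.
SELECT c.relname AS table_without_rls
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT c.relrowsecurity;
```

Roles with the BYPASSRLS attribute, such as Supabase's service_role, skip these policies, so keys for such roles belong only in server-side code.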

Monitoring & Incident Response

We don't just monitor your properties — we monitor ourselves.

  • Synthetic probes: Every 15 minutes, an automated probe fires through the full alerting pipeline (uplink ingest → incident creation → alert fanout → resolution) to verify it works end-to-end. Results are published at status.flowguardprotection.com.
  • Background-job health: Every scheduled job (monthly reports, escalation timers, dry-confirmation resolution) reports liveness to an internal health table. A meta-check every 15 minutes pages the on-call engineer via SMS if any job goes silent.
  • Error alerting: Sentry is configured with three alert rules (high-volume errors, new-issue first occurrence, regression) that email the on-call engineer in real time.
  • Incident response: For platform outages, we follow a documented response process — identify, mitigate, notify affected customers, post-mortem. The public status page shows historical uptime.

Data Handling

  • Data residency: All customer data is stored in the United States.
  • Retention: Incident records are retained for 12 months for analytics and customer reporting. Contact information is retained for the duration of the service agreement. Upon termination, data is retained for 90 days before permanent deletion, unless longer retention is required by law.
  • Deletion: Customers can request deletion of specific records or a full account wipe by emailing mazen@flowguardprotection.com.
  • No ads, no selling data: We do not sell, rent, or share customer data with any third party for marketing or advertising purposes. Ever.
  • Logs & metrics: Application logs contain operational context but are PII-redacted before being shipped to Sentry.

Subprocessors

FlowGuard uses the following subprocessors to deliver the service. All are contractually obligated to protect customer data with the same standards we commit to.

Provider             Purpose                                   Region
Supabase             Database, auth, storage, edge functions   US
Vercel               Application hosting, edge delivery        Global edge (US-origin)
Twilio               SMS and voice alert delivery              US
Resend               Transactional email delivery              US
Sentry               Error tracking (PII-redacted)             US
The Things Network   LoRaWAN sensor uplink ingestion           US

We'll notify customers in advance of material changes to this list.

Compliance

  • SOC 2 Type II: Evidence collection in progress. Our infrastructure providers (Supabase, Vercel, Sentry) are already SOC 2 Type II certified.
  • GDPR & CCPA: We respect data-subject rights regardless of where a customer is based. Access, correction, and deletion requests go to mazen@flowguardprotection.com.
  • DPA (Data Processing Agreement): Available on request. See our DPA summary for terms.

Responsible Disclosure

If you believe you've found a security vulnerability in FlowGuard, please report it to mazen@flowguardprotection.com. We'll confirm receipt within 48 hours and keep you informed as we work on a fix.

Please do not publicly disclose until we've had a reasonable opportunity to address the issue. We appreciate the help.

Contact

FlowGuard Asset Protection

Security & compliance inquiries: mazen@flowguardprotection.com

Public status page: status.flowguardprotection.com