How myflow protects customer data.

Hosting and network

myflow production workloads run in data centres located inside the European Union. We use Tier-3+ providers with redundant power, cooling and network paths, ISO 27001 certified at the facility level.

• All traffic to and from myflow is encrypted with TLS 1.2 or higher; HTTP requests are redirected to HTTPS at the edge.
• Customer data at rest is encrypted with AES-256 on managed storage volumes and object storage.
• Internal services communicate over a private network; databases are not exposed to the public internet.
• Cloudflare sits in front of our public surface for DDoS mitigation, WAF rules and bot management.

Access control

Production access is limited to a small number of named engineers on a least-privilege basis. Every administrative account is protected with multi-factor authentication; shared accounts are not used.

• Access is reviewed when team members join, change role or leave.
• Production credentials are stored in a centrally-managed secret manager, never in source control.
• SSH and database access goes through audited bastions; sessions are logged.
• Customer support agents do not have raw database access. Tools that allow viewing customer accounts for support purposes are scoped and audited.

Application security

Security is part of how myflow is built, not a layer bolted on afterwards.

• Dependencies are continuously scanned for known vulnerabilities; high-severity issues are patched on a defined SLA.
• Static analysis runs on every change, with security-relevant rules enabled.
• Authentication uses industry-standard password hashing; session tokens are rotated and bound to the user agent.
• We follow OWASP guidance for the common web vulnerability classes (XSS, CSRF, SSRF, injection, IDOR) and review for these during code review.

Vulnerability management

We welcome reports from security researchers. If you believe you've found a vulnerability in myflow, please email oliver@myflow.se. We'll acknowledge within two business days and keep you updated.

• Coordinated disclosure: we ask researchers to give us a reasonable window to fix issues before publishing.
• Out of scope: denial-of-service, social engineering of staff, physical attacks, and vulnerabilities in third-party software not configured by myflow.

Endpoint and people security

• Employee laptops are managed: full-disk encryption is enforced, screens auto-lock, and OS/patch levels are monitored.
• All employees and contractors with access to production sign a confidentiality agreement and complete security training on hire and annually thereafter.
• Background checks are conducted where legally permitted.

Incident response

We maintain a documented incident response process covering detection, triage, containment, eradication, recovery and post-incident review. Customers affected by a security incident involving their data will be notified without undue delay and given the information needed to meet their own regulatory obligations.

Logging and monitoring

• Application, infrastructure and access logs are centralised and retained for at least 30 days.
• Anomaly detection alerts on suspicious authentication patterns.
• Logs are stored separately from production with stricter access controls so a compromise of production does not erase the audit trail.