Enterprise-grade security

Security at FiveFlow

Your data security is our top priority. We implement industry-leading security measures to protect your business and customer information.

CCPA Compliant
Google Cloud Infrastructure
Stripe PCI DSS
TLS 1.3 Encryption

How We Protect Your Data

Multiple layers of security at every level

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.

Infrastructure

Hosted on Google Cloud Platform with SOC 2 Type II and ISO 27001 certifications.

Access Control

Role-based access control (RBAC) with mandatory multi-factor authentication for all staff.

Monitoring

24/7 security monitoring, intrusion detection, and automated threat response.

Backups

Automated daily backups with point-in-time recovery. Backups are encrypted and geo-redundant.

Incident Response

Documented incident response procedures with 1-hour response SLA for critical issues.

Compliance & Certifications

Meeting the highest industry standards

US Privacy Laws (CCPA)

Compliant

Full compliance with California Consumer Privacy Act and US privacy regulations

Google API Policy

Compliant

Adherent to Google API Services User Data Policy

PCI DSS

Via Stripe

Payment processing handled by Stripe (PCI Level 1 certified)

Infrastructure Security

Google Cloud

Built on Google Cloud Platform (SOC 2, ISO 27001 certified)

GDPR

Ready

Data protection measures aligned with EU requirements

Data Encryption

Active

AES-256 at rest, TLS 1.3 in transit

Security Practices

Secure Development

  • Code reviews required for all changes
  • Automated security scanning in CI/CD
  • Dependency vulnerability monitoring
  • Regular penetration testing

Employee Security

  • Background checks for all employees
  • Security awareness training
  • Principle of least privilege
  • Secure workstation policies

Data Protection

  • Data classification and handling policies
  • Encryption key management
  • Secure data deletion procedures
  • Regular access audits

Data Retention

We only keep your data as long as necessary

Data Type | Retention Period
Account Information | Until account deletion + 30 days
Customer Data | Until you delete it or close account
Google Review Data | Synced from Google, deleted on disconnect
SMS/Email Logs | 90 days
Usage Analytics | 12 months (anonymized after)
Payment Records | 7 years (legal requirement)

Breach Notification

Our commitment to transparency in the unlikely event of a security incident

In the unlikely event of a data breach:

1. Immediate Containment
   We take immediate steps to contain and remediate the breach

2. 72-Hour Notification
   Affected users notified within 72 hours of discovery

3. Regulatory Reporting
   Report to relevant regulatory authorities as required by applicable law

4. Clear Communication
   Provide details on what data was affected and recommended actions

Google API Compliance

How we handle your Google Business data

Business Reviews

We read your Google Business reviews to display them in your dashboard and analytics. We never modify or delete reviews.

Reply Capability

With your permission, we can post review replies on your behalf. You always approve the reply content before it is posted.

Business Info

We access basic business info (name, address) to configure your review pages. We never modify your Google Business listing.

Google API Limited Use Disclosure

  • OAuth 2.0 authentication with AES-256-GCM encrypted token storage
  • Data is used only to provide review management features within FiveFlow
  • We do not sell, share, or transfer your Google data to any third party
  • All Google review data is deleted within 30 days of disconnecting your Google account

Responsible Disclosure Program

We welcome security researchers to report vulnerabilities responsibly. Valid reports are eligible for rewards up to $5,000.

Report a Vulnerability

security@fiveflow.io

Questions About Security?

Our security team is happy to answer questions and provide additional documentation.

Contact Security Team