๐Ÿ›ก๏ธ Our Security Commitment

At FlowCMS, data security is not an afterthought: it is foundational to our architecture. We operate under a Privacy by Design and Security by Default philosophy, ensuring that every layer of our platform, from infrastructure to application logic, is engineered to protect your content and metadata.

We treat all customer data with the highest degree of care, implementing industry-leading practices to prevent unauthorized access, data loss, and system compromise. Our security posture is continuously audited, updated, and validated through third-party assessments.

๐Ÿ” Encryption & Data Protection

All data transmitted between your devices, APIs, and FlowCMS infrastructure is encrypted using TLS 1.3. We enforce strict transport security and support HSTS to prevent downgrade attacks.

At rest, all content, media assets, database records, and backup archives are encrypted using AES-256. Encryption keys are managed via dedicated HSM-backed key management services and are rotated on a regular schedule. We never use your data to train AI models or share it with third parties without your explicit consent.

Infrastructure Note: FlowCMS operates on isolated, hardened cloud environments with strict network segmentation. All API endpoints are protected against DDoS attacks via global edge filtering.

🔑 Access Control & Authentication

We enforce granular Role-Based Access Control (RBAC) across all team workspaces. Administrators can define custom roles with precise permissions for content creation, editing, publishing, and system configuration.

  • Multi-Factor Authentication (MFA): Enforced for admin accounts; recommended for all users. Supports TOTP, hardware keys, and WebAuthn.
  • SSO & SAML 2.0: Enterprise customers can integrate with Okta, Azure AD, OneLogin, and other identity providers.
  • Audit Logging: Every action within your workspace is logged immutably, including login events, content changes, role updates, and API usage.
  • IP Allowlisting: Restrict workspace access to approved IP ranges for enhanced network security.

๐Ÿ—„๏ธ Data Retention & Deletion Policy

FlowCMS retains your data only as long as necessary to provide services and comply with legal obligations. You maintain full ownership of your content and metadata.

Standard Retention Cycles

  • Active Data: Retained indefinitely while your account remains active.
  • Soft Deletes: Removed content stays in a 30-day recovery window before permanent deletion.
  • Backups: Incremental backups retained for 7 days, full backups for 30 days. Enterprise tier offers 90-day and 365-day backup retention options.
  • Account Closure: Upon cancellation, all data is scheduled for permanent deletion within 30 days. Expedited deletion is available upon request.

Data Portability: You can export your entire workspace (content, media, schemas, and configurations) at any time via our API or dashboard export tool. Formats include JSON, CSV, and XML.

✅ Compliance & Certifications

FlowCMS maintains rigorous compliance standards to meet global regulatory requirements and enterprise procurement policies.

SOC 2 Type II

Annually audited for security, availability, and confidentiality controls.

GDPR & CCPA

Fully compliant with data subject rights, DPA availability, and regional data residency options.

ISO 27001

Information Security Management System certified for systematic risk management.

HIPAA Ready

BAA available for covered entities requiring protected health information handling.

We publish our compliance reports and audit summaries privately to verified customers and partners upon request.

🚨 Incident Response & Transparency

FlowCMS operates a 24/7 Security Operations Center (SOC) with dedicated threat monitoring, anomaly detection, and automated incident response playbooks.

  • Detection & Containment: Automated systems isolate compromised components within minutes of threat identification.
  • Notification: Affected customers are notified within 24 hours of a confirmed data security incident via email and status dashboard.
  • Post-Mortem: Full incident reports, including root cause analysis and remediation steps, are published within 72 hours.
  • Bug Bounty: We maintain a responsible disclosure program for security researchers. Submissions are welcomed via our security contact.

📧 Security & Compliance Contact

For security inquiries, compliance documentation requests, or responsible vulnerability disclosures, please contact our dedicated security team:

  • Security Team Email: security@flowcms.io
  • Encryption Key Rotation Requests: support@flowcms.io
  • DPA & Compliance Portal: Available in your workspace under Settings → Compliance

We respond to security disclosures within 24 hours and prioritize critical vulnerabilities for immediate patching.