Security

Last updated: May 14, 2026

Security isn't a feature — it's a foundation. This page describes how we actually protect your data, not aspirations. If a statement on this page is incorrect, email security@fleqra.com and we'll fix it.

Infrastructure

  • Hosted on AWS (us-east-1) — EC2, Postgres, SES, S3, behind Caddy with auto-renewing Let's Encrypt certificates
  • HTTPS everywhere via TLS 1.3; HSTS preload with 1-year max-age + includeSubDomains
  • Daily encrypted database backups to AWS S3 with 90-day retention, server-side encryption (AES-256), and object versioning enabled
  • Live backup-recency monitoring — every health-check poll verifies the latest S3 backup is < 26 hours old; a stale snapshot flips the public status badge at fleqra.com/status before customers notice

Data encryption

  • In transit: All traffic encrypted via TLS 1.3
  • At rest: Database disk encrypted via AWS EBS encryption
  • OAuth tokens: Encrypted with AES-256-GCM before storage
  • Passwords: Hashed with bcrypt (cost factor 12, never stored in plain text)
  • Payment data: Never touches our servers — handled entirely by Stripe (PCI-DSS Level 1)

Access controls

  • Multi-tenant isolation at the database row level — every query is scoped to your workspace via a mandatory agencyId filter, enforced by Prisma model relationships, not just the UI
  • Role-based permissions (Owner, Admin, Manager, Member, Viewer) with a calibrated per-action role table — destructive operations (delete campaign, delete form, delete pipeline stage) require Manager or Admin
  • Session lifetime: 8-hour idle, refreshed every hour, JWT-based, signed with a server-side secret never exposed to clients
  • Session revocation: all active sessions for a user can be invalidated by setting tokensValidAfter on the server — no AUTH_SECRET rotation needed, no support-ticket loop
  • Email verification and password reset flows; reset tokens are SHA-256-hashed at rest and single-use
  • Brute-force protection: failed sign-ins capped at 5 per 15 minutes per (email, IP)
  • SSH access to production servers restricted to known IPs only

Application security

  • CSRF protection on all state-changing operations
  • Input validation with Zod schemas on every endpoint
  • Parameterized queries via Prisma (SQL injection prevention)
  • Content Security Policy + Strict-Transport-Security + X-Content-Type-Options + Referrer-Policy + Permissions-Policy on every response
  • Webhook signature verification for Stripe events; replays are idempotent via a WebhookEvent dedupe table
  • Per-route rate limiting on authenticated APIs (Postgres-backed, 60 req/min default with per-endpoint overrides)
  • Regular dependency updates and vulnerability scanning

Observability

  • Structured server-side logger with automatic PII redaction (passwords, tokens, secrets stripped from log lines)
  • Sentry-backed error capture for unhandled exceptions in routes, server components, and middleware
  • Public, machine-readable health endpoint at /api/health reporting database, configuration, and backup status with response times
  • E2E smoke tests covering the public surface (landing, pricing, status, login, health) — runnable against production at any time

Email security

  • Outbound email signed with DKIM and validated against SPF / DMARC
  • AWS SES configuration set with bounce and complaint handling
  • Auto-suppression of bounced or complained-about addresses
  • Custom MAIL FROM domain (mail-from.fleqra.com)

Compliance & portability

  • GDPR Article 15 data portability: one-click export of your entire workspace (agencies, members, contacts, deals, campaigns, audit log) as a structured JSON file. Sensitive material (password hashes, OAuth access/refresh tokens) is stripped before export.
  • CCPA rights respected (delete, access, do-not-sell)
  • Immutable audit log: every sign-in, billing event, and admin action writes a row to ActivityLog with the actor, action, and timestamp — reviewable under Settings → Audit log
  • AWS SOC 2 Type II certified infrastructure (hosting + email)
  • Stripe PCI-DSS Level 1 for payment processing

Incident response

If we discover a security incident affecting your data, we will notify affected users within 72 hours of confirmation, per GDPR requirements. We maintain runbooks for common incident scenarios.

Reporting vulnerabilities

Found a security issue? Email security@fleqra.com with details and a proof-of-concept if possible. We acknowledge reports within 2 business days and credit responsible reporters publicly with their permission.

Do not publicly disclose vulnerabilities until we have had reasonable time to fix them.

Contact

Security questions: security@fleqra.com