Security Overview
Last updated: November 7, 2025
ContextFlo is designed so customer data remains in the customer’s environment. We orchestrate queries and metrics in your warehouse and retain only the minimum information required to operate the service—protected by strong encryption, OAuth-based authentication, and disciplined operational controls.
At a Glance
- Customer data minimized: Compute runs in your warehouse; we retain only derived results and metadata needed to operate ContextFlo.
- Credentials encrypted at rest: Warehouse credentials and OAuth tokens are encrypted with AES-256-GCM at the application layer before database storage.
- Modern authentication: Sign-in via OAuth with trusted identity providers; no plaintext passwords.
- HTTPS everywhere: All traffic to ContextFlo services is served over HTTPS through our managed hosting platform.
- Least privilege: Role-based access, restricted operator access, and centralized audit logging.
- Group/rule controls: Access decisions flow through org-specific groups that aggregate allow/deny rules per table, schema, or namespace (details at contextflo.com/docs/access-control).
Data Model & Protection
- Customer data stays in your environment. ContextFlo connects to your warehouse and executes work there. We only persist derived outputs and operational metadata required to run the product.
- What we store includes connection secrets (e.g., warehouse credentials, OAuth refresh tokens) needed to connect to your systems, configuration and metadata (integration settings, derived metric definitions, run status), and operational telemetry (service logs and health metrics) with sensitive fields redacted.
- Encryption at rest: All stored credentials and tokens are encrypted with AES-256-GCM at the application layer before they reach the database, using per-record IVs and versioned keys. Encrypted rows remain encrypted in backups.
- Encryption in transit: All communication between browsers, APIs, and services is over HTTPS, enforced by our managed hosting platform.
- Key management: Encryption keys are generated and stored within restricted infrastructure, accessible only to a small set of trusted operators. Keys are rotated manually on a defined schedule and on incident.
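One way application-layer AES-256-GCM with per-record IVs and versioned keys can be laid out, as an added example that is not ContextFlo's code. The record format, the `KEYRING` map, the function names, and binding the row ID as associated data are all assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed keyring for the example: version -> 32-byte key.
// In a real deployment the keys come from a restricted secret store.
const KEYRING = new Map([[1, crypto.randomBytes(32)], [2, crypto.randomBytes(32)]]);
const CURRENT_VERSION = 2;

// Assumed record layout: "v<version>.<iv>.<tag>.<ciphertext>" (base64url fields).
function encryptSecret(plaintext, recordId, version = CURRENT_VERSION) {
  const key = KEYRING.get(version);
  if (!key) throw new Error(`unknown key version ${version}`);
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every record
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  // Bind the ciphertext to its row and key version so it cannot be
  // copied onto another row or relabelled with a different version.
  cipher.setAAD(Buffer.from(`${recordId}|v${version}`));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const fields = [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64url"));
  return [`v${version}`, ...fields].join(".");
}

function decryptSecret(record, recordId) {
  const parts = record.split(".");
  if (parts.length !== 4) throw new Error("malformed record");
  const version = Number(parts[0].slice(1));
  const key = KEYRING.get(version);
  if (!key) throw new Error(`unknown key version ${parts[0]}`);
  const [iv, tag, ct] = parts.slice(1).map((p) => Buffer.from(p, "base64url"));
  // authTagLength: 16 rejects truncated tags instead of verifying fewer bytes.
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(`${recordId}|v${version}`));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag, IV, or associated data was altered.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Rotation: re-encrypt a record written under an older key version.
function rotate(record, recordId) {
  if (record.startsWith(`v${CURRENT_VERSION}.`)) return record;
  return encryptSecret(decryptSecret(record, recordId), recordId);
}
```

Because the key version travels with each record, old rows stay readable during a rotation and can be re-encrypted incrementally; the old key is retired only after no record carries its version.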
Authentication & Access Controls
- OAuth-based authentication: Users authenticate via OAuth with supported identity providers. We do not store or transmit plaintext passwords.
- Session security: Sessions are server-side and bound to HTTP-only cookies. Sensitive actions may require re-authentication.
- Authorization model: Each org defines access groups that own rules scoped to tables, schemas, or entire namespaces. Rules can ALLOW or DENY specific resources, with DENY always taking precedence.
- Evaluation: Users inherit the union of rules from every group they belong to; if no allow rule matches, the request is denied. Sensitive endpoints (credential management, schema browsing, query execution) all consult the same evaluator before returning data.
- Default patterns: Deployments typically keep a baseline allow-all group plus narrower groups that deny or re-allow specific datasets, making exceptions explicit without widening scope unintentionally.
- Enforcement surface: The web UI, APIs, and MCP server enforce the same rules so hidden tables never appear in autocomplete, responses, or LLM prompts. All policy edits are audited.
- Reference: The evaluator spec and operational runbook live at contextflo.com/docs/access-control so teams can review the full rule syntax without duplicating content here.
- Production access: Limited to named engineers using hardware-backed MFA; all access is logged centrally.
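The evaluation order described above (union of group rules, DENY precedence, default deny), as an added example that is not ContextFlo's evaluator. The rule shape, the dotted `namespace.schema.table` naming, and the sample groups are assumptions; the actual rule syntax is in the referenced documentation.

```javascript
// Added illustration; rule shape and resource naming are assumptions,
// not ContextFlo's rule syntax.

// A scope is a dotted path: "ns" (namespace), "ns.schema", or "ns.schema.table".
// Matching is per segment, so "analytics.pii" does not cover "analytics.pii_archive".
function scopeCovers(scope, resource) {
  const s = scope.split(".");
  const r = resource.split(".");
  return s.length <= r.length && s.every((part, i) => part === r[i]);
}

// Union of rules from every group the user belongs to.
function rulesFor(user, groups) {
  return groups
    .filter((g) => g.members.includes(user))
    .flatMap((g) => g.rules.map((rule) => ({ ...rule, group: g.name })));
}

// DENY wins regardless of rule order or specificity; no matching ALLOW means deny.
function evaluate(user, resource, groups) {
  const matching = rulesFor(user, groups).filter((r) => scopeCovers(r.scope, resource));
  const deny = matching.find((r) => r.effect === "DENY");
  if (deny) return { allowed: false, reason: `denied by ${deny.group}` };
  const allow = matching.find((r) => r.effect === "ALLOW");
  if (allow) return { allowed: true, reason: `allowed by ${allow.group}` };
  return { allowed: false, reason: "no matching allow rule" };
}

// Listings (autocomplete, schema browsing) go through the same evaluator.
function visibleTables(user, tables, groups) {
  return tables.filter((t) => evaluate(user, t, groups).allowed);
}

// Constructed sample policy and catalog.
const GROUPS = [
  { name: "baseline", members: ["ana", "raj"], rules: [{ effect: "ALLOW", scope: "analytics" }] },
  { name: "no-pii", members: ["raj"], rules: [{ effect: "DENY", scope: "analytics.pii" }] },
  { name: "pii-readers", members: ["raj", "lee"], rules: [{ effect: "ALLOW", scope: "analytics.pii.emails" }] },
];
const TABLES = ["analytics.sales.orders", "analytics.pii.emails", "finance.ledger.entries"];
```

With this policy, `raj` is denied `analytics.pii.emails` even though `pii-readers` allows it, because a DENY inherited from any group overrides every ALLOW; `lee` sees only that one table.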
Monitoring & Secure Operations
- Logging & alerts: Application and infrastructure logs stream to a central platform with detections for auth anomalies, webhook signature failures, and unusual error rates. Secrets (tokens, passwords) are redacted before ingestion.
- Release hygiene: Dependency scanning, automated tests, and code review precede releases; security fixes are prioritized by severity.
- Platform health: Uptime, job execution, and background tasks are continuously monitored with on-call paging for prolonged failures.
Vulnerability Management & Disclosure
- Continuous scanning: Automated dependency scanning (e.g., pnpm audit, Dependabot) runs continuously; critical findings are addressed promptly.
- External testing: ContextFlo will introduce regular third-party security testing as we expand the platform. Findings from these assessments will be triaged and fully tracked through remediation.
- Responsible disclosure: Report suspected vulnerabilities to [email protected]. We acknowledge within two business days and coordinate on validation and remediation.
Governance & Subprocessors
ContextFlo’s security program is guided by established industry frameworks such as SOC 2 and ISO 27001, and our controls are designed with these principles in mind as the platform evolves. Our Data Processing Agreement and Privacy Policy describe data handling, transfer mechanisms, and data-subject rights. We evaluate subprocessors for security posture and publish a current list at contextflo.com/legal/subprocessors. Customers are notified of material changes.
Customer Responsibilities
To get the most from our shared-responsibility model, customers should:
- Enforce least-privilege access within your organization and rotate credentials regularly.
- Monitor your environment and warehouse activity for suspicious behavior.
- Connect only data that complies with your legal and contractual obligations.
- Notify [email protected] immediately if you suspect a security issue.
Credentials & Token Practices (Summary)
- Stored: OAuth refresh tokens, access tokens when required for connector/session operations, and required API/warehouse credentials—encrypted at rest. Access tokens remain short-lived even when stored.
- Redaction: Secrets are excluded from logs and analytics.
- Rotation: Operators rotate encryption keys manually on a regular schedule and upon incident.
- Revocation: Customers can revoke integrations at any time; ContextFlo honors provider revocation endpoints immediately upon disconnect or suspected compromise.