Our security program is guided by a small number of clear principles applied consistently across the product and the systems used to run it.
01. Least-privilege access
Every user and service account is granted only the permissions their role requires. We avoid broad defaults, review access grants when roles change, and revoke permissions that are no longer needed.
02. Defense in depth
No single control protects everything. We layer safeguards across identity management, application-level authorization, data encryption, network boundaries, and operational monitoring so that a failure in one layer does not expose the system.
03. Consistent controls
The security standards we apply to the customer-facing product are the same ones we apply to internal tools, CI/CD pipelines, and the infrastructure used to build and operate Underflow. There is no separate, lower bar for internal systems.
04. Continuous improvement
Our security posture is not static. We use findings from customer security reviews, internal audits, penetration testing, and incident postmortems to identify gaps and strengthen controls on an ongoing basis.
Your data, handled carefully
We protect customer information across transmission, storage, and credential handling.
01. Encrypted in transit
All data moving between users, third-party integrations, and the Underflow platform is encrypted using TLS. This applies to API calls, webhook payloads, email connections, and browser sessions without exception.
02. Secrets handled securely
API keys, OAuth tokens, and other sensitive credentials are encrypted at rest and stored separately from application data. Access to secrets is scoped to specific services and environments, and credentials are rotated on a defined schedule.
03. Tenant isolation
Each customer's data is logically isolated at the database level. Queries are scoped to the authenticated tenant, and there is no mechanism for one account to access another's data. Isolation is enforced in the application layer and validated through automated testing.
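The following is an added illustration of the pattern described above (tenant-scoped queries in the application layer plus an automated isolation check); it is example code written for this page, not Underflow's implementation. The table, tenant names, rows and the `Principal`, `DocumentRepo` and `cross_tenant_leak` names are all constructed for the example. The key design point is that the tenant identifier comes from the authenticated session and is applied in every query by a single data-access class, so no endpoint can accidentally omit the filter, and a row belonging to another tenant is indistinguishable from a row that does not exist.

```python
from __future__ import annotations

import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller. tenant_id is taken from the verified session,
    never from request parameters the caller controls."""
    user_id: str
    tenant_id: str


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory dataset with two tenants (sample values only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents (tenant_id, title) VALUES (?, ?)",
        [("acme", "Q1 plan"), ("acme", "Roadmap"), ("globex", "Budget")],
    )
    conn.commit()
    return conn


class DocumentRepo:
    """Every query in this class carries the caller's tenant_id in its WHERE
    clause. Application code reads documents only through this class, so an
    endpoint cannot forget the tenant filter."""

    def __init__(self, conn: sqlite3.Connection, principal: Principal) -> None:
        self._conn = conn
        self._tenant = principal.tenant_id

    def list_titles(self) -> list[str]:
        rows = self._conn.execute(
            "SELECT title FROM documents WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [title for (title,) in rows]

    def get_title(self, doc_id: int) -> str | None:
        # Filtering on id AND tenant_id makes a foreign tenant's row look like a
        # missing row, so the caller learns nothing about other tenants' ids.
        row = self._conn.execute(
            "SELECT title FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant),
        ).fetchone()
        return None if row is None else row[0]


def cross_tenant_leak(conn: sqlite3.Connection) -> bool:
    """Automated isolation check: read every row as every tenant and return
    True if any tenant can see a row it does not own (or misses one it does)."""
    tenants = [t for (t,) in conn.execute("SELECT DISTINCT tenant_id FROM documents")]
    rows = [(i, t) for (i, t) in conn.execute("SELECT id, tenant_id FROM documents")]
    for tenant in tenants:
        repo = DocumentRepo(conn, Principal(user_id="isolation-test", tenant_id=tenant))
        for doc_id, owner in rows:
            visible = repo.get_title(doc_id) is not None
            if visible != (owner == tenant):
                return True
    return False


if __name__ == "__main__":
    db = build_sample_db()
    globex = DocumentRepo(db, Principal("u-2", "globex"))
    print(globex.list_titles())                      # ['Budget']
    print(globex.get_title(1))                       # None (id 1 belongs to acme)
    print("leak detected:", cross_tenant_leak(db))   # leak detected: False
```

In a real service the `cross_tenant_leak` style check belongs in the CI test suite, run against a fixture with at least two tenants, so that a query added without the tenant predicate fails the build rather than shipping.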
04. No AI training on your data
We do not use customer data to train, improve, or develop general-purpose AI or machine learning models. This is contractually enforced in our Cloud Service Agreement and Data Processing Agreement.
05. US data residency
All customer data is stored and processed in the United States. Every subprocessor we use is US-based. We do not transfer data outside the US without prior written consent.
06. Privacy and transparency
Our Privacy Policy and Terms of Service are publicly available and written in plain language. We document what data we collect, how it is used, and how customers can request access or deletion.
Security is how we operate
Monitoring, issue response, and vulnerability handling are built into how we run the product every day.
01. Monitoring and alerting
We run continuous monitoring across application performance, error rates, and infrastructure health. Alerts are routed to on-call engineers with defined escalation paths so that anomalies are investigated in minutes, not hours. Real-time system status is available at status.useunderflow.com.
02. Issue response
When a security event is identified, we follow a documented incident response process: contain the issue, investigate root cause, remediate, and communicate with affected customers. Postmortems are conducted for significant incidents to prevent recurrence.
03. Vulnerability management
Reported vulnerabilities are triaged by severity and exploitability, patched on a priority basis, and tracked through resolution. We run periodic dependency audits and penetration tests to surface issues before they are reported externally.
04. Customer security review
We support customer security reviews as a standard part of procurement. This includes providing documentation, answering questionnaires, and making relevant team members available for calls.
Know exactly who to contact
We keep direct paths open for security reports, privacy questions, and legal requests.
01. Security reports
Send vulnerability reports or security questions to security@useunderflow.com. Every report is acknowledged within one business day.
02. Privacy and legal
Data access requests, privacy questions, and legal inquiries go to legal@useunderflow.com.
03. Trust Center
Our Trust Center is the central hub for security documentation, compliance artifacts, and customer review workflows. Access key materials without needing to go through a sales process.
Common questions, straight answers
What security, IT, and procurement teams typically want to know before they sign off.