Our Commitment
CustomerFlows is trusted by home service businesses to manage their customer relationships, lead data, and business communications. We take that trust seriously. This page describes the technical and organizational security measures we implement to protect your data and your customers' data.
1. Infrastructure Security
1.1 Hosting and Data Residency
- Cloud provider: CustomerFlows is hosted on enterprise-grade cloud infrastructure in the United States
- Data residency: All customer data is stored and processed within the United States. We do not transfer or store data in data centers outside the U.S., except for WhatsApp message delivery, which transits through Meta's global infrastructure
- Redundancy: Production systems are deployed across multiple availability zones to ensure high availability
- Uptime target: We target 99.9% uptime for the CustomerFlows application
1.2 Network Security
- Firewalls: Network-level firewalls restrict access to production systems to only the necessary ports and protocols
- DDoS protection: Distributed denial-of-service mitigation is enabled at the edge network layer
- Intrusion detection: Automated monitoring systems detect and alert on anomalous network activity
- Network segmentation: Production, staging, and development environments are isolated from each other
1.3 Physical Security
Our cloud infrastructure providers maintain physical security controls including 24/7 monitoring, biometric access controls, and environmental protections (fire suppression, climate control, uninterruptible power). CustomerFlows does not operate its own data centers.
2. Data Protection
2.1 Encryption
2.2 Database Security
- Access controls: Database access is restricted to application services and authorized personnel only. No direct database access is available to end users
- Parameterized queries: All database queries use parameterized statements to prevent SQL injection attacks
- Connection encryption: All connections to the database are encrypted using TLS
- Automated backups: Daily automated backups with a 30-day retention period. Backups are encrypted and stored separately from production databases
2.3 Data Isolation
Each CustomerFlows account's data is logically isolated. Row-level security ensures that users can only access data belonging to their own account. Team members within an account can only access data permitted by their assigned role.
3. Application Security
3.1 Authentication
- Password requirements: Minimum 8 characters. Passwords are hashed using bcrypt with a salt before storage. We never store plaintext passwords
- OAuth 2.0: Google OAuth is available as an alternative authentication method
- Session management: Sessions are managed with secure, HTTP-only cookies with SameSite attributes. Sessions expire after inactivity
- Multi-factor authentication (MFA): Available for all accounts. We recommend enabling MFA for all team members
3.2 Authorization
- Role-based access control (RBAC): Account owners can assign roles to team members (Owner, Admin, Member, Viewer) with granular permissions for pipeline access, contact management, and settings
- API key security: API keys (Scale tier) are scoped to specific permissions and can be revoked at any time. API keys should never be embedded in client-side code
3.3 Secure Development
- Code review: All code changes undergo peer review before deployment
- Dependency management: Automated scanning for known vulnerabilities in third-party dependencies
- Input validation: All user inputs are validated and sanitized on both client and server
- CSRF protection: Cross-site request forgery tokens are enforced on all state-changing requests
- Content Security Policy: CSP headers restrict the sources of scripts, styles, and other resources to prevent cross-site scripting (XSS) attacks
- Rate limiting: API and authentication endpoints are rate-limited to prevent brute-force attacks
4. WhatsApp and Messaging Security
4.1 WhatsApp Business API
- End-to-end encryption: WhatsApp messages between your business and your customers are encrypted end-to-end by WhatsApp's protocol. CustomerFlows interacts with the WhatsApp Business API, which provides access to message content for chatbot processing and CRM integration
- Meta compliance: Our WhatsApp integration complies with Meta's WhatsApp Business API Terms and WhatsApp Business Policy
- Template approval: All outbound marketing and utility message templates are submitted to Meta for approval before use, ensuring compliance with WhatsApp's messaging policies
4.2 Message Storage
- WhatsApp conversation content is stored in our encrypted database to provide conversation history, chatbot context, and deal card records
- Message content is accessible only to the account that owns the conversation
- When a contact is deleted, associated conversation history is permanently removed
5. Payment Security
- PCI compliance: All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. CustomerFlows never receives, processes, or stores complete credit card numbers on our servers
- Billing data: We store only the last four digits of your card number and the card brand for display purposes in your billing settings
6. Organizational Security
6.1 Employee Access
- Access to production systems and customer data is restricted on a need-to-know basis
- All employees and contractors with access to customer data are bound by confidentiality agreements
- Access is reviewed quarterly and revoked immediately upon role change or departure
- Administrative access to production systems requires multi-factor authentication
6.2 Security Training
- All team members receive security awareness training upon onboarding and annually thereafter
- Training covers phishing recognition, secure coding practices, data handling procedures, and incident response
6.3 Vendor Management
- Third-party vendors and sub-processors are evaluated for security practices before engagement
- Vendors with access to customer data are required to maintain security measures at least as protective as those described in this document
- A current list of sub-processors is maintained in our Data Processing Agreement
7. Incident Response
7.1 Detection and Response
We maintain an incident response plan that includes:
- Monitoring: Automated alerting for security anomalies, unauthorized access attempts, and system health
- Triage: Incidents are classified by severity (Critical, High, Medium, Low) and escalated accordingly
- Containment: Immediate steps to contain the incident and prevent further exposure
- Investigation: Root cause analysis to understand the scope and impact
- Remediation: Corrective actions to resolve the vulnerability and prevent recurrence
- Communication: Notification to affected customers in accordance with our Data Processing Agreement and applicable laws
7.2 Breach Notification
In the event of a data breach affecting your data, we will notify you within 72 hours of becoming aware of the breach, as described in our Data Processing Agreement.
8. Business Continuity
8.1 Backups
- Frequency: Automated daily backups of all production data
- Storage: Encrypted backups stored in geographically separated U.S. locations
- Retention: 30-day rolling retention for production backups
- Testing: Backup restoration is tested quarterly
8.2 Disaster Recovery
- Recovery Point Objective (RPO): 24 hours — in a disaster scenario, you may lose up to 24 hours of data
- Recovery Time Objective (RTO): 4 hours — we target full service restoration within 4 hours of a disaster declaration
- Failover: Critical services can fail over to secondary infrastructure in a different availability zone
9. Your Security Responsibilities
Security is a shared responsibility. We recommend the following for all CustomerFlows users:
- Use strong, unique passwords for your CustomerFlows account. Do not reuse passwords from other services
- Enable multi-factor authentication for all team members, especially account owners and admins
- Review team access regularly. Remove team members who no longer need access. Use the most restrictive role appropriate for each team member's function
- Protect your API keys (Scale tier). Never embed API keys in client-side code, public repositories, or shared documents. Rotate keys if you suspect compromise
- Keep your browser updated. Use a modern, supported browser to ensure you benefit from the latest security features
- Be vigilant about phishing. CustomerFlows will never ask for your password via email. If you receive a suspicious email claiming to be from CustomerFlows, forward it to [email protected]
10. Vulnerability Disclosure
If you discover a security vulnerability in the CustomerFlows platform, we encourage responsible disclosure:
- Email: [email protected]
- Include: A description of the vulnerability, steps to reproduce, and any supporting evidence (screenshots, logs)
- Response time: We will acknowledge your report within 2 business days and provide an initial assessment within 5 business days
- Recognition: We appreciate security researchers who help us improve our platform. With your permission, we will acknowledge your contribution publicly
Please do not:
- Access or modify other users' data as part of your research
- Perform denial-of-service testing
- Send unsolicited messages to other users
- Publicly disclose the vulnerability before we have had a reasonable opportunity to address it
11. Compliance
12. Contact
For security-related inquiries:
- Security reports: [email protected]
- Privacy questions: [email protected]
- General support: [email protected]
- Company: Keilani Media Group LLC
- Address: 30 N Gould St, Ste R, Sheridan, WY 82801, United States