Security & data posture
How we secure your data.
UK-hosted, encrypted in transit and at rest, authentication that doesn't depend on remembered passwords, audit trail on every change. The boring stuff, done right.
Hosting
PropFlow's database, authentication, and file storage are hosted in the UK / EEA region. Customer data stays within UK / EEA jurisdiction by configuration.
Encryption
In transit: TLS 1.2+ on every connection. HSTS preload enabled. No HTTP fallback for any authenticated request.
At rest: AES-256 encryption on all stored data.
Authentication
Sign in by magic link (email) by default. Password sign-in available for operators who prefer it. Turnstile CAPTCHA on every auth-bearing form protects against credential stuffing and automated abuse.
Access control & audit trail
PropFlow uses Row-Level Security (RLS) at the Postgres layer. Authorisation is enforced by the database itself — not just by the application. A bug in the API layer cannot leak another organisation's data, because the database refuses to return it.
Every change is attributed to a user with a trace ID propagated through the request lifecycle. The audit log is read-only for end users and backs the court-ready evidence pack.
Backups & recovery
Point-in-time recovery is enabled. We can restore the database to any moment in the recent past. Backups are stored within the UK / EEA region.
Responsible disclosure
Found a vulnerability? We'd like to know. Email security@propflow-ai.co.uk with a description, repro steps, and your preferred disclosure timeline.
We don't pay bounties (yet), but we credit reporters in our security advisories unless they request anonymity.
Built with the audit in mind from day one.
Try it free, or get in touch if you'd like to know more.