Security is not a feature we added. It's how AuditFlo is built.
All data is encrypted at rest and in transit. Encryption keys are rotated on a defined schedule.
TOTP-based MFA is available for all accounts. Accounts are locked after repeated failed login attempts.
Every piece of data is scoped to its tenant. All tenants are fully isolated, and your data is never accessible to another organization on the platform.
All user actions and security events are written to an append-only log. Records cannot be modified or deleted, giving you a reliable chain of custody for every audit.
A Software Bill of Materials (SBOM) is generated on every production deploy and scanned against the OSV and npm advisory databases. High and critical findings block the build.
AuditFlo has been assessed against eight industry-standard threat frameworks, including MITRE ATT&CK, STRIDE, and CVSS. Findings are tracked and resolved before feature work proceeds.
We welcome responsible disclosure. Reach out before going public, and we'll acknowledge within 48 hours and resolve confirmed issues within 30 days.