Security
Last updated: July 6, 2026
Engineers trust FlowingGas with real system designs. Here is how we protect that data.
Encryption
- All traffic between your browser and FlowingGas is encrypted with TLS.
- Customer data is encrypted at rest by our database provider.
Access isolation
Customer data is stored in Postgres with row-level security enforced at the database layer: every query is scoped to the authenticated user, so one customer's models can never be returned to another. Billing state can only be modified by server-side functions — never directly by a client.
Authentication
Accounts are managed by Supabase Auth. Passwords are stored only as salted hashes and are never visible to us. Sessions use short-lived signed tokens.
Payments
All payments are processed by Stripe, a PCI-DSS Level 1 certified provider. Card numbers are entered directly into Stripe's hosted checkout and never pass through or reside on FlowingGas servers.
Infrastructure
FlowingGas runs on managed cloud infrastructure (Supabase) with automated backups. We keep our dependency surface small and apply security updates promptly.
Responsible disclosure
If you believe you have found a security vulnerability in FlowingGas, please email [email protected]. We will acknowledge your report within two business days, and we will not pursue legal action against good-faith research. Our disclosure policy is also published at /.well-known/security.txt.
Questions
Security questionnaires and enterprise reviews: contact [email protected] and we will respond promptly.