Security

Last updated: July 6, 2026

Engineers trust FlowingGas with real system designs. Here is how we protect that data.

Encryption

Access isolation

Customer data is stored in Postgres with row-level security enforced at the database layer: every query is scoped to the authenticated user, so one customer's models can never be returned to another. Billing state can only be modified by server-side functions — never directly by a client.

Authentication

Accounts are managed by Supabase Auth. Passwords are stored only as salted hashes and are never visible to us. Sessions use short-lived signed tokens.

Payments

All payments are processed by Stripe, a PCI-DSS Level 1 certified provider. Card numbers are entered directly into Stripe's hosted checkout and never pass through or reside on FlowingGas servers.

Infrastructure

FlowingGas runs on managed cloud infrastructure (Supabase) with automated backups. We keep our dependency surface small and apply security updates promptly.

Responsible disclosure

If you believe you have found a security vulnerability in FlowingGas, please email [email protected]. We will acknowledge your report within two business days, and we will not pursue legal action against good-faith research. Our disclosure policy is also published at /.well-known/security.txt.

Questions

Security questionnaires and enterprise reviews: contact [email protected] and we will respond promptly.