Trust & Safety
Security at Floo
Last reviewed: April 2026
Floo handles sensitive financial data. We treat security as a core product
requirement, not an afterthought. This page explains exactly how we protect
your data and our systems.
- Encrypted in transit: All communication between your browser and Floo is encrypted using TLS 1.3. We enforce HTTPS on every endpoint.
- Encrypted at rest: Your data is encrypted at rest in our database. Passwords are hashed with bcrypt — even we cannot read them.
- Read-only access: We connect to your Gmail in read-only mode via OAuth 2.0. We never store your Google password or credentials.
- Isolated customer data: Every customer's data is isolated. No customer can ever access another customer's transactions or alerts.
Infrastructure security
- Cloud hosting on Render — Our infrastructure runs on Render, which maintains SOC 2 Type II compliance and provides automatic security updates, DDoS protection, and isolated compute environments.
- Database isolation — Customer data is stored in a dedicated PostgreSQL database with row-level access controls. No shared database tables across customers.
- Secure secret management — API keys, database credentials, and tokens are stored as encrypted environment variables, never in source code.
- Automatic backups — Database backups run daily. In the event of data loss, we can restore data to a point no more than 24 hours before the incident.
Application security
- Password hashing — All passwords are hashed using bcrypt with a work factor of 12. We store only the hash — even Floo staff cannot see or recover your password.
- Session security — Session tokens are cryptographically random, expire on logout, and are bound to HTTPS-only cookies with SameSite protection.
- Password reset tokens — Reset tokens expire after 60 minutes and are invalidated immediately after use. They are single-use only.
- SQL injection prevention — All database queries use parameterised statements. No raw SQL is constructed from user input.
- Input validation — All user input is validated and sanitised on both the client and server side before processing.
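The reset-token and parameterised-query items above describe two controls that are easy to get subtly wrong, so here is an added example (not Floo's code) showing both together: a hypothetical `ResetTokenStore` that issues cryptographically random tokens, stores only their hash, expires them after 60 minutes and consumes them on first use, with every query using `?` placeholders. SQLite stands in for PostgreSQL, and `count_tokens_unsafe` is included only to show why the string-built query the page rules out breaks on ordinary input such as an address containing an apostrophe.

```python
"""Added example (not Floo's code): single-use, 60-minute password-reset tokens
stored via parameterised SQL. All names and sample data are constructed."""
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_TTL = timedelta(minutes=60)  # the 60-minute expiry stated on the page


def _hash_token(token: str) -> str:
    # Persist only a hash: a leaked table must not yield usable reset tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS reset_tokens ("
            "token_hash TEXT PRIMARY KEY, user_email TEXT NOT NULL, "
            "expires_at TEXT NOT NULL, used INTEGER NOT NULL DEFAULT 0)"
        )

    def issue(self, user_email: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires = now + TOKEN_TTL
        # '?' placeholders: user_email travels as data, never spliced into SQL.
        self.conn.execute(
            "INSERT INTO reset_tokens (token_hash, user_email, expires_at) "
            "VALUES (?, ?, ?)",
            (_hash_token(token), user_email, expires.isoformat()),
        )
        self.conn.commit()
        return token  # delivered to the user once; never stored in clear

    def redeem(self, token: str, now: datetime) -> Optional[str]:
        """Return the owner's email if the token is valid; consume it either way."""
        h = _hash_token(token)
        row = self.conn.execute(
            "SELECT user_email, expires_at, used FROM reset_tokens WHERE token_hash = ?",
            (h,),
        ).fetchone()
        if row is None:
            return None
        user_email, expires_at, used = row
        # Mark it used before any other check, so a token can be redeemed once only.
        self.conn.execute("UPDATE reset_tokens SET used = 1 WHERE token_hash = ?", (h,))
        self.conn.commit()
        if used:
            return None
        if now > datetime.fromisoformat(expires_at):
            return None
        return user_email


def count_tokens_unsafe(conn: sqlite3.Connection, user_email: str) -> int:
    # The anti-pattern the page rules out: SQL assembled from user input.
    # A legitimate address like o'brien@example.com already breaks the statement.
    sql = f"SELECT COUNT(*) FROM reset_tokens WHERE user_email = '{user_email}'"
    return conn.execute(sql).fetchone()[0]


def count_tokens_safe(conn: sqlite3.Connection, user_email: str) -> int:
    # Same query with a bound parameter: the apostrophe is just part of the value.
    sql = "SELECT COUNT(*) FROM reset_tokens WHERE user_email = ?"
    return conn.execute(sql, (user_email,)).fetchone()[0]


def demo() -> dict:
    """Walk one token through its lifecycle with constructed data."""
    conn = sqlite3.connect(":memory:")
    store = ResetTokenStore(conn)
    t0 = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)
    email = "o'brien@example.com"  # constructed; the quote is deliberate
    tok = store.issue(email, t0)
    first = store.redeem(tok, t0 + timedelta(minutes=5))     # valid
    second = store.redeem(tok, t0 + timedelta(minutes=6))    # already used
    late = store.issue(email, t0)
    expired = store.redeem(late, t0 + timedelta(minutes=61))  # past 60 minutes
    unknown = store.redeem("not-a-real-token", t0)
    try:
        count_tokens_unsafe(conn, email)
        unsafe_failed = False
    except sqlite3.Error:
        unsafe_failed = True
    return {
        "first": first, "second": second, "expired": expired, "unknown": unknown,
        "unsafe_failed": unsafe_failed, "safe_count": count_tokens_safe(conn, email),
    }


if __name__ == "__main__":
    print(demo())
```

Hashing the token before storage and marking it used before validating expiry are the two details that make "single-use" hold even if two redemption requests arrive close together or the table is later exposed.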
Gmail access — how it works
Floo connects to your Gmail account using Google's OAuth 2.0 protocol.
This means:
- You never give us your Google password. You grant access through Google's own secure consent screen.
- Read-only access only. Our OAuth scope only permits reading emails. We cannot send emails, delete emails, or modify anything in your inbox.
- Revocable at any time. You can revoke Floo's access to your Gmail at any time from your Google Account settings at myaccount.google.com.
- We only read bank alert emails. Our system filters by sender address — we only read emails from the bank alert addresses you configure. All other emails are ignored.
Third-party security
Floo uses the following trusted third-party services, each with its own security certifications:
- Twilio — ISO 27001 certified, SOC 2 Type II compliant. Used for WhatsApp alert delivery.
- SendGrid (Twilio) — ISO 27001 certified. Used for transactional email.
- Paystack — PCI DSS Level 1 compliant. Used for payment processing. We never store card data.
- Render — SOC 2 Type II compliant. Used for hosting.
- Anthropic (Claude) — Enterprise-grade AI with strict data handling policies. Used for transaction analysis.
What we do NOT do
- We do not sell your data to anyone
- We do not share your financial data with advertisers
- We do not store your bank login credentials
- We do not have the ability to move, transfer, or authorise transactions on your behalf
- We do not access emails beyond bank alert emails from addresses you configure
Reporting a security issue
If you discover a security vulnerability in Floo, please email us immediately at
hello@tryfloo.com with the subject line
"Security Vulnerability". We take all reports seriously and will investigate
within 24 hours. We ask that you do not publicly disclose the issue until we
have had the opportunity to address it.
We are grateful to security researchers who help us keep Floo safe and will
acknowledge your contribution if you choose.