Security at Flotick

How we protect your data and privacy — encryption, SOC 2-ready infrastructure, continuous monitoring, and full user controls.

Last Updated: June 17, 2026

1. Data Encryption

All data transmitted to and from Flotick is encrypted using industry-standard TLS 1.3 (Transport Layer Security) to protect data in transit. We use AES-256 encryption at rest to ensure your sensitive information remains secure even within our databases. This includes:

  • Encryption in Transit: All connections use TLS 1.3 with strong cipher suites. We enforce HTTPS across all endpoints and automatically redirect HTTP traffic.
  • Encryption at Rest: All stored data, including database backups and file storage, is encrypted using AES-256-GCM.
  • Key Management: Encryption keys are managed using cloud provider key management services with automatic rotation and strict access controls.

2. Infrastructure Security

Our infrastructure is hosted on world-class cloud providers with rigorous security certifications and audits:

  • SOC 2 Type II: Our hosting provider maintains SOC 2 Type II compliance, demonstrating effective controls for security, availability, and confidentiality.
  • ISO 27001: Infrastructure providers are ISO 27001 certified, ensuring systematic management of sensitive information.
  • Network Isolation: Production systems run in isolated virtual private clouds (VPCs) with strict network segmentation and firewall rules.
  • DDoS Protection: Multi-layer DDoS mitigation at the network, application, and infrastructure levels.
  • Backup and Recovery: Automated daily backups with point-in-time recovery capabilities and regular disaster recovery testing.

3. Access Controls

We implement comprehensive access controls to protect your data:

  • Multi-Factor Authentication (MFA): Required for all internal system access and available for all user accounts.
  • Role-Based Access Control (RBAC): Granular permissions ensure users and team members only access resources necessary for their role.
  • Principle of Least Privilege: All access is granted on a need-to-know basis with regular access reviews.
  • Session Management: Secure session tokens with automatic expiration and the ability to revoke sessions.
  • API Security: OAuth 2.0 and API key authentication with rate limiting and request signing.

4. Continuous Monitoring

We maintain a comprehensive security monitoring program to detect and respond to threats in real time:

  • Real-Time Monitoring: 24/7 monitoring of infrastructure, applications, and network traffic with automated alerting.
  • Vulnerability Scanning: Automated daily scans of code dependencies, container images, and infrastructure configurations.
  • Penetration Testing: Regular third-party penetration testing and internal security assessments.
  • Log Aggregation: Centralized logging with immutable audit trails for all system and user activities.
  • Threat Intelligence: Integration with threat intelligence feeds to stay ahead of emerging vulnerabilities.

5. Incident Response

We maintain a documented incident response plan that is regularly tested and updated:

  • Response Team: Dedicated security team with clear escalation procedures and defined roles.
  • 24/7 Coverage: On-call rotation ensures security incidents are addressed promptly at any time.
  • User Notification: Affected users are notified of security incidents within 72 hours as required by GDPR and other regulations.
  • Post-Incident Review: All incidents undergo thorough root cause analysis with documented remediation actions.

6. Data Privacy and Compliance

We are committed to protecting your privacy and complying with applicable data protection regulations:

  • GDPR Compliance: Full support for data subject rights including access, rectification, erasure, and data portability.
  • Data Minimization: We collect only the data necessary to provide and improve our service.
  • Data Residency: Data is stored in compliant data centers with options for regional data residency where required.
  • Privacy by Design: Privacy considerations are embedded throughout our development lifecycle.

7. User Controls

We provide users with robust controls over their data:

  • Data Export: Export all your data in standard formats (JSON, CSV) at any time.
  • Account Deletion: Permanently delete your account and all associated data with a single action.
  • Audit Logs: Enterprise customers can access detailed audit logs of all account activity.
  • Privacy Settings: Granular controls over data sharing and communication preferences.

8. Responsible Disclosure

We value the work of security researchers and operate a responsible disclosure program. If you believe you've found a security vulnerability in Flotick, please contact us at security@flotick.com. We commit to:

  • Acknowledging receipt of your report within 24 hours.
  • Providing an estimated timeline for remediation within 5 business days.
  • Keeping you informed throughout the remediation process.
  • Crediting researchers (with permission) in our security advisories.

9. Security Certifications

Our security program aligns with industry best practices and standards:

  • SOC 2 Type II compliance (in progress)
  • ISO 27001 alignment for information security management
  • OWASP Top 10 compliance in all web applications
  • Regular third-party security audits and assessments

10. Contact Us

For security-related inquiries or to report a vulnerability: