Security
Your CRM data, protected.
Security is foundational to FlowRouter, not an afterthought. Every architectural decision — from how we authenticate to how we store data — is made with the protection of your CRM data as the first priority.
Principles
Security by design
Four principles guide every decision we make about how your data is handled.
Minimum access
OAuth with minimal scopes. We request only the HubSpot permissions strictly necessary for routing operations — nothing more.
Encryption everywhere
TLS 1.2+ for all data in transit. AES-256 encryption at rest. OAuth access tokens are encrypted separately with dedicated key management.
Complete audit trail
Every action is logged. Every routing decision is traceable. Full transparency into who did what, when, and why.
Your data, your control
We never access data outside routing operations. You can export or permanently delete your data at any time, no questions asked.
Infrastructure
Built on a secure foundation
Enterprise-grade infrastructure that you can rely on for your most critical routing operations.
Modern cloud infrastructure
Hosted on industry-leading cloud providers with multi-region redundancy and automated failover.
SOC 2 Type II (in progress)
We are actively pursuing SOC 2 Type II certification. Our controls are designed to meet Trust Services Criteria.
Regular penetration testing
Third-party security firms conduct regular penetration tests and vulnerability assessments.
99.9% uptime SLA
Enterprise-grade availability with proactive monitoring, alerting, and incident response procedures.
Data residency options
Choose where your data is stored to meet regional compliance requirements and data sovereignty laws.
HubSpot Integration
Secure by default with OAuth
The connection between FlowRouter and HubSpot is built on OAuth 2.0, giving you full control over what we can access.
Minimum scopes requested
We request only the HubSpot OAuth scopes required for routing: contacts, companies, deals, and owners. No marketing, CMS, or account-level admin access.
Token refresh handled securely
OAuth tokens are refreshed automatically using encrypted refresh tokens. Tokens are never logged, and short-lived access tokens limit exposure windows.
No password storage
FlowRouter uses OAuth 2.0 exclusively. We never see, ask for, or store your HubSpot password. Authentication is handled entirely by HubSpot.
Revoke access anytime
Disconnect FlowRouter from your HubSpot portal at any time through HubSpot's Connected Apps settings. Revocation is immediate and permanent.
Compliance
Meeting the standards that matter
We take regulatory compliance seriously and build it into our platform from the ground up.
SOC 2
Our systems and processes are designed to meet SOC 2 Trust Services Criteria for security, availability, and confidentiality. Certification is in progress.
GDPR
FlowRouter supports GDPR requirements including data access requests, right to erasure, data portability, and lawful basis for processing.
CCPA
California Consumer Privacy Act compliance is built in. We honor opt-out requests, provide transparency into data collection, and never sell personal data.
Have a security question?
We welcome security inquiries and are committed to responding promptly. We also maintain a responsible disclosure program for security researchers.
For responsible disclosure, please include reproduction steps and allow us 90 days before public disclosure.