Skip to main content
Security & Data Protection

Your compliance data is protected.

We take security seriously. FileFlo uses bank-level encryption and enterprise-grade security measures to keep your sensitive compliance data safe.

By Chad Griffith·Founder & CEO·Reviewed June 4, 2026

AES-256 · TLS 1.3 · Per-tenant isolation · Anthropic Zero Data Retention

ZDR
Anthropic Zero Data Retention
Documents never train models
256-bit
AES Encryption
At rest · TLS 1.3 in transit
Per-Tenant
Data Isolation
Scoped to your organization
Procurement Summary

FileFlo security at a glance.

One-page snapshot for compliance officers, procurement, and IT reviewers. Forward this page or print it for your file.

Encryption
AES-256 at rest. TLS 1.3 in transit.
Data isolation
Per-tenant isolation; each customer's data is scoped to their organization.
Access controls
Role-based permissions, MFA, SSO support, audit logs of access and document actions.
AI & data retention
Anthropic Zero Data Retention (ZDR) is enabled. Customer documents are not used for model training.
SOC 2
Type II audit targeted Q4 2026 / Q1 2027. In development, not yet certified. Architecture and policies designed against SOC 2 controls.
HIPAA
Architecture designed against HIPAA technical safeguards. BAA available on Professional plans at attestation completion (target Q1 2027). Not yet HIPAA-certified.
Backups
Automated daily backups with 30-day retention. Point-in-time recovery available.
Support hours
Monday–Friday, 8 a.m.–6 p.m. Mountain Time. Email: chad@getfileflo.com.
Infrastructure
Hosted on AWS in U.S. regions. Built on Supabase (Postgres) with row-level security.
Sub-processors
AWS (hosting), Supabase (database), Stripe (billing), Anthropic (AI classification, ZDR enabled). Full list on request.

Need a security questionnaire response, DPA, or sub-processor list? Email chad@getfileflo.com. We respond within one business day, Monday–Friday MT.

The controls

Enterprise-grade security features.

Comprehensive security controls to protect your most sensitive data.

256-Bit Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256) using industry-standard encryption protocols.

SOC 2 Type II (Planned Q4 2026)

First SOC 2 Type II audit targeted for Q4 2026 / Q1 2027. Architecture and policies designed against SOC 2 controls; formal certification not yet started.

HIPAA (Planned Q1 2027)

HIPAA-aware architecture: AES-256 encryption, role-based access, audit logs, tenant data isolation. Formal HIPAA certification and BAAs available upon Q1 2027 attestation completion.

Role-Based Access Control

Granular permissions ensure employees only see data relevant to their role and responsibilities.

Secure Infrastructure

Hosted on AWS with automatic backups and disaster recovery protocols.

GDPR-Aware Data Handling

Data portability, right to deletion, and access controls designed against GDPR requirements. Formal GDPR audit attestation pending.

Roadmap

Security certifications.

We're committed to achieving the highest security standards.

SOC 2 Type II

Compliance certification

Planned Q4 2026 / Q1 2027

15% Complete

HIPAA

Compliance certification

Planned Q1 2027

10% Complete

GDPR

Compliance certification

Architecture in place

50% Complete

ISO 27001

Compliance certification

Planned Q3 2027

5% Complete

How we operate

Our security practices.

Comprehensive security measures at every layer.

Data Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. We never store sensitive data in plain text.

Access Controls

Multi-factor authentication, SSO support, and role-based permissions ensure only authorized users can access data.

Data Backup

Automated daily backups with 30-day retention. Point-in-time recovery available for all customer data.

Monitoring

Automated threat detection and incident response protocols to protect customer data.

Compliance

We are building toward SOC 2 Type II and HIPAA. Today, we follow security best practices around data handling, access control, and audit logging.

Trust & reliability

Enterprise trust & reliability.

Security metrics you can count on.

ZDR
Anthropic Zero Data Retention
256-bit
AES Encryption
Per-Tenant
Data Isolation
The technical detail · for IT & compliance reviewers

How FileFlo handles your data.

FileFlo encrypts all data at rest with AES-256 and in transit with TLS 1.3, and never stores sensitive data in plain text. Each customer's data is held under per-tenant isolation, scoped to their organization, and the platform is built on Supabase (Postgres) with row-level security and hosted on AWS in U.S. regions. Access is governed by role-based permissions with multi-factor authentication and SSO support, so employees only see data relevant to their role; access and document actions are recorded in audit logs.

For AI classification, FileFlo uses Anthropic with Zero Data Retention (ZDR) enabled, so customer documents are not used for model training. The platform's sub-processors are AWS (hosting), Supabase (database), Stripe (billing), and Anthropic (AI classification, ZDR enabled), with the full list available on request. Customer data is protected by automated daily backups with 30-day retention and point-in-time recovery, and by automated threat detection and incident response protocols.

On certifications, FileFlo is building toward SOC 2 Type II and HIPAA. The first SOC 2 Type II audit is targeted for Q4 2026 / Q1 2027 (in development and not yet certified), with architecture and policies designed against SOC 2 controls. The architecture is also designed against HIPAA technical safeguards, with formal HIPAA certification and BAAs (available on Professional plans) at attestation completion targeted for Q1 2027. Data handling is designed against GDPR requirements (data portability, right to deletion, and access controls), with formal GDPR audit attestation pending, and an ISO 27001 effort planned for Q3 2027. Support is available Monday–Friday, 8 a.m.–6 p.m. Mountain Time at chad@getfileflo.com.

Have security questions?

Have specific security requirements or questions about our security practices?

Our security team is available to discuss your needs and provide detailed security documentation, security questionnaire responses, and BAAs for healthcare organizations (available on Professional plans at HIPAA attestation completion).