Your compliance data is protected.
We take security seriously. FileFlo uses bank-level encryption and enterprise-grade security measures to keep your sensitive compliance data safe.
AES-256 · TLS 1.3 · Per-tenant isolation · Anthropic Zero Data Retention
FileFlo security at a glance.
One-page snapshot for compliance officers, procurement, and IT reviewers. Forward this page or print it for your file.
- Encryption
- AES-256 at rest. TLS 1.3 in transit.
- Data isolation
- Per-tenant isolation; each customer's data is scoped to their organization.
- Access controls
- Role-based permissions, MFA, SSO support, audit logs of access and document actions.
- AI & data retention
- Anthropic Zero Data Retention (ZDR) is enabled. Customer documents are not used for model training.
- SOC 2
- Type II audit targeted Q4 2026 / Q1 2027. In development, not yet certified. Architecture and policies designed against SOC 2 controls.
- HIPAA
- Architecture designed against HIPAA technical safeguards. BAA available on Professional plans at attestation completion (target Q1 2027). Not yet HIPAA-certified.
- Backups
- Automated daily backups with 30-day retention. Point-in-time recovery available.
- Support hours
- Monday–Friday, 8 a.m.–6 p.m. Mountain Time. Email: chad@getfileflo.com.
- Infrastructure
- Hosted on AWS in U.S. regions. Built on Supabase (Postgres) with row-level security.
- Sub-processors
- AWS (hosting), Supabase (database), Stripe (billing), Anthropic (AI classification, ZDR enabled). Full list on request.
Need a security questionnaire response, DPA, or sub-processor list? Email chad@getfileflo.com. We respond within one business day, Monday–Friday MT.
Enterprise-grade security features.
Comprehensive security controls to protect your most sensitive data.
256-Bit Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256) using industry-standard encryption protocols.
SOC 2 Type II (Planned Q4 2026)
First SOC 2 Type II audit targeted for Q4 2026 / Q1 2027. Architecture and policies designed against SOC 2 controls; formal certification not yet started.
HIPAA (Planned Q1 2027)
HIPAA-aware architecture: AES-256 encryption, role-based access, audit logs, tenant data isolation. Formal HIPAA certification and BAAs available upon Q1 2027 attestation completion.
Role-Based Access Control
Granular permissions ensure employees only see data relevant to their role and responsibilities.
Secure Infrastructure
Hosted on AWS with automatic backups and disaster recovery protocols.
GDPR-Aware Data Handling
Data portability, right to deletion, and access controls designed against GDPR requirements. Formal GDPR audit attestation pending.
Security certifications.
We're committed to achieving the highest security standards.
SOC 2 Type II
Compliance certification
15% Complete
HIPAA
Compliance certification
10% Complete
GDPR
Compliance certification
50% Complete
ISO 27001
Compliance certification
5% Complete
Our security practices.
Comprehensive security measures at every layer.
Data Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. We never store sensitive data in plain text.
Access Controls
Multi-factor authentication, SSO support, and role-based permissions ensure only authorized users can access data.
Data Backup
Automated daily backups with 30-day retention. Point-in-time recovery available for all customer data.
Monitoring
Automated threat detection and incident response protocols to protect customer data.
Compliance
We are building toward SOC 2 Type II and HIPAA. Today, we follow security best practices around data handling, access control, and audit logging.
Enterprise trust & reliability.
Security metrics you can count on.
How FileFlo handles your data.
FileFlo encrypts all data at rest with AES-256 and in transit with TLS 1.3, and never stores sensitive data in plain text. Each customer's data is held under per-tenant isolation, scoped to their organization, and the platform is built on Supabase (Postgres) with row-level security and hosted on AWS in U.S. regions. Access is governed by role-based permissions with multi-factor authentication and SSO support, so employees only see data relevant to their role; access and document actions are recorded in audit logs.
For AI classification, FileFlo uses Anthropic with Zero Data Retention (ZDR) enabled, so customer documents are not used for model training. The platform's sub-processors are AWS (hosting), Supabase (database), Stripe (billing), and Anthropic (AI classification, ZDR enabled), with the full list available on request. Customer data is protected by automated daily backups with 30-day retention and point-in-time recovery, and by automated threat detection and incident response protocols.
On certifications, FileFlo is building toward SOC 2 Type II and HIPAA. The first SOC 2 Type II audit is targeted for Q4 2026 / Q1 2027 (in development and not yet certified), with architecture and policies designed against SOC 2 controls. The architecture is also designed against HIPAA technical safeguards, with formal HIPAA certification and BAAs (available on Professional plans) at attestation completion targeted for Q1 2027. Data handling is designed against GDPR requirements (data portability, right to deletion, and access controls), with formal GDPR audit attestation pending, and an ISO 27001 effort planned for Q3 2027. Support is available Monday–Friday, 8 a.m.–6 p.m. Mountain Time at chad@getfileflo.com.
Have security questions?
Have specific security requirements or questions about our security practices?
Our security team is available to discuss your needs and provide detailed security documentation, security questionnaire responses, and BAAs for healthcare organizations (available on Professional plans at HIPAA attestation completion).