Security

How we keep your data safe.

The controls that protect your account, your payments, and the content you generate on Flovaly. Written honestly — we will tell you what we have done and, just as importantly, what we have not.

Encryption in transit

All traffic to flovaly.com is served over HTTPS with modern TLS (1.2 or higher). The application is hosted on Vercel’s edge network, which terminates TLS at the nearest point of presence. Internal calls between application services and our database, Redis queue, object storage, and AI providers are made over TLS-encrypted channels.

Encryption at rest

The primary database (Supabase, AWS EU West) encrypts data at rest using AES-256 at the storage layer. Generated images, videos, and audio are stored in Cloudflare R2, which encrypts objects at rest by default. Secrets are stored in Vercel and Railway environment variables, never committed to source control.

Authentication and account security

Authentication is provided by Supabase Auth. We support email-and-password sign-in (with a minimum strength requirement) and Google OAuth. Sessions are managed by short-lived JWTs with refresh tokens, set as httpOnly cookies. Sign-in events and session refreshes are logged. Failed attempts are subject to provider-level rate limiting.

Payments

Flovaly does not store cardholder data. All payment information is collected, processed, and stored by Stripe via Stripe Checkout and the Stripe Customer Portal. We operate within Stripe’s SAQ-A scope — meaning card data never touches a Flovaly server. Billing events reach our system only as webhooks over a verified signature.

Access control and separation

The customer-facing application and the internal administration surface run on separate routes and are gated by separate authorisation checks (an admin subdomain and an environment-controlled allow-list of admin emails). Database queries from the application use row-level scoping where applicable; queries to a user’s own data require that user’s authenticated session. Production access to infrastructure is limited to a small set of named individuals.

Generated content and your data

Generated content is private to the workspace that created it unless the creator explicitly publishes it to the community gallery. Flovaly staff do not view or download user-generated content except (a) where strictly required to debug a reported issue at the user’s request, (b) where required to investigate a reported violation of the Acceptable Use Policy, or (c) where required by law. We do not use customer content or prompts to train AI models.

Background workers and queues

AI generation jobs run on dedicated worker containers backed by a Redis queue. Workers communicate with AI providers (fal.ai, Kling, Replicate, ElevenLabs) over authenticated TLS endpoints. Failed jobs are auto-refunded to the user’s credit balance via an idempotent transaction so the same job cannot be refunded twice.

Monitoring and incident response

Application errors and unhandled exceptions are captured by Sentry across the Next.js application, the edge runtime, and the worker fleet. Critical alerts page the on-call engineer. In the event of a confirmed personal data breach affecting customer data, we will notify affected customers and, where required, the ICO within 72 hours of becoming aware, in line with UK GDPR Article 33 and our DPA.

Backups and recovery

The primary database is backed up daily by Supabase with point-in-time recovery retained on the provider’s rolling schedule. Object storage in Cloudflare R2 is durable by design and replicated within the provider’s network. Backup data is encrypted at rest and protected by the same access controls as production.

What we have not (yet) certified

Flovaly is an early-stage company and does not currently hold a SOC 2, ISO 27001, or HIPAA certification. We are happy to complete a reasonable security questionnaire for enterprise customers. Email general@flovaly.com for the latest control overview.

Responsible disclosure

If you believe you have found a security vulnerability in Flovaly, please report it to general@flovaly.com. We ask that you give us a reasonable opportunity to fix the issue before public disclosure, do not access data that is not your own beyond the minimum required to demonstrate the issue, and do not run automated scans that degrade the service for other users. We will acknowledge valid reports within two business days and keep you updated on remediation. We do not currently run a paid bug bounty programme but we publicly credit reporters who request it.

Contact

Security questions, vulnerability reports, and enterprise security review requests: general@flovaly.com.

Last updated: 2026-06-09