Security Policy

Last updated: December 12, 2025

Our Commitment to Security

At Flocod, security is our top priority. We implement industry-leading security measures to protect your code, data, and privacy. This page outlines our security practices and how we safeguard your information.

Infrastructure Security

  • Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256
  • Cloud Infrastructure: Hosted on secure, SOC 2 compliant cloud providers with 99.9% uptime SLA
  • Regular Backups: Automated daily backups with point-in-time recovery capabilities
  • Network Security: Firewall protection, DDoS mitigation, and intrusion detection systems
  • Isolation: Each user's environment is isolated to prevent unauthorized access

Authentication & Access Control

  • Secure password hashing using bcrypt with salt
  • Two-factor authentication (2FA) available for all accounts
  • Session management with automatic timeout after inactivity
  • Role-based access control (RBAC) for team features
  • OAuth 2.0 integration for third-party authentication

Application Security

  • Regular security audits and penetration testing
  • Automated vulnerability scanning of dependencies
  • Input validation and sanitization to prevent injection attacks
  • CSRF protection on all state-changing operations
  • Content Security Policy (CSP) headers to prevent XSS attacks
  • Rate limiting to prevent abuse and brute-force attacks

Code & Data Privacy

  • Your code is private by default and never shared without your permission
  • AI features process code securely without storing it permanently
  • Option to use local AI models for sensitive projects
  • Data deletion upon account termination
  • No third-party tracking or analytics on your code

Compliance & Certifications

  • GDPR compliant with data protection by design
  • SOC 2 Type II certification in progress
  • CCPA compliant for California residents
  • Regular third-party security assessments

Incident Response

We have a dedicated security team monitoring for threats 24/7. In the event of a security incident:

  • Immediate investigation and containment procedures
  • Affected users notified within 72 hours
  • Transparent communication about the incident and remediation steps
  • Post-incident review to prevent future occurrences

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email: security@flocod.dev
  • PGP key available for encrypted communication
  • We respond to all reports within 48 hours
  • Bug bounty program for eligible vulnerabilities
  • Hall of Fame recognition for security researchers

Best Practices for Users

  • Use a strong, unique password for your Flocod account
  • Enable two-factor authentication
  • Keep your recovery codes in a secure location
  • Regularly review account activity and authorized applications
  • Report suspicious activity immediately
  • Keep your local development environment secure

Questions?

For security-related questions or concerns, contact our security team at security@flocod.dev.