|

Data Protection

Encryption in Transit

All connections to Nuvflo use TLS 1.3 encryption. We enforce HTTPS for all traffic and use HSTS to prevent downgrade attacks.

Encryption at Rest

Sensitive data, including OAuth tokens and extracted billing information, is encrypted using AES-256 encryption before storage. Encryption keys are managed separately from encrypted data.

Token Security

OAuth tokens for connected email accounts are:

• Encrypted using AES-256 before storage
• Stored in isolated, access-controlled databases
• Automatically refreshed to maintain security
• Immediately deleted when you disconnect your account

Access Controls

Employee Access

We do not allow employees to read your email content unless you explicitly request support assistance. Our access policy:

• Access to production systems requires documented justification
• All access is logged and audited
• Support staff can only access your data with your explicit consent
• We follow the principle of least privilege

Authentication

• Strong password requirements with secure hashing (bcrypt)
• OAuth 2.0 for third-party integrations
• Session management with secure, HTTP-only cookies

Infrastructure Security

Hosting

Nuvflo is hosted on enterprise-grade infrastructure:

• Website: Netlify (SOC 2 Type II certified)
• Database: Supabase (SOC 2 Type II certified, powered by AWS)
• Edge functions: Cloudflare Workers (SOC 2 compliant)

Network Security

• DDoS protection via Cloudflare
• Web Application Firewall (WAF) rules
• Rate limiting to prevent abuse
• Security headers (X-Frame-Options, CSP, etc.)

Google Workspace Integration

When you connect your Gmail account, we follow Google's strict security requirements:

OAuth Scopes

We request only the minimum permissions necessary:

Limited Use Compliance

We comply with Google's Limited Use requirements:

• Gmail data is only used to provide refund assistance features
• We do not use Gmail data for advertising
• We do not sell or share Gmail data with third parties
• Human access to Gmail data is restricted to support you explicitly request

Revocation

You can revoke Nuvflo's access at any time:

• In-app: Use the "Disconnect" option in settings
• Google: Visit Google Account Permissions

Upon revocation, we immediately delete stored OAuth tokens.

AI/LLM Data Handling

When generating refund request drafts, we use OpenAI's API:

• No model training: Data sent to OpenAI via API is not used to train their models by default
• Minimal context: We send only extracted facts (amounts, dates, order numbers), not full email threads
• Abuse monitoring: OpenAI retains API logs for up to 30 days for abuse prevention
• No persistent storage: OpenAI does not store your data beyond temporary processing

Data Retention & Deletion

Retention Periods

Your Deletion Rights

You can delete your data at any time:

• In-app: "Delete my data" in account settings
• Email: Contact privacy@nuvflo.io

We process deletion requests within 30 days, except where retention is legally required.

Incident Response

In the event of a security incident:

• We have documented incident response procedures
• Affected users will be notified within 72 hours as required by GDPR
• We will provide details on the incident and remediation steps
• Post-incident reviews improve our security posture

Security Contact

To report security vulnerabilities or concerns:

• Email: security@nuvflo.io

We take all security reports seriously and will respond within 48 hours.

Compliance Roadmap

We are committed to continuous security improvement:

• Current: GDPR compliance, CCPA compliance, Google Limited Use compliance
• In progress: SOC 2 Type II certification preparation
• Planned: Annual third-party security assessments

Enterprise customers requiring specific compliance certifications or security assessments can contact enterprise@nuvflo.io.

Questions?

For security-related questions or to request additional information:

• Security: security@nuvflo.io
• Privacy: privacy@nuvflo.io
• Enterprise: enterprise@nuvflo.io