Security & data handling
Where your data goes when you connect Salesforce and GitHub. No marketing fog.
Your data, in plain English
In your control
Salesforce metadata in your org. Source-of-truth in your private GitHub repo. Audit log in your Git history. None of this lives in our database.
In ours
OAuth tokens (encrypted at rest, KMS-managed). Account email + team membership. Run history (which request triggered which PR). Drift hashes — not the metadata itself.
Encryption posture
TLS 1.2+ on every API call
No exceptions. Every Salesforce, GitHub, and FlowSprite endpoint is HTTPS-only.
OAuth tokens encrypted at rest
Envelope encryption with AWS KMS. Keys rotate; envelopes re-wrap.
Sensitive headers redacted at the edge
No customer data persisted in logs. Sensitive request headers are stripped before any log enters our pipeline.
GitHub at-rest encryption
GitHub holds the metadata; their standard at-rest encryption applies. We don't centralize your metadata in our database.
Compliance status
- SOC 2 Type II — currently in observation period (target completion Q3 2026).
- GDPR — EU data residency available on request (Frankfurt region).
- HIPAA — not currently in scope; reach out if you need a BAA.
Need security review docs?
Email security@flowsprite.com for the data flow diagram, sub-processor list, and current SOC 2 evidence.