Security at FlockSoft
We pursued SOC 2 Type II, ISO 27001, GDPR, and HIPAA compliance before our first enterprise client asked for any of them. Security is not a checkbox at FlockSoft — it is the foundation on which every product and deployment is built.
Independently verified. Continuously maintained.
SOC 2 Type II
Independently audited annually by a third-party CPA firm. Covers security, availability, processing integrity, confidentiality, and privacy across all FlockSoft systems.
ISO 27001
Certified information security management system. Covers risk assessment, asset management, access control, cryptography, and supplier relationships.
GDPR
Full compliance with the General Data Protection Regulation for customers operating in or serving the European Economic Area. A data processing agreement (DPA) is available on request.
HIPAA
HIPAA-ready infrastructure for healthcare clients handling protected health information (PHI). A business associate agreement (BAA) is executed for every healthcare deployment. Full audit trail on all PHI-adjacent agent actions.
Compliance reports and certificates available to enterprise customers under NDA.
Built secure from the ground up.
- AES-256 encryption at rest for all customer data
- TLS 1.3 for all data in transit
- Customer data never used for model training
- Data residency options available for enterprise clients
- Automated data deletion on account termination
- Role-based access control (RBAC) with least-privilege defaults
- Multi-factor authentication required for all internal access
- Hardware security keys required for privileged access
- Quarterly access reviews for all systems
- Just-in-time provisioning for elevated permissions
- SOC 2 Type II certified cloud infrastructure (AWS)
- Network isolation via VPC with private subnets
- Web application firewall and DDoS protection
- Continuous vulnerability scanning and patching
- 24/7 intrusion detection and response
- Immutable audit log for every agent action
- Tamper-evident logging with cryptographic proofs
- Real-time SIEM monitoring and alerting
- Annual penetration testing by independent third parties
- Incident response plan with <1-hour detection SLA
- Security review required for all third-party vendors
- Sub-processor list published and maintained
- Annual vendor security assessments
- Data processing agreements with all sub-processors
- Vendor access limited to minimum necessary data
- Security review in every pull request
- SAST and DAST integrated into CI/CD pipelines
- Developer security training on hire and annually
- Responsible disclosure policy and bug bounty program
- Dependency scanning for known vulnerabilities
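The "tamper-evident logging with cryptographic proofs" line above states a property without describing how it is achieved. As an added illustration (this is not FlockSoft's code and says nothing about its actual implementation), the following shows one standard way to get that property: every audit record carries a keyed hash (HMAC-SHA256) over its own content and the previous record's hash, so an edit, reorder, insertion or mid-log deletion breaks the chain at a specific index. The key, the genesis value, the record layout and the three sample agent actions are all constructed for this example.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed values for the example. A real deployment would hold the MAC key
# in a KMS/HSM, not next to the log writer, and would anchor the chain head
# (the last hash) somewhere the writer cannot alter.
GENESIS = "0" * 64
KEY = b"example-verifier-key"


def canonical(body: dict) -> bytes:
    """Deterministic JSON so an identical record always hashes identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def record_mac(body: dict, key: bytes) -> str:
    """HMAC-SHA256 over (seq, prev, entry). Keyed rather than a plain hash so an
    attacker who can rewrite the whole log cannot recompute a consistent chain."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def append_entry(log: list, entry: dict, key: bytes) -> dict:
    """Append one audit record whose MAC covers the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "entry": entry}
    rec = dict(body, hash=record_mac(body, key))
    log.append(rec)
    return rec


def verify_chain(log: list, key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, first bad index).

    Catches edited, reordered, inserted and mid-log deleted records on its own.
    Silent truncation of the tail is only caught when expected_head (the last
    hash, anchored externally) is supplied; a missing tail otherwise looks valid.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: rec.get(k) for k in ("seq", "prev", "entry")}
        if (rec.get("seq") != i
                or rec.get("prev") != prev
                or not hmac.compare_digest(rec.get("hash", ""), record_mac(body, key))):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log(key: bytes = KEY) -> list:
    """Three constructed agent actions (not real events)."""
    log: list = []
    for entry in [
        {"agent": "scheduler-1", "action": "read", "resource": "patient/42",
         "ts": "2024-01-01T00:00:00Z"},
        {"agent": "scheduler-1", "action": "update", "resource": "patient/42",
         "ts": "2024-01-01T00:00:05Z"},
        {"agent": "billing-2", "action": "read", "resource": "invoice/7",
         "ts": "2024-01-01T00:01:00Z"},
    ]:
        append_entry(log, entry, key)
    return log


def tamper_entry(log: list, idx: int, field: str = "action", value: str = "delete") -> list:
    """Simulate an attacker rewriting one field of a stored record."""
    t = copy.deepcopy(log)
    t[idx]["entry"][field] = value
    return t


def delete_entry(log: list, idx: int) -> list:
    """Simulate an attacker removing one record from the middle of the log."""
    t = copy.deepcopy(log)
    del t[idx]
    return t


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]
    print(verify_chain(log, KEY, head))             # intact
    print(verify_chain(tamper_entry(log, 1), KEY))  # edited record detected
    print(verify_chain(delete_entry(log, 1), KEY))  # gap detected via seq/prev
    print(verify_chain(log[:-1], KEY))              # truncation passes without an anchor
    print(verify_chain(log[:-1], KEY, head))        # truncation caught with the anchor
```

Two things a reviewer should ask of any "cryptographic proof" claim follow directly from this example: who holds the key (a log writer that holds the MAC key can forge a consistent chain, so signing with a key in an HSM or a separate verifier is the usual answer), and where the chain head is anchored, since a chain alone cannot prove that its most recent records were not simply dropped.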
Found a vulnerability? Tell us.
FlockSoft operates a responsible disclosure program. If you discover a security vulnerability, please report it to our security team. We commit to acknowledging all reports within 24 hours and providing a fix or mitigation plan within 30 days for validated vulnerabilities.
We do not pursue legal action against researchers who follow responsible disclosure guidelines. We acknowledge all reporters who contribute to our security posture.
1. Email security@flocksoft.com with full details of the vulnerability
2. Include steps to reproduce, affected systems, and potential impact
3. Give us reasonable time to investigate before public disclosure
4. Do not access or modify data belonging to other customers
5. Do not perform denial-of-service attacks or destructive testing
Security questions? We answer them.
Our security team responds to all inquiries. For enterprise security reviews, compliance documentation, or vulnerability reports, reach out directly.