Security

Our Commitment to Security

Security is fundamental to FlowSpace. We protect your data with industry-standard encryption, access controls, and monitoring.

Infrastructure Security

  • Data at rest: AWS DynamoDB with encryption at rest (US-based regions)
  • Data in transit: All communication uses TLS 1.2+ encryption
  • Access controls: AWS IAM restricts data access to authorized personnel only
  • Monitoring: AWS CloudWatch logging and audit trails
  • Backups: DynamoDB Point-in-Time Recovery (PITR) enabled on critical tables

Application Security

  • Local database: SQLCipher encrypted SQLite for on-device data
  • Credential storage: OS keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service) — never plaintext
  • Content Security Policy: Strict CSP headers prevent XSS attacks
  • Electron hardened runtime: Sandbox enabled with context isolation
  • Code signing and notarization: macOS builds are signed and notarized by Apple
  • Input validation: All user inputs sanitized via Zod schemas
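As an added illustration of the Electron and CSP bullets above (example code, not FlowSpace's own), the following expresses the hardened renderer settings as a webPreferences object and a strict CSP string, and adds a small linter that flags a configuration that has drifted from that baseline. The API origin is a placeholder; the directive set is an assumed strict policy, not the one FlowSpace ships.

```javascript
// Added example (not FlowSpace's own code): Electron hardening and CSP
// settings expressed as data, plus a linter for drift.

// Placeholder API origin; FlowSpace's real endpoint is not on the page.
const API_ORIGIN = "https://api.example.invalid";

// Assemble a strict CSP string: no inline script, no plugins, no framing,
// network access limited to same-origin and the API origin.
function buildCsp(apiOrigin = API_ORIGIN) {
  const directives = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", apiOrigin],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// The webPreferences a hardened BrowserWindow would be created with:
//   new BrowserWindow({ webPreferences: hardenedWebPreferences(preloadPath) })
function hardenedWebPreferences(preloadPath) {
  return {
    sandbox: true,                  // renderer runs inside the OS sandbox
    contextIsolation: true,         // preload and page scripts get separate JS worlds
    nodeIntegration: false,         // page scripts cannot require() Node modules
    nodeIntegrationInWorker: false,
    webSecurity: true,              // keep the same-origin policy enforced
    allowRunningInsecureContent: false,
    preload: preloadPath,
  };
}

// Lint a webPreferences object against the baseline above. Returns one
// message per weakened or unset boolean; an empty array means it passes.
function findWeakenedSettings(prefs) {
  const baseline = hardenedWebPreferences();
  const problems = [];
  for (const [key, want] of Object.entries(baseline)) {
    if (key === "preload") continue;
    if (prefs[key] !== want) {
      problems.push(`${key} should be ${want}, got ${prefs[key]}`);
    }
  }
  return problems;
}

// Body of a session.webRequest.onHeadersReceived handler: return the original
// response headers with the CSP attached so every loaded document carries it.
function withCspHeader(responseHeaders, csp = buildCsp()) {
  return { ...responseHeaders, "Content-Security-Policy": [csp] };
}
```

Running findWeakenedSettings over the object actually passed to BrowserWindow at startup (or in a unit test) catches the common regression where a developer flips sandbox or nodeIntegration for a debugging session and forgets to revert it.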

Authentication

  • Managed by AWS Cognito
  • Sign-in via Google OAuth or Apple Sign-In
  • Auth tokens stored in your OS secure keychain
  • Token refresh handled automatically — no passwords stored

AI Data Security

  • AI tutoring uses Google Gemini API (cloud processing)
  • Only question text and course materials are sent — never your name, email, or identity
  • Google does not store your data after processing your request
  • Google does not use your data to train or improve AI models (per Google Cloud DPA)
  • All AI disclosures logged in FERPA-compliant audit trail

Analytics Privacy

  • Anonymous usage analytics via PostHog
  • Anonymous identifier only — cannot be linked to your name or email
  • No autocapture, no session recording, no pageview tracking
  • Memory-only persistence — no cookies or localStorage
  • Analytics never shared with institutions or professors

Beta Status

FlowSpace is currently in beta. Security measures are continuously evolving and improving. We take the security of your data seriously at every stage of development.

Responsible Disclosure

We appreciate security researchers and users who help us maintain the security of FlowSpace. If you discover a security vulnerability, please report it responsibly.

How to Report

Please email security details to: hello@myflowspace.app

Include in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity
  • Your contact information (for follow-up)

Our Response

  • We will acknowledge receipt within 48 hours
  • We will provide regular updates on our progress
  • We will credit you in our security acknowledgments (if desired)
  • We will notify you when the issue is resolved

Security Best Practices for Users

  • Keep your operating system updated
  • Use a strong, unique password for your computer account
  • Enable two-factor authentication on your Google account
  • Download FlowSpace only from the official website or GitHub releases
  • Report suspicious behavior to hello@myflowspace.app

Security Acknowledgments

We thank the following individuals for responsibly disclosing security vulnerabilities:

(No vulnerabilities have been reported yet)

Contact

For security or general inquiries, please contact: hello@myflowspace.app