Fund Flow


Security & Compliance

Data Encryption

Fund Flow applies encryption at every layer of the data lifecycle.

Encryption at Rest

All data stored in Fund Flow databases is encrypted using AES-256-GCM, the same standard used by financial institutions and government agencies. This includes:

  • Investor personal and financial records
  • Deal and loan data
  • Documents and file attachments
  • AI-generated content and activity logs

Database volumes are encrypted at the infrastructure level. Even if physical storage media were to be removed, the data would be unreadable without the encryption keys.

Encryption in Transit

All data transmitted between your browser (or mobile device) and Fund Flow servers is protected by TLS 1.3. Connections using older TLS versions (1.0, 1.1) or weak cipher suites are rejected. Fund Flow enforces HTTPS on all endpoints — there is no unencrypted fallback.


Database Security

Row-Level Security (RLS)

Fund Flow uses PostgreSQL's Row-Level Security to enforce data isolation at the database level. Every query is automatically scoped to the authenticated organization. A query from Organization A cannot, even accidentally, return data belonging to Organization B. RLS is enforced by the database engine itself, not application code, making it immune to application-layer bugs that might bypass access checks.

Admin vs. Standard Database Access

Writes to audit and AI activity tables require an elevated AdminDatabase connection. Standard queries use the Database or Transaction type with RLS enforced. This separation means that even if application code is compromised, it cannot write to sensitive audit tables without the elevated credential.
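
The pattern the Row-Level Security and Admin vs. Standard sections describe, tenant isolation enforced by the database plus a separate elevated path for audit writes, shown as an added example that is not Fund Flow's actual schema. The table names, role names and the `app.current_org_id` setting are assumptions, and `gen_random_uuid()` assumes PostgreSQL 13 or later.

```sql
-- Added illustration: table, role and setting names are hypothetical.
CREATE ROLE app_standard NOLOGIN NOBYPASSRLS;  -- ordinary request path
CREATE ROLE app_admin    NOLOGIN NOBYPASSRLS;  -- elevated audit-writer path

CREATE TABLE deals (
    id     uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id uuid NOT NULL,
    name   text NOT NULL
);
CREATE TABLE audit_log (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id     uuid NOT NULL,
    action     text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- ENABLE applies policies to non-owner roles; FORCE applies them to the
-- table owner as well. Superusers and BYPASSRLS roles always skip RLS,
-- so the application must never connect as one.
ALTER TABLE deals     ENABLE ROW LEVEL SECURITY;
ALTER TABLE deals     FORCE  ROW LEVEL SECURITY;
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE  ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- writes that would land in another organization. An unset or empty
-- setting becomes NULL, so the comparison matches no rows (fail closed).
CREATE POLICY deals_org_isolation ON deals
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);
CREATE POLICY audit_org_isolation ON audit_log
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Table privileges are checked in addition to policies: the standard role
-- has no INSERT grant on audit_log, so only app_admin can write audit rows.
GRANT SELECT, INSERT, UPDATE, DELETE ON deals TO app_standard, app_admin;
GRANT SELECT         ON audit_log TO app_standard;
GRANT SELECT, INSERT ON audit_log TO app_admin;

-- Per-request scoping: role and organization are set inside the transaction.
BEGIN;
SET LOCAL ROLE app_standard;
SELECT set_config('app.current_org_id', '11111111-1111-1111-1111-111111111111', true);
SELECT id, name FROM deals;  -- policy restricts this to the organization set above
COMMIT;
```

With a connection pool, the role and organization setting must be transaction-scoped as shown (`SET LOCAL`, `set_config(..., true)`) so they do not carry over to the next request served on the same connection.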


Authentication & Access Control

Supabase Auth with Two-Factor Authentication (2FA)

Fund Flow uses Supabase Auth as its identity provider. All passwords are hashed with bcrypt — plain-text passwords are never stored. Two-factor authentication (2FA) using a TOTP authenticator app (Google Authenticator, Authy, 1Password, etc.) is available for all accounts and strongly recommended.

To enable 2FA, go to Profile > Security > Two-Factor Authentication.

Role-Based Access Control (RBAC)

Fund Flow enforces a five-tier RBAC model. Every user action is checked against the user's role before execution.

Role       Description
Owner      Full platform access including billing and organization deletion
Admin      Manage contacts, deals, documents, and team members; no billing access
Member     Full CRM and deal access; cannot manage team or billing
Analyst    Read-only access to deals, reports, and contacts
Investor   Investor portal access only; cannot see operator-facing data

Role changes take effect on the next login session for the affected user.


Document Security

Document Encryption

All uploaded documents (PDFs, DOCX, images) are encrypted at rest using the same AES-256-GCM standard as database records. Documents are stored in isolated, access-controlled buckets. Pre-signed URLs with short expiry times are used for document downloads — the URL itself cannot be shared and used indefinitely.

E-Signature Audit Trails

Every e-signature event is logged with:

  • Timestamp — UTC timestamp of when the action occurred
  • IP address — The signer's originating IP address
  • Signer identity — Email address and session token
  • Document hash — A SHA-256 hash of the document at the time of signing, confirming the document was not modified after signing

Completed e-signature records are immutable. The audit trail is stored separately from the document itself to ensure it remains intact even if the document is modified.


AI Data Privacy

Your Data is Not Used for Training

Data you enter into Fund Flow — contacts, deals, documents, communications — is never used to train shared or third-party AI models. AI processing occurs within your organization's isolated context. The AI has access only to the data you have explicitly linked to a task or conversation.

AI Activity Logging

All AI agent actions are logged in the Activity Log accessible at AI Command > Activity Log. Logs include what the AI was asked to do, what it did, who approved it, and when. Logs are retained for a minimum of 12 months.


Regulatory Compliance

Regulation D (Reg D)

Fund Flow is built to support workflows commonly used in Regulation D (Rule 506(b) and 506(c)) private securities offerings:

  • Investor accreditation tracking — Record and store accreditation documentation for each investor
  • Document audit trails — Track when documents were viewed, signed, and by whom
  • Investor-only access — Investor portal access is isolated from public-facing content

Fund Flow is a workflow and record-keeping platform, not a licensed securities broker-dealer or investment adviser. All compliance determinations for your specific offering must be made by qualified legal counsel. Nothing in Fund Flow constitutes legal or securities advice.

GDPR & Data Privacy

For organizations with European investors or operations:

  • Data access requests — Fund Flow can provide an export of all personal data held for a given individual upon request.
  • Right to erasure — Personal data can be deleted upon verified request. Financial records required for legal retention may be anonymized rather than deleted.
  • Data processing agreements (DPAs) — Available upon request for enterprise customers. Contact legal@fundflow.com.
  • Data residency — Data is processed and stored in the United States. International data transfers are governed by Standard Contractual Clauses (SCCs) where applicable.

Backups & Business Continuity

Automated Daily Backups

Database backups run automatically every day. Backups are:

  • Encrypted with AES-256 before storage
  • Stored in geographically separate regions from the primary database
  • Retained for 30 days on standard plans and 90 days on enterprise plans

Point-in-time recovery is available for databases — contact support to initiate a restore from a specific timestamp.

Uptime & Availability

Fund Flow targets 99.9% uptime for the application layer. Planned maintenance is announced via the status page at status.fundflow.com with at least 48 hours' notice. Emergency maintenance is communicated via in-app banners and email.


Session Security

Session Expiry

Authenticated sessions have an idle timeout. Sessions that are inactive for an extended period are automatically invalidated, requiring re-authentication. This protects accounts left open on shared or unattended devices.

Active Session Management

Users can view and terminate active sessions from Profile > Security > Active Sessions. If you see a session from an unrecognized device or location, terminate it immediately and change your password.

Login Attempt Rate Limiting

Fund Flow applies rate limiting to login attempts. Repeated failed attempts from the same IP address result in a temporary lockout to prevent brute-force attacks.


Incident Response

Security Incident Protocol

If Fund Flow detects or is notified of a security incident affecting customer data:

  1. The incident is triaged and contained within four hours of discovery.
  2. Affected customers are notified within 72 hours, consistent with GDPR breach notification requirements.
  3. A post-incident report is made available to affected customers upon request.
  4. Notifications include: what data was affected, what steps Fund Flow has taken, and what customers should do.

Reporting a Security Vulnerability

If you discover a potential security vulnerability in Fund Flow, please report it responsibly to security@fundflow.com. Do not publish vulnerability details publicly before contacting us. Fund Flow reviews all reported vulnerabilities promptly and credits researchers who follow responsible disclosure.
