Security & Infrastructure

Last updated: July 2025

1. Introduction

LoadFlow is committed to protecting the integrity, confidentiality, and availability of your data. Whether you're querying our API or accessing our dashboard, we apply modern security best practices across our infrastructure, application code, and third-party services.

This page outlines how we secure the LoadFlow platform, including network security, data encryption, API key handling, account protections, and compliance posture.

2. Platform Security Architecture

LoadFlow runs on a secure cloud-based architecture hosted on hardened Linux containers using managed cloud services. Our platform is composed of:

• Frontend Hosting: Vercel-managed edge deployment with automatic HTTPS
• Backend API: Flask-based application hosted on secured DigitalOcean droplet(s)
• Database: PostgreSQL with SSL enforcement and encrypted backups
• File Storage: Managed volumes with encrypted-at-rest backups and offsite redundancy
• Monitoring: Custom UptimeRobot and Grafana dashboards with anomaly detection

All backend services are restricted to internal access only via strict firewall rules and reverse proxy headers. LoadFlow does not expose internal system tools or databases to the public internet.

3. API Key Management & Usage Control

Every LoadFlow customer is issued a unique API key for authentication and usage tracking. These keys are:

• Stored encrypted in our backend database with strict column-level access control
• Only accessible by LoadFlow’s authentication logic — never exposed in logs or client-side code
• Revocable at any time via the customer dashboard
• Rate-limited and usage-logged per key to detect misuse or abuse

API keys must not be embedded in frontend JavaScript or published in public repositories. Customers are responsible for securely storing and rotating keys if compromise is suspected.

4. Transport Encryption

All LoadFlow services enforce HTTPS with TLS 1.2 or higher for all traffic. We:

• Redirect all plain HTTP requests to HTTPS automatically
• Use modern TLS ciphers and disable deprecated SSL versions
• Refuse connections from outdated or insecure browsers and clients

Data in transit — including API requests, dashboard interactions, and Stripe billing workflows — is always encrypted end-to-end.

5. Authentication & Password Security

LoadFlow stores hashed passwords using the bcrypt algorithm with random salts. We:

• Never store raw passwords or use reversible encryption
• Enforce minimum password length and character requirements
• Throttle failed login attempts to prevent brute-force attacks
• Support secure reset flows using expiring tokens with signed URLs

Customers are encouraged to use password managers and rotate credentials periodically. Enterprise accounts may request multi-user authentication rules.

6. Internal Access Controls

Access to LoadFlow systems is governed by the principle of least privilege. Only senior engineering and operations personnel may access production data, and only via secured authentication pathways. We:

• Use SSH keys and 2FA on all root-level access to backend infrastructure
• Limit dashboard access by environment (e.g., staging vs. production)
• Audit access logs regularly and flag unauthorized sessions for review
• Restrict support personnel to customer metadata only — no password or billing access

No LoadFlow employee may access customer API logs, payloads, or datasets unless required for support or security reasons and only with logging enabled.

7. Logging & Abuse Detection

LoadFlow logs all API access attempts, including:

• Timestamp
• Endpoint requested
• Key ID and plan tier
• IP address and geolocation fingerprint
• Rate-limit or abuse flag status (if applicable)

Logs are retained for 90–180 days depending on severity and are encrypted at rest. Customers flagged for quota evasion, scraping, or brute force API enumeration may be automatically suspended pending review.

8. Vulnerability Reporting & Disclosure

LoadFlow welcomes responsible security disclosures. If you believe you’ve found a security issue, please report it privately to:

Email: security@loadflowlogistics.com

Do not publicly disclose vulnerabilities until we have confirmed and resolved them. We respond to all legitimate reports within 3–5 business days. Public or bounty programs may be introduced in the future.

9. Hosting Infrastructure & Physical Security

LoadFlow uses DigitalOcean and Vercel to host its infrastructure. These providers maintain their own SOC 2 Type II, ISO 27001, and physical security certifications. LoadFlow:

• Does not colocate or self-host physical servers
• Operates entirely within secured data centers in U.S. regions
• Relies on encrypted volume snapshots and region failover plans

Physical access to cloud data centers is restricted by the infrastructure providers and not managed by LoadFlow personnel.

10. Contact & Legal Notice

For questions about security, responsible disclosure, or regulatory compliance, contact:

• Email: support@loadflowlogistics.com
• Security Reports: security@loadflowlogistics.com
• Business Entity: LoadFlow Logistics LLC
• Jurisdiction: Wyoming, United States