DevFlow

Compliance: SOC 2 Type II, GDPR, CCPA, processors

Owner Priya Iyer · Last updated 2026-04-10 · v3.4
Tags: compliance, soc2, gdpr, ccpa, dpa, processors

Compliance

DevFlow's compliance footprint, the short version. The legal-grade artefacts live behind a request form on /security; this is the engineering-grade summary.

SOC 2 Type II

DevFlow has been SOC 2 Type II certified since November 2023. Most recent observation period: 2025-04-01 to 2026-03-31. Auditor: Prescient Assurance. The report is available under NDA; request it via security@devflow.io.

GDPR

We are a processor for our customers (you're the controller of your monitor configs and check results). We have:

  • A standard DPA available as part of our rest-api-overview-driven account creation flow, or by request.
  • Standard Contractual Clauses for EEA → US data transfers (replaces the now-defunct Privacy Shield).
  • Sub-processor list at /security, with email subscription for changes.

CCPA / CPRA

We comply with the CCPA and CPRA "do not sell" requirement; we do not sell personal data. The CCPA addendum to the DPA is automatic for California customers.

Sub-processors

The full list lives at /security and includes AWS, Google Cloud (Lisbon office tooling), Stripe (billing), Slack, Sentry (errors), and HubSpot (marketing). We send change notifications 30 days before adding a new sub-processor.

What we hold

See data-retention for the engineering-grade view of what we store and for how long.

Reporting an issue

Email security@devflow.io. The PGP key for encrypted email is on /security. The coordinated disclosure window is 90 days; faster on critical.
