Security
Certifications
- SOC 2 Type II: most-recent observation period 2025-04-01 to 2026-03-31, by Prescient Assurance.
- ISO 27001:2022: work in progress; certification expected Q3 2026.
The full SOC 2 Type II report is available under NDA — request via security@devflow.io.
Encryption
All data at rest is encrypted with AWS KMS using a per-workspace key. Secrets ([variables-and-secrets]) are decrypted only inside our edge probes at execution time and are never written to logs. All traffic between our control plane and the probes is mTLS-authenticated.
Compliance
We are a processor under GDPR; you are the controller of your monitor configurations and check results. Standard DPA available; SCCs in place for EEA-to-US data transfers. CCPA/CPRA addendum is automatic for California customers. We do not sell personal data.
Sub-processors
We send change notifications 30 days before adding a new sub-processor.
| Vendor | Purpose | Region |
|---|---|---|
| AWS | Compute, networking, KMS | United States, Ireland |
| Google Cloud | Lisbon office tooling | EU |
| Stripe | Billing | United States |
| Slack | Internal communication | United States |
| Sentry | Error reporting | United States |
| HubSpot | Marketing CRM | United States |
| Postmark | Transactional email | United States |
| Linear | Engineering issue tracking | United States |
| Notion | Internal documentation | United States |
| 1Password | Internal secrets management | Canada |
Vulnerability disclosure
Report to security@devflow.io. We follow a 90-day coordinated-disclosure window, faster for critical issues. Bug bounty: discretionary, paid in USD by wire. Our last disclosed CVE, CVE-2025-32811 (the webhook-replay finding), has a public postmortem at /blog/a-postmortem-cve-2025-32811.