Security & Compliance

Enterprise-Grade Security

AetherFlow is designed from the ground up for regulated industries — healthcare, legal, financial services, and government. Our local-agent architecture means your documents never leave your network. Our encryption and access controls meet the bar for the most demanding enterprise security reviews.

  • SOC 2 Type II: Infrastructure
  • AES-256-GCM: Encryption at Rest
  • TLS 1.2+: In Transit
  • Zero Document Storage: Local Agent Architecture
Data Protection

Your Data, Encrypted

Credentials and configuration are encrypted at rest. Documents never touch our infrastructure — they flow directly between source and target via the local agent running on your network.

Encryption at Rest

Connector credentials and sensitive configuration are encrypted using AES-256-GCM with per-tenant envelope keys before being stored. Raw credentials are never persisted.

Encryption in Transit

All API communication uses TLS 1.2 or higher. Connections using deprecated protocols or weak cipher suites are rejected at the transport layer.

Zero Document Storage

AetherFlow never stores your documents. Content flows directly between source and target via the local agent running inside your network perimeter.

Identity

Authentication & Access

Multiple authentication methods, role-based access, and short-lived tokens — designed for enterprise identity management requirements.

  • Supabase Auth: bcrypt password hashing with salted rounds
  • Azure AD SSO: Microsoft OIDC / OpenID Connect integration
  • RBAC: Admin, User, and Viewer role tiers
  • API Keys: Service accounts with IP allowlisting
  • JWT Auth: Cross-service tokens, 300s expiry
Multi-Tenancy

Tenant Isolation

Every query, every record, every credential is scoped to your tenant. Cross-tenant data access is architecturally impossible by design.

Enforced at Query Level

Strict tenant_id filtering is applied to every database query — not as application-level logic, but enforced at the data layer via Supabase Row-Level Security policies.

Row-Level Security

PostgreSQL RLS policies guarantee that even if application logic had a bug, queries would still return only your tenant's data.

Per-Tenant Encryption Keys

Credential encryption keys are derived per-tenant. A compromise of one tenant's key cannot expose another tenant's data.

Infrastructure & Compliance

Built on SOC 2 certified providers. Every administrative action is logged, tracked, and auditable.

Infrastructure

  • Hosted on Render — SOC 2 Type II compliant
  • Database on Supabase — SOC 2 Type II, HIPAA available
  • Redis for ephemeral job queues only — no PII stored
  • US-based data centers
  • Automated failover and high availability

Audit & Compliance

  • Comprehensive audit logging for all administrative actions
  • Field-level change tracking for every migration operation
  • GDPR and CCPA compliant — see Privacy Policy
  • Automated reconciliation reports for compliance verification
  • Immutable log records — entries cannot be modified or deleted

Agent Security

  • Local agent runs on customer's own infrastructure
  • Document content never leaves the customer's network
  • Documents flow through the agent — not through AetherFlow servers
  • Agent authenticates via API key + tenant ID verification
  • Agent connections are outbound-only — no inbound firewall rules required

Monitoring & Response

  • Automated anomaly detection on API access patterns
  • Rate limiting and brute-force protection on all endpoints
  • Security incident response plan with 72-hour breach notification
  • Regular dependency audits and vulnerability scanning
  • Penetration testing on an annual cadence

Responsible Disclosure

If you discover a security vulnerability in AetherFlow, please report it responsibly. We will acknowledge your report within 24 hours and work with you to address it promptly.

security@final-phase.com

Security Reviews

Enterprise procurement often requires security questionnaires, architecture diagrams, or compliance documentation. We support your security review process — contact us and we'll work with your security team directly.

Privacy & Compliance Docs

Our full Privacy Policy, Terms of Service, and GDPR/CCPA data processing terms are available for review. Enterprise customers can request a Data Processing Agreement (DPA).

Ready to Start Your Security Review?

We work directly with enterprise security teams. Request a demo and we'll walk you through our architecture, answer your questionnaire, and provide all the documentation your team needs.