Your visitors’ data, treated like ours.
We host on Vercel + Neon (US East). Encryption at rest and in transit. Strict tenant isolation enforced at the data-access layer, audited on every mutation.
AES-256 at rest. TLS 1.3 in transit.
Database storage and object storage are encrypted at the platform level (Neon + Vercel Blob). Selfies, IDs and signatures are stored as encrypted assets and purged on the retention schedule.
- ✓ Encrypted at-rest storage
- ✓ TLS 1.3 enforced in transit
- ✓ Encrypted backups
No row of data leaks across customers.
Every query is scoped to the active tenant context via a data-access layer. Mission Control admin access is itself audited via signed impersonation tokens with a mandatory reason.
- ✓ Tenant-scoped queries enforced
- ✓ No cross-tenant joins possible
- ✓ Impersonation banner persisted in UI
Append-only record of every protected mutation.
Visit, watchlist, NDA, billing and impersonation events are recorded with actor, IP, user agent and timestamp. Immutable and exportable.
- ✓ Actor + IP + user agent on every event
- ✓ Reason required for sensitive ops
- ✓ CSV / JSON export with filters
Visitor self-service portal — access, delete, rectify.
Visitors can request access to, deletion of or rectification of their data via a magic-link portal. ID scans purge after 90 days by default; other categories configurable.
- ✓ Magic-link DSR portal for visitors
- ✓ Default 90-day ID scan retention
- ✓ Sub-processor list + DPA on request
TOTP 2FA mandatory for admins.
Magic-link sign-in plus TOTP authenticator codes. Single-use links with short TTL. Eight roles with fine-grained permissions per resource.
- ✓ TOTP 2FA + recovery codes
- ✓ Magic links with 5-minute TTL
- ✓ 8 roles · per-resource permissions
Crash reporting on every surface.
Sentry monitors the dashboard, kiosk and print bridge. Stripe webhooks and other external events are signature-verified. Responsible disclosure program in place.
- ✓ Sentry crash reporting
- ✓ Signed webhooks with retries
- ✓ security@visitorflow.com — 24h response
Found something? Tell us.
We respond to confirmed vulnerability reports within 24 hours. Critical fixes ship within 7 days. Researchers acting in good faith are protected — no legal action, ever.
Full sub-processor list published.
Every third-party vendor that processes customer data on behalf of FR8 Tech is listed at visitorflow.com/legal/sub-processors, including the service provided, data categories processed, hosting region, and a link to each vendor’s DPA. Tenants receive 30-day advance notice of any changes.