🔒Zero Trust Platform

Security FirstZero Trust Architecture

Pubflow is built on Zero Trust principles. Every request is verified, every secret is protected, and every system is audited.

Contact Security Team Security Docs

What is Zero Trust?

Never trust, always verify. Every request is authenticated and authorized.

🔐

Verify Everything

No implicit trust

Every request is verified with trust tokens. No request is trusted by default—even from internal services.

🛡️

Least Privilege

Minimal access rights

Users and services only get the minimum permissions needed. Access is granted on a need-to-know basis.

📊

Assume Breach

Always ready

We design systems assuming they could be breached. Multiple layers of defense protect your data.

Flowless Authentication Security

Industry-leading password security and session management

🔑

Argon2 Password Hashing

State-of-the-art encryption

Flowless uses Argon2id for password hashing—the winner of the Password Hashing Competition and recommended by OWASP.

✓Memory-hard algorithm (resists GPU attacks)

✓Side-channel attack resistant

✓Configurable time and memory costs

✓Salted and peppered automatically

🎫

Trust Token Validation

Every request is verified

Session tokens are cryptographically signed and validated on every request using Bridge validation.

✓JWT with RS256 signature

✓Short-lived tokens (configurable TTL)

✓Automatic token rotation

✓Revocation support

✅

Passwords Are Never Stored in Plain Text

Flowless never stores passwords in plain text or reversible encryption. All passwords are hashed with Argon2id before being stored. Even Pubflow staff cannot access user passwords.

Enterprise Secrets Management

Database credentials and sensitive data protected with Azure Key Vault

Azure Key Vault Integration

Enterprise-grade secrets management

What secrets are protected?

🔐

Database Credentials

PostgreSQL, MySQL, LibSQL connection strings and passwords

🔑

API Keys & Tokens

Third-party service credentials, OAuth secrets, webhook signing keys

🛡️

Encryption Keys

JWT signing keys, data encryption keys, session secrets

📧

Email & Communication Secrets

SMTP credentials, SendGrid API keys, Twilio tokens

🏷️

Sensitive Tag Protection

All secrets marked as critical are:

✓Encrypted at rest in Azure Key Vault with FIPS 140-2 Level 2 validated HSMs
✓Encrypted in transit with TLS 1.3
✓Fully audited with Azure Monitor and logging
✓Access controlled with RBAC and managed identities
✓Automatically rotated based on security policies

📊

Complete Audit Trail

Every access to sensitive secrets is logged and monitored:

•Who accessed the secret (service identity)
•When the access occurred (timestamp with timezone)
•What operation was performed (read, write, delete)
•Where the request came from (IP address and region)

🛡️

Responsible Security Disclosure

We take security seriously and appreciate the security research community

Report a Security Vulnerability

If you've discovered a security vulnerability in Pubflow, Flowless, Flowfull, or any of our products, please report it to:

security@pubflow.com

What to include in your report:

1.Description of the vulnerability and its potential impact
2.Steps to reproduce the issue (proof of concept)
3.Affected components (Flowless, Flowfull, Bridge Payments, etc.)
4.Your contact information for follow-up
5.Any suggested fixes or mitigations (optional)

Our Commitment:

✓We will respond to your report within 24 hours
✓We will keep you updated on our progress
✓We will credit you in our security advisories (unless you prefer to remain anonymous)
✓We will not take legal action against security researchers acting in good faith

Security Patches & Suggestions:

For general security suggestions, configuration improvements, or non-critical security patches, please also email security@pubflow.com. We review all suggestions and implement improvements regularly.

Build with confidence

Start building secure applications with Pubflow's Zero Trust architecture

Get Started Free Security Documentation