Security First
Zero Trust Architecture
Pubflow is built on Zero Trust principles. Every request is verified, every secret is protected, and every system is audited.
What is Zero Trust?
Never trust, always verify. Every request is authenticated and authorized.
Verify Everything
No implicit trust
Every request is verified with trust tokens. No request is trusted by default, even from internal services.
Least Privilege
Minimal access rights
Users and services only get the minimum permissions needed. Access is granted on a need-to-know basis.
Assume Breach
Always ready
We design systems assuming they could be breached. Multiple layers of defense protect your data.
Flowless Authentication Security
Industry-leading password security and session management
Argon2 Password Hashing
State-of-the-art password hashing
Flowless uses Argon2id for password hashing, the winner of the Password Hashing Competition and recommended by OWASP.
- Memory-hard algorithm (resists GPU attacks)
- Side-channel attack resistant
- Configurable time and memory costs
- Salted and peppered automatically
Trust Token Validation
Every request is verified
Session tokens are instantly validated on every request. We use secure opaque identifiers with strict context validation (IP, browser, and device binding) instead of vulnerable JWTs.
- Opaque Sessions (Not JWT)
- Instant token revocation
- Automatic token rotation
- No algorithm confusion vectors
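As an added illustration of the opaque-session model described above (not Pubflow or Flowless code), the sketch below shows a server-side store in which tokens are random identifiers, only their hash is kept, and every lookup rechecks IP, browser, and device context. The SessionStore class, its in-memory dictionary, the TTL, and the choice to revoke on a context mismatch are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Hypothetical in-memory opaque-session store (constructed for illustration)."""

    def __init__(self, ttl=900):
        self.ttl = ttl
        self._rows = {}  # sha256(token) -> {"user", "ctx", "exp"}

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored, so a leaked table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _ctx(ip, user_agent, device_id):
        # Fingerprint of the request context the session is bound to.
        return hashlib.sha256("\x1f".join((ip, user_agent, device_id)).encode()).hexdigest()

    def issue(self, user_id, ip, user_agent, device_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random identifier, carries no claims or algorithm header
        self._rows[self._key(token)] = {
            "user": user_id, "ctx": self._ctx(ip, user_agent, device_id), "exp": now + self.ttl}
        return token

    def revoke(self, token):
        # Revocation is immediate: the next lookup finds no row.
        self._rows.pop(self._key(token), None)

    def validate(self, token, ip, user_agent, device_id, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(self._key(token))
        if row is None:
            return None
        expired = now >= row["exp"]
        mismatch = not hmac.compare_digest(row["ctx"], self._ctx(ip, user_agent, device_id))
        if expired or mismatch:
            self.revoke(token)  # assumption: a context mismatch is treated as a stolen token
            return None
        return row["user"]

    def rotate(self, token, ip, user_agent, device_id, now=None):
        # Swap a valid token for a fresh one; the old token stops working at once.
        user = self.validate(token, ip, user_agent, device_id, now)
        if user is None:
            return None
        self.revoke(token)
        return self.issue(user, ip, user_agent, device_id, now)
```

Because the token is only a lookup key, there is no signature or algorithm field for a client to tamper with, and deleting the row is enough to end the session.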
Passwords Are Never Stored in Plain Text
Flowless never stores passwords in plain text or reversible encryption. All passwords are hashed with Argon2id before being stored. Even Pubflow staff cannot access user passwords.
Enterprise Secrets Management
Database credentials and sensitive data protected with Azure Key Vault
Database Credentials
PostgreSQL, MySQL, LibSQL connection strings and passwords
API Keys & Tokens
Third-party service credentials, OAuth secrets, webhook signing keys
Signing Keys
Signing keys, data encryption keys, session secrets
Email & Communication Secrets
SMTP credentials, provider API keys, webhook tokens
Sensitive Tag Protection
All secrets marked as critical are:
- Encrypted at rest in Azure Key Vault with FIPS 140-2 Level 2 validated HSMs
- Encrypted in transit with TLS 1.3
- Fully audited with Azure Monitor and logging
- Access controlled with RBAC and managed identities
Complete Audit Trail
Every access to sensitive secrets is logged and monitored:
- Who accessed the secret (service identity)
- When the access occurred (timestamp with timezone)
- What operation was performed (read, write, delete)
- Where the request came from (IP address and region)
Responsible Security Disclosure
We take security seriously and appreciate the security research community
If you've discovered a security vulnerability in Pubflow, Flowless, Flowfull, or any of our products, please report it to: security@pubflow.com