Security

1. Tenant Isolation

Every record is scoped to an organization and enforced by database row-level security (RLS). Application code cannot bypass tenant boundaries from a user session.

Privileged operations run through audited, service-scoped paths separated from end-user access.

2. Authentication

Authentication is handled by a managed identity provider with secure session cookies and support for OAuth providers.

Passwords are never stored in plaintext. Recovery flows use single-use, time-limited links.

3. Encryption

Data is encrypted in transit (TLS) and at rest. Generated assets and uploads live in access-controlled object storage.

4. Auditability

Sensitive actions are recorded in an append-only audit log scoped to your organization, supporting compliance and incident review.

5. AI Data Handling

Inputs sent to AI providers for analysis, generation, and validation are transmitted securely under data-processing agreements and are not used to train shared models.

6. Responsible Disclosure

If you believe you have found a security vulnerability, please contact security@fluxstudio.ai. We investigate all credible reports promptly.