Security Policy

Effective Date: January 1, 2025

At Family Flow, LLC, we take the security of your family's data seriously. This Security Policy outlines the measures we implement to protect your information when using Family Flow.

1. Our Security Commitment

We are committed to:

  • Protecting the confidentiality, integrity, and availability of your data
  • Implementing industry-standard security controls
  • Continuously monitoring and improving our security posture
  • Responding promptly to security incidents
  • Being transparent about our security practices

2. Data Encryption

2.1 Data in Transit

All data transmitted between your device and Family Flow is encrypted using:

  • TLS 1.3 (Transport Layer Security) for all connections
  • HTTPS enforcement across all endpoints
  • Certificate pinning for mobile applications

2.2 Data at Rest

Your data stored on our servers is protected by:

  • AES-256 encryption for database storage
  • Encrypted backups with separate key management
  • Secure key storage using industry-standard practices

3. Authentication and Access Control

3.1 User Authentication

  • Secure password requirements with complexity rules
  • Password hashing using bcrypt with appropriate work factors
  • Optional two-factor authentication (2FA)
  • Session management with secure token handling
  • Automatic session expiration after inactivity

3.2 Access Control

  • Role-based access control within family accounts
  • Principle of least privilege for all system access
  • Regular access reviews and audits
  • Immediate access revocation upon account deletion

4. Infrastructure Security

4.1 Hosting Environment

Family Flow is hosted on secure, enterprise-grade infrastructure:

  • Vercel for application hosting with built-in DDoS protection
  • Supabase for database services with automatic security updates
  • Geographic data residency within the United States

4.2 Network Security

  • Web Application Firewall (WAF) protection
  • DDoS mitigation and traffic filtering
  • Regular vulnerability scanning
  • Intrusion detection and monitoring

5. Application Security

5.1 Secure Development

Our development practices include:

  • Security-focused code reviews
  • Automated security testing in CI/CD pipeline
  • Dependency vulnerability scanning
  • Regular security assessments

5.2 API Security

  • API authentication and rate limiting
  • Input validation and sanitization
  • Protection against common vulnerabilities (OWASP Top 10)
  • Secure API key management

6. Third-Party Security

We carefully vet and monitor our third-party service providers:

  • OpenAI: SOC 2 Type II certified, data processing agreement in place
  • Supabase: SOC 2 Type II certified, enterprise security features
  • Vercel: SOC 2 Type II certified, enterprise-grade security
  • Stripe: PCI DSS Level 1 certified for payment processing

All third parties are bound by data processing agreements with strict security requirements.

7. Data Backup and Recovery

  • Automated daily backups with encryption
  • Geographic backup redundancy
  • Regular backup restoration testing
  • Point-in-time recovery capabilities
  • Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

8. Incident Response

In the event of a security incident, we will:

  • Investigate and contain the incident immediately
  • Assess the scope and impact of the breach
  • Notify affected users within 72 hours of confirmed breach
  • Provide clear information about what occurred and remediation steps
  • Report to relevant authorities as required by law
  • Conduct post-incident review and implement improvements

9. Employee Security

  • Background checks for employees with data access
  • Security awareness training for all staff
  • Strict access controls based on job requirements
  • Confidentiality agreements
  • Secure offboarding procedures

10. Physical Security

Our infrastructure providers maintain:

  • 24/7 physical security and surveillance
  • Biometric access controls
  • Environmental controls and monitoring
  • Redundant power and connectivity

11. Compliance

Family Flow is designed to comply with:

  • COPPA (Children's Online Privacy Protection Act) through parent-controlled accounts
  • California Consumer Privacy Act (CCPA) requirements
  • Industry-standard security frameworks

12. Security Recommendations for Users

To help protect your account, we recommend:

  • Use a strong, unique password for your Family Flow account
  • Enable two-factor authentication when available
  • Keep your devices and browsers updated
  • Log out when using shared devices
  • Review connected third-party services regularly
  • Report suspicious activity immediately

13. Reporting Security Issues

If you discover a security vulnerability, please report it to us responsibly at privacy@familyflowai.com

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment

We appreciate responsible disclosure and will acknowledge receipt within 48 hours.

14. Updates to This Policy

We may update this Security Policy as our practices evolve. Significant changes will be communicated through our standard notification channels.

15. Contact Information

For security-related inquiries:

Family Flow, LLC

14300 E US Hwy 40, Kansas City, MO 64136

Email: privacy@familyflowai.com

Related Policies

Privacy Policy

How we collect and use your data

Cookie Policy

How we use cookies and tracking

Terms of Service

Rules for using Family Flow