Security and trust
FLUXO holds maintenance, inspection, and compliance records that our customers depend on every day. This page describes how the platform is built and operated. Every statement here maps to a practice we actually run — nothing aspirational.
Architecture and tenant isolation
FLUXO is a multi-tenant platform on PostgreSQL. Every tenant record carries an organization identifier, and PostgreSQL Row-Level Security (RLS) policies enforce isolation at the database layer — beneath the application code — so one tenant’s users cannot read or write another tenant’s data. Role-based permissions (administrator, technician, viewer, and custom roles) are likewise enforced in database policy, not only in the interface.
Authentication
User sign-in is handled by Supabase Auth with short-lived JWT session tokens. Passwords are never stored by FLUXO; credential verification happens entirely inside Supabase Auth. Administrative access to production systems is limited to named HTECH personnel.
Encryption
All traffic between your browser or mobile device and FLUXO is encrypted in transit with TLS. Data at rest — the production database, file storage, and backups — is encrypted by our infrastructure provider (Supabase on AWS, AES-256).
Hosting and subprocessors
FLUXO runs on a small, deliberate set of infrastructure providers:
| Provider | Purpose | Region |
|---|---|---|
| Supabase (on AWS) | Database, authentication, file storage, serverless functions | AWS eu-west-1 (Dublin, Ireland) |
| Vercel | Web application and website hosting / CDN | Global edge network (US-headquartered) |
| Stripe | Billing and payment processing — card data never touches FLUXO servers | Global (US-headquartered) |
| SMTP relay | Transactional email (notifications, digests). Tenants may configure their own SMTP server so email never leaves their infrastructure | Platform-configured |
| AI providers (Anthropic, OpenAI, Google, DeepSeek) | RUBI AI assistant — invoked only on request; tenants may bring their own API key | Anthropic, OpenAI, Google: US; DeepSeek: China. Tenant-selectable per organisation |
| Sentry | Anonymised application error monitoring | US/EU |
| Google Analytics | Website usage analytics (marketing site only, never in-product data) | Global |
Backups and recovery
The production database is backed up automatically every day by Supabase. We are rolling out a monthly restore drill that recovers the latest backup into an isolated environment and verifies row counts and referential integrity on core tables; measured recovery-point and recovery-time figures (RPO/RTO) will be published on this page once the first drills complete.
Availability and monitoring
The production application is watched by independent external uptime checks every 30 minutes, plus automated daily end-to-end journey tests that exercise real sign-in, work-order, and inspection flows. A public status page is in rollout and will be linked here.
AI data handling
RUBI, the FLUXO AI assistant, calls a large-language-model provider only when a user invokes it, and only with the data needed to answer that request. Tenants can choose their provider and may bring their own API key, in which case AI traffic runs under the tenant’s own provider agreement. AI features are entitlement-gated and can be left disabled entirely.
Data export and deletion
Your data remains yours. Tenants can export their records at any time through the built-in report composer and compliance export functions (Excel/PDF). On contract termination, organization data is removed with a hardened deletion procedure that covers all dependent records, subject to the retention window in our privacy policy.
Responsible disclosure
If you believe you have found a security vulnerability in FLUXO or any HTECH service, please report it to the address below. We acknowledge reports promptly, will not pursue good-faith research, and ask that you give us reasonable time to remediate before public disclosure.
Security contact: security@htech.africa
Data processing agreement
A Data Processing Agreement (DPA), including the current subprocessor list below, is available on request for any customer or prospect. We update the subprocessor list before engaging a new subprocessor and notify customers with an active DPA of changes. Contact info@htech-global.online.