Trust

Security and trust

FLUXO holds maintenance, inspection, and compliance records that our customers depend on every day. This page describes how the platform is built and operated. Every statement here maps to a practice we actually run — nothing aspirational.

Architecture and tenant isolation

FLUXO is a multi-tenant platform on PostgreSQL. Every tenant record carries an organization identifier, and PostgreSQL Row-Level Security (RLS) policies enforce isolation at the database layer — beneath the application code — so one tenant’s users cannot read or write another tenant’s data. Role-based permissions (administrator, technician, viewer, and custom roles) are likewise enforced in database policy, not only in the interface.

Authentication

User sign-in is handled by Supabase Auth with short-lived JWT session tokens. Passwords are never stored by FLUXO; credential verification happens entirely inside Supabase Auth. Administrative access to production systems is limited to named HTECH personnel.

Encryption

All traffic between your browser or mobile device and FLUXO is encrypted in transit with TLS. Data at rest — the production database, file storage, and backups — is encrypted by our infrastructure provider (Supabase on AWS, AES-256).

Hosting and subprocessors

FLUXO runs on a small, deliberate set of infrastructure providers:

ProviderPurposeRegion
Supabase (on AWS)Database, authentication, file storage, serverless functionsAWS eu-west-1 (Dublin, Ireland)
VercelWeb application and website hosting / CDNGlobal edge network (US-headquartered)
StripeBilling and payment processing — card data never touches FLUXO serversGlobal (US-headquartered)
SMTP relayTransactional email (notifications, digests). Tenants may configure their own SMTP server so email never leaves their infrastructurePlatform-configured
AI providers (Anthropic, OpenAI, Google, DeepSeek)RUBI AI assistant — invoked only on request; tenants may bring their own API keyAnthropic, OpenAI, Google: US; DeepSeek: China. Tenant-selectable per organisation
SentryAnonymised application error monitoringUS/EU
Google AnalyticsWebsite usage analytics (marketing site only, never in-product data)Global

Backups and recovery

The production database is backed up automatically every day by Supabase. We are rolling out a monthly restore drill that recovers the latest backup into an isolated environment and verifies row counts and referential integrity on core tables; measured recovery-point and recovery-time figures (RPO/RTO) will be published on this page once the first drills complete.

Availability and monitoring

The production application is watched by independent external uptime checks every 30 minutes, plus automated daily end-to-end journey tests that exercise real sign-in, work-order, and inspection flows. A public status page is in rollout and will be linked here.

AI data handling

RUBI, the FLUXO AI assistant, calls a large-language-model provider only when a user invokes it, and only with the data needed to answer that request. Tenants can choose their provider and may bring their own API key, in which case AI traffic runs under the tenant’s own provider agreement. AI features are entitlement-gated and can be left disabled entirely.

Data export and deletion

Your data remains yours. Tenants can export their records at any time through the built-in report composer and compliance export functions (Excel/PDF). On contract termination, organization data is removed with a hardened deletion procedure that covers all dependent records, subject to the retention window in our privacy policy.

Responsible disclosure

If you believe you have found a security vulnerability in FLUXO or any HTECH service, please report it to the address below. We acknowledge reports promptly, will not pursue good-faith research, and ask that you give us reasonable time to remediate before public disclosure.

Security contact: security@htech.africa

Data processing agreement

A Data Processing Agreement (DPA), including the current subprocessor list below, is available on request for any customer or prospect. We update the subprocessor list before engaging a new subprocessor and notify customers with an active DPA of changes. Contact info@htech-global.online.