Encryption
In transit. All traffic between your browser, the Certflo API, and the document storage layer travels over TLS 1.2 or higher. Connections that try to negotiate anything below TLS 1.2 are refused. HSTS is enabled on every public endpoint.
At rest. Every document you upload is encrypted with AES-256 on the storage layer. Every record in the Postgres database is encrypted with AES-256, and backups are encrypted to the same standard. Data is decrypted only in memory while the application or database is processing it; it is never written to disk or sent over the network unencrypted, end to end.
Tenant Isolation
Every carrier is a separate workspace. Data does not flow between workspaces. Isolation is enforced three ways:
- Row-level security in Postgres. Every user-data table has an RLS policy that gates reads and writes to the authenticated user's workspace membership. The database will not return rows from a workspace the user is not a member of, even if the application code has a bug.
- Storage path isolation. Every document in object storage is stored at <workspace_id>/<document_id>/<filename>. The storage RLS policy checks workspace membership before any read or write.
- No shared credentials. Each user authenticates individually. No carrier shares a service account or API key.
Role-Based Access
Within a workspace, access is further restricted by role (branch manager, supervisor, dispatch, driver). Drivers see only their own files. Dispatch sees load assignment and compliance status, not medical variance details. Branch managers see everything in their workspace. Role enforcement happens at the data layer (RLS policies), not just the UI.
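As an added example, not Certflo's own schema or policies, the following SQL shows how the workspace isolation described under Tenant Isolation and the role rules in this section can be expressed as Postgres row-level security policies on a Supabase-style setup. The table, column, policy and function names are assumed, as are the rule for supervisors (treated like branch managers here) and the rule for who may write; `auth.uid()` and `storage.foldername()` are Supabase-provided functions.

```sql
-- Added example (not Certflo's schema): a minimal Postgres/Supabase layout that
-- enforces workspace isolation and per-role visibility in RLS policies.
-- Table, column and policy names are assumed; auth.uid() and
-- storage.foldername() are Supabase-provided functions.

create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  role         text not null
    check (role in ('branch_manager', 'supervisor', 'dispatch', 'driver')),
  primary key (workspace_id, user_id)
);

create table documents (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  owner_id     uuid not null,   -- the driver the file belongs to
  kind         text not null,   -- e.g. 'medical_variance', 'compliance_status'
  path         text not null    -- '<workspace_id>/<document_id>/<filename>'
);

-- Caller's role in a workspace, or NULL if not a member. SECURITY DEFINER so the
-- lookup is not itself subject to RLS on workspace_members (avoids recursion);
-- search_path is pinned so the function cannot be redirected to a shadowed table.
create or replace function member_role(ws uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from workspace_members
  where workspace_id = ws and user_id = auth.uid()
$$;

alter table documents enable row level security;
-- Apply the policies to the table owner as well. Roles with BYPASSRLS (such as
-- Supabase's service role) still skip them, so that key must never reach a client.
alter table documents force row level security;

-- Reads: non-members get nothing; drivers see only their own files; dispatch
-- sees everything except medical variance records; managers/supervisors see all.
-- The decision is made in the database, so a bug in application code cannot
-- widen it.
create policy documents_select on documents for select using (
  case member_role(workspace_id)
    when 'branch_manager' then true
    when 'supervisor'     then true
    when 'dispatch'       then kind <> 'medical_variance'
    when 'driver'         then owner_id = auth.uid()
    else false
  end
);

-- Writes (assumed rule): managers and supervisors only. WITH CHECK stops a
-- caller from inserting or moving a row into a workspace they do not manage.
create policy documents_write on documents for all
  using      (member_role(workspace_id) in ('branch_manager', 'supervisor'))
  with check (member_role(workspace_id) in ('branch_manager', 'supervisor'));

-- Object storage: the first path segment is the workspace id, so the same
-- membership check gates the file itself, not just its database row.
create policy storage_documents_read on storage.objects for select using (
  bucket_id = 'documents'
  and member_role((storage.foldername(name))[1]::uuid) is not null
);

-- Quick check from psql as the unprivileged role: impersonate a user by setting
-- the JWT claims and confirm rows from other workspaces are absent, not merely
-- hidden by the application.
--   set local role authenticated;
--   select set_config('request.jwt.claims', '{"sub":"<user uuid>"}', true);
--   select id, workspace_id, kind from documents;  -- only this user's workspace
```

The check worth repeating after every schema change is the one in the final comment block: with the application bypassed entirely, a query run under a user's JWT claims returns only the rows the policy allows. Keep in mind that Supabase's service-role key carries BYPASSRLS and ignores every policy above, which is why it has to stay server-side.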
Data Residency
All Certflo infrastructure (database, storage, compute) is hosted in the United States. Your documents do not leave U.S. data centers during normal operation. Cross-region backup replication, if enabled, stays within U.S. regions.
Backups and Recovery
Database backups run daily and are retained on a rolling 7-day window by default. Point-in-time recovery is available for the past 7 days. Document storage keeps redundant copies across availability zones. We test restore procedures periodically.
Subprocessors
Certflo uses the following third-party services to deliver the product. Each is listed with its role and hosting location.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Postgres database, authentication, object storage | United States |
| Cloudflare | Marketing site hosting, CDN, DDoS protection | Global edge, U.S. origin |
| Stripe | Payment processing and billing | United States |
Certflo does not store your credit card details. Stripe handles every payment flow under PCI DSS Level 1.
Authentication and Sessions
User accounts authenticate with email and password through Supabase Auth. Passwords are hashed with bcrypt, which salts every hash individually. Sessions use JWT access tokens signed with rotating asymmetric keys. Signing out revokes the session server-side, and a compromised session can be revoked the same way; an access token that was already issued remains usable only until it expires, after which no new token can be minted for the revoked session.
Rate Limiting and Abuse Prevention
Critical endpoints (signup, login, document extraction, invite acceptance) are rate-limited per IP and per account. Excess requests are rejected before they reach the database. CORS is restricted to the Certflo application origin.
Employee Access
Only the three Certflo co-owners have production database access. Every access event is logged. We do not read your documents as a matter of practice. If a support issue requires us to look at specific records, we ask for your written consent first.
Compliance Certifications
Certflo is a new product and has not yet completed independent audits such as SOC 2 Type I. Our underlying infrastructure providers (Supabase, Cloudflare, Stripe) carry SOC 2, ISO 27001, and PCI DSS certifications. As our customer base grows, we plan to pursue SOC 2 directly.
Incident Response
If a data breach affecting your carrier's records occurs, we will notify affected workspace owners via the email address on file within 72 hours of confirmed detection. The notice will include what data was affected, what we know about the cause, and what steps we are taking.
Responsible Disclosure
Found a security issue? Please report it privately through the in-app messaging system or by contacting Mesquite Dev LLC directly. Do not open public GitHub issues or post publicly before we have had a chance to respond. We appreciate researchers who give us time to fix an issue before disclosing it.
Your Responsibilities
Security is a shared model. You are responsible for:
- Keeping your login credentials private and unique
- Removing terminated employees from your workspace promptly
- Assigning roles appropriately (do not give drivers dispatch access)
- Using a trusted device to log in
Questions
For security or privacy questions, reach out through the in-app messaging system or contact the team at Mesquite Dev LLC. We answer security questions within one business day.
This page reflects Certflo's security posture as of the last update date above. Practices may change; material changes will be reflected here and communicated to active customers.