Security. Engineered in.

01 Our approach

At Flockr, security is part of how we build, not a layer on top. Every change to the platform passes through code review, automated testing, and dependency scanning before it ships. Every system has documented procedures for monitoring, incident response, and recovery.

This page describes what we have today, with concrete dates for what's coming next. We don't list aspirational security postures. If we say we'll have something by a date, you can hold us to it. If we haven't built it yet, we'll tell you.

If you're evaluating Flockr from a security perspective and need detail beyond what's on this page, email security@flockr.co — we'll set up a call with someone who can answer technical questions directly.

02 Certifications

Independent attestations of our security posture. Available to customers and qualified prospects.

03 Infrastructure

Where your data lives

All Flockr platform data is hosted in Amazon Web Services (AWS), in the UK region (eu-west-2, London). We do not replicate data outside the UK.

Our marketing website (flockr.co) is hosted by Webflow. Webflow's compliance documentation is available at webflow.com/security.

Encryption

• In transit: All connections to Flockr use TLS 1.2 or higher. Older protocols are disabled.
• At rest: All data is encrypted using AES-256. Encryption keys are managed via AWS Key Management Service (KMS).

Network

• Production systems are isolated in private VPCs with strict ingress/egress controls.
• No direct public access to data stores — all access is brokered through the application layer.
• DDoS protection via AWS Shield.
• Web application firewall (WAF) rules in place to filter common attack patterns.

04 Application security

How we keep our code secure:

• Code review is required on every change to the codebase before merge. No exceptions.
• Automated dependency scanning flags vulnerable libraries on every pull request. We patch criticals within 72 hours.
• Static analysis runs on every pull request to catch common security issues before they reach production.
• Secrets management via AWS Secrets Manager. No hardcoded credentials in source code.
• Penetration testing performed periodically against the production platform. Executive summaries available under NDA.
• Security headers (HSTS, CSP, X-Frame-Options) deployed across the platform.

05 Access controls

Who can access what, and how we control it:

• Single sign-on (SSO) required for all Flockr staff via our identity provider.
• Multi-factor authentication (MFA) required on every staff account and every production system.
• Least-privilege access — staff have access only to the systems and data they need for their role.
• Audit logging records every access to production systems. Logs are retained for at least 12 months.
• Quarterly access reviews remove unused permissions.
• Background checks performed on staff with access to production systems, where legally permitted.
• Immediate revocation of all access on staff departure.

06 Operations

Monitoring

Production systems are monitored continuously. Automated alerts trigger paging for anomalies, errors, or signs of compromise. On-call rotation covers business-critical paths 24/7.

Incident response

We maintain documented incident response procedures covering detection, containment, communication, and recovery. Tabletop exercises run periodically. Incidents are reviewed in blameless post-mortems.

Breach notification

In the event of a personal data breach, we will notify affected customers and the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware, in line with UK GDPR.

Business continuity

Documented disaster recovery procedures with regular testing. Production data is backed up automatically, with backups stored in a separate AWS region for resilience.

07 Our policies

We maintain the following internal policies. The first three are available under NDA to customers and qualified prospects; the fourth is published openly.

• Information Security Policy — defines our security controls, responsibilities, and acceptable use.
• Data Protection Policy — defines how we handle personal data under UK GDPR.
• Business Continuity Policy — defines our disaster recovery, resilience, and incident response procedures.
• Privacy Policy — published openly at flockr.co/privacy.

To request a copy of any of the first three, email security@flockr.co.

08 Responsible disclosure

If you discover a security vulnerability in any Flockr system, we want to hear about it. Good-faith security research is welcome and we will not take legal action against researchers who follow this policy.

How to report

• Email: security@flockr.co
• PGP key: available on request
• Please include enough detail to reproduce the issue. Screenshots, request/response captures, and PoC code all help.

What we commit to

• Acknowledge your report within 24 hours.
• Investigate and provide regular updates on our progress.
• Credit you publicly once the issue is resolved (with your permission).
• Not pursue legal action against good-faith researchers who follow this policy in spirit.

Scope

09 Documents on request

The following documents are available to qualified prospects and customers, typically under NDA:

• Data Processing Addendum (DPA) — for customers who need a signed DPA to satisfy UK GDPR or EU GDPR obligations.
• Cyber Essentials certificate — proof of current certification.
• Information Security Policy
• Data Protection Policy
• Business Continuity Policy
• Penetration test executive summary — when available, redacted as appropriate.
• Security questionnaire — we maintain a pre-filled response to common questionnaires (CAIQ-style), available on request to save time on both sides.

To request any of these, email security@flockr.co with a brief note about which documents you need and your role.

10 Contact

For security-related questions or disclosures: