Security
Last updated: 16 June 2026
1. Our Approach
FleetFlow (the "Service") is operated by FORGEAI STUDIO LTD, a company registered in England and Wales, trading as "NovaStack" ("we", "us" or "our"). FleetFlow is powered by NovaStack. We take the security of your data seriously and design the Service with security and data protection in mind at every layer.
This page describes the key technical and organisational measures we use to protect the Service and the data it holds. It should be read together with our Privacy Policy, Terms of Service and Acceptable Use Policy. No system can be guaranteed to be completely secure, but we work continuously to protect your information and to improve our safeguards over time.
Key measures at a glance:
- Encryption in transit (TLS) and encryption at rest.
- Authentication via Supabase Auth using JSON Web Tokens (JWTs) and securely hashed passwords.
- Account-level data isolation enforced by Postgres row-level security (RLS).
- Resilient infrastructure using Cloudflare's global edge and Supabase (Postgres) hosted in an EU/UK region.
- Managed, automated backups with point-in-time recovery where available.
- Payment processing handled by Stripe, a PCI-DSS compliant payment provider; we never store card numbers.
2. Encryption
All data transmitted between your browser or device and the Service is encrypted in transit using industry-standard Transport Layer Security (TLS). Data at rest is encrypted on our managed infrastructure, helping to protect it against unauthorised access to the underlying storage.
3. Authentication
User authentication is handled by Supabase Auth. Sessions are managed using signed JSON Web Tokens (JWTs), and user passwords are stored using strong, one-way hashing rather than in plain text. We continue to evaluate additional protections, including optional multi-factor authentication (MFA), which we intend to make available in future.
4. Access Controls and Data Isolation
The Service uses Postgres row-level security (RLS) to enforce strict data isolation between accounts. RLS policies ensure that each account can only access its own data, so one customer's records cannot be read or modified by another. Access to data is granted on a least-privilege basis, and access to production systems by our personnel is restricted to those who require it.
5. Infrastructure
The Service is delivered through Cloudflare's global edge network, which provides performance, reliability and protection against common network-level threats. Our database, authentication and storage are provided by Supabase, built on PostgreSQL, hosted in an EU/UK region. We rely on the robust physical and operational security controls maintained by these established infrastructure providers.
6. Data Storage and Backups
Customer data is stored in our managed Supabase (Postgres) database. Automated backups are performed by our managed infrastructure, and point-in-time recovery is available where supported. These measures are designed to help us restore data and maintain service continuity in the event of an incident.
7. Payment Security
All payments are processed by Stripe, a PCI-DSS compliant payment provider. Card details are submitted directly to Stripe and are handled within their secure environment. We never see or store your full card numbers on our systems.
8. Monitoring
We monitor the Service and its supporting infrastructure for availability, errors and signs of suspicious or anomalous activity. Logging and monitoring help us detect, investigate and respond to potential security issues, and to maintain the reliability of the Service.
9. Responsible Disclosure
We welcome reports from security researchers and users who identify potential vulnerabilities in the Service. If you believe you have found a security issue, please report it to us by email at support@fleetflowtech.com with enough detail for us to reproduce and investigate the issue.
We ask that you act in good faith, avoid accessing or modifying data that does not belong to you, allow us a reasonable period of time to investigate and remediate the issue, and refrain from publicly disclosing any vulnerability before we have had the opportunity to fix it. We will acknowledge legitimate reports and work to address confirmed issues promptly.
10. Contact
If you have any questions about the security of the Service, please contact us at support@fleetflowtech.com. FleetFlow is operated by FORGEAI STUDIO LTD (trading as NovaStack), a company registered in England and Wales. These matters are governed by the laws of England and Wales.