Encryption

FluxCascade uses industry-standard encryption to protect your data at every stage. This document explains our encryption practices.

Encryption Overview

Stage	Protection	Standard
In Transit	TLS 1.2+ encryption	HTTPS everywhere
At Rest	AES-256 encryption	Database and storage
Credentials	AES-256-GCM encryption	OAuth tokens, API keys
Passwords	Argon2id hashing	One-way hash, not reversible

Data in Transit

TLS/SSL Encryption

All data transmitted to and from FluxCascade is encrypted:

Protocol: TLS 1.2 or TLS 1.3
Certificates: Valid, trusted CA-issued certificates
HSTS: HTTP Strict Transport Security enabled
Forward Secrecy: ECDHE key exchange

API Communications

When FluxCascade connects to external systems:

All connections use HTTPS
Certificate validation is enforced
Modern cipher suites only
No fallback to unencrypted connections

Webhook Security

Webhooks are secured with:

HTTPS-only endpoints
Signature verification headers
Timestamp validation to prevent replay attacks

Data at Rest

Database Encryption

All stored data is encrypted:

Algorithm: AES-256
Mode: Encryption at rest enabled at infrastructure level
Key management: Keys stored in secure key management system
Automatic: All data encrypted transparently

What's Encrypted

Account information
Mapping configurations
Sync logs
Audit trails
Connection metadata

OAuth Token Encryption

Sensitive credentials get additional protection:

OAuth Access Token → AES-256-GCM encryption → Stored
                     ↑
              Unique encryption key per token

Each token encrypted with unique key
Keys stored separately from encrypted data
Encryption keys are rotated periodically

Password Security

User passwords are never stored in plain text:

Hashing Algorithm

We use Argon2id, the winner of the Password Hashing Competition:

Memory-hard to resist GPU attacks
Time-cost parameter for brute-force resistance
Salt included for uniqueness
Not reversible – we can't read your password

Password Requirements

Minimum 8 characters
Checked against known breached passwords
Strength meter during creation
Rate-limited login attempts

Key Management

Encryption Keys

Stored in dedicated key management service
Never stored alongside encrypted data
Access logged and audited
Automatically rotated

Key Hierarchy

Master Key (HSM-protected)
    ↓
Data Encryption Keys (per-tenant)
    ↓
Credential Encryption Keys (per-connection)

This limits the blast radius if any single key is compromised.

Infrastructure Security

Cloud Security

Our infrastructure includes:

Encrypted storage volumes
Encrypted network traffic between services
Private network for internal communication
No data on local disks

Backup Encryption

All backups are encrypted:

Same AES-256 encryption as primary data
Backups stored in separate region
Encrypted in transit to backup location

API Key Security

Your API keys are protected:

Storage

Hashed before storage (like passwords)
Only you see the full key once at creation
We can't retrieve your key – only verify it

Best Practices

Rotate keys periodically
Use scoped keys with minimal permissions
Never commit keys to source control
Use environment variables

Audit Trail

All encryption-related events are logged:

Key access attempts
Token decryption events
Failed authentication attempts
Administrative access

Logs are retained and available for compliance review.

Compliance Certifications

Our encryption practices meet:

SOC 2 Type II – Security controls audited
GDPR – Appropriate technical measures
HIPAA – Encryption requirements (with BAA)

See Compliance for details.

Verifying Security

Connection Verification

Verify FluxCascade is using HTTPS:

Check for padlock icon in browser
Certificate should show "fluxcascade.com"
Use browser dev tools to verify TLS version

API Verification

Our API enforces security:

# HTTPS required - HTTP redirects to HTTPS
curl http://api.fluxcascade.com/...
# → 301 Redirect to https://...

# Modern TLS only
curl --tlsv1.1 https://api.fluxcascade.com/...
# → Connection refused

Security Updates

We continuously update our security:

Monitor for vulnerabilities in dependencies
Apply security patches promptly
Upgrade encryption standards as needed
Regular security assessments

Questions?

For security questions:

Email: security@fluxcascade.com

For security vulnerabilities, see our Responsible Disclosure policy.

Data Privacy – How we handle your data
Compliance – Certifications and standards
API Authentication – Secure API access

Encryption

FluxCascade uses industry-standard encryption to protect your data at every stage. This document explains our encryption practices.

Encryption Overview

Stage	Protection	Standard
In Transit	TLS 1.2+ encryption	HTTPS everywhere
At Rest	AES-256 encryption	Database and storage
Credentials	AES-256-GCM encryption	OAuth tokens, API keys
Passwords	Argon2id hashing	One-way hash, not reversible

Data in Transit

TLS/SSL Encryption

All data transmitted to and from FluxCascade is encrypted:

Protocol: TLS 1.2 or TLS 1.3
Certificates: Valid, trusted CA-issued certificates
HSTS: HTTP Strict Transport Security enabled
Forward Secrecy: ECDHE key exchange

API Communications

When FluxCascade connects to external systems:

All connections use HTTPS
Certificate validation is enforced
Modern cipher suites only
No fallback to unencrypted connections

Webhook Security

Webhooks are secured with:

HTTPS-only endpoints
Signature verification headers
Timestamp validation to prevent replay attacks

Data at Rest

Database Encryption

All stored data is encrypted:

Algorithm: AES-256
Mode: Encryption at rest enabled at infrastructure level
Key management: Keys stored in secure key management system
Automatic: All data encrypted transparently

What's Encrypted

Account information
Mapping configurations
Sync logs
Audit trails
Connection metadata

OAuth Token Encryption

Sensitive credentials get additional protection:

OAuth Access Token → AES-256-GCM encryption → Stored
                     ↑
              Unique encryption key per token

Each token encrypted with unique key
Keys stored separately from encrypted data
Encryption keys are rotated periodically

Password Security

User passwords are never stored in plain text:

Hashing Algorithm

We use Argon2id, the winner of the Password Hashing Competition:

Memory-hard to resist GPU attacks
Time-cost parameter for brute-force resistance
Salt included for uniqueness
Not reversible – we can't read your password

Password Requirements

Minimum 8 characters
Checked against known breached passwords
Strength meter during creation
Rate-limited login attempts

Key Management

Encryption Keys

Stored in dedicated key management service
Never stored alongside encrypted data
Access logged and audited
Automatically rotated

Key Hierarchy

Master Key (HSM-protected)
    ↓
Data Encryption Keys (per-tenant)
    ↓
Credential Encryption Keys (per-connection)

This limits the blast radius if any single key is compromised.

Infrastructure Security

Cloud Security

Our infrastructure includes:

Encrypted storage volumes
Encrypted network traffic between services
Private network for internal communication
No data on local disks

Backup Encryption

All backups are encrypted:

Same AES-256 encryption as primary data
Backups stored in separate region
Encrypted in transit to backup location

API Key Security

Your API keys are protected:

Storage

Hashed before storage (like passwords)
Only you see the full key once at creation
We can't retrieve your key – only verify it

Best Practices

Rotate keys periodically
Use scoped keys with minimal permissions
Never commit keys to source control
Use environment variables

Audit Trail

All encryption-related events are logged:

Key access attempts
Token decryption events
Failed authentication attempts
Administrative access

Logs are retained and available for compliance review.

Compliance Certifications

Our encryption practices meet:

SOC 2 Type II – Security controls audited
GDPR – Appropriate technical measures
HIPAA – Encryption requirements (with BAA)

See Compliance for details.

Verifying Security

Connection Verification

Verify FluxCascade is using HTTPS:

Check for padlock icon in browser
Certificate should show "fluxcascade.com"
Use browser dev tools to verify TLS version

API Verification

Our API enforces security:

# HTTPS required - HTTP redirects to HTTPS
curl http://api.fluxcascade.com/...
# → 301 Redirect to https://...

# Modern TLS only
curl --tlsv1.1 https://api.fluxcascade.com/...
# → Connection refused

Security Updates

We continuously update our security:

Monitor for vulnerabilities in dependencies
Apply security patches promptly
Upgrade encryption standards as needed
Regular security assessments

Questions?

For security questions:

Email: security@fluxcascade.com

For security vulnerabilities, see our Responsible Disclosure policy.

Data Privacy – How we handle your data
Compliance – Certifications and standards
API Authentication – Secure API access

Encryption

Encryption Overview

Data in Transit

TLS/SSL Encryption

API Communications

Webhook Security

Data at Rest

Database Encryption

What's Encrypted

OAuth Token Encryption

Password Security

Hashing Algorithm

Password Requirements

Key Management

Encryption Keys

Key Hierarchy

Infrastructure Security

Cloud Security

Backup Encryption

API Key Security

Storage

Best Practices

Audit Trail

Compliance Certifications

Verifying Security

Connection Verification

API Verification

Security Updates

Questions?

Related

Encryption

Encryption Overview

Data in Transit

TLS/SSL Encryption

API Communications

Webhook Security

Data at Rest

Database Encryption

What's Encrypted

OAuth Token Encryption

Password Security

Hashing Algorithm

Password Requirements

Key Management

Encryption Keys

Key Hierarchy

Infrastructure Security

Cloud Security

Backup Encryption

API Key Security

Storage

Best Practices

Audit Trail

Compliance Certifications

Verifying Security

Connection Verification

API Verification

Security Updates

Questions?

Related