FlowNurture

Security

Built for trust from the ground up.

FlowNurture stores and processes customer data on behalf of the teams using it. This page documents the specific security controls in place — what is enforced, how it works, and what you can rely on.

Questions not answered here? Contact us.

Data isolation

Every tenant's data is structurally isolated

FlowNurture is a multi-tenant platform. Every record — contacts, campaigns, workflows, forms, and analytics events — is scoped to an organization at the database layer. Tenant isolation is enforced by the backend on every query; it cannot be bypassed from the frontend.

  • Every database query includes an organizationId filter, enforced server-side
  • The frontend never passes an organizationId — the backend resolves it from the authenticated session
  • Cross-tenant data access is structurally prevented, not just policy-gated
  • New organizations start with a clean, empty data scope — no data bleeds from other tenants
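
The pattern these bullets describe can be sketched as follows. This is an added illustration, not FlowNurture's code: the `contacts` table, the `Session` and `ContactRepo` classes, the handler and the sample rows are hypothetical and constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data: two tenants sharing one table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, "
               "organizationId TEXT NOT NULL, email TEXT)")
    db.executemany("INSERT INTO contacts (organizationId, email) VALUES (?, ?)",
                   [("org_a", "ann@a.example"), ("org_a", "al@a.example"),
                    ("org_b", "bob@b.example")])
    return db


class Session:
    """Stands in for the authenticated session the backend resolves per request."""
    def __init__(self, user_id, organization_id):
        self.user_id = user_id
        self.organization_id = organization_id


class ContactRepo:
    """Every method takes the session; none accepts an organizationId argument."""
    def __init__(self, db):
        self._db = db

    def list(self, session):
        return self._db.execute(
            "SELECT id, email FROM contacts WHERE organizationId = ? ORDER BY id",
            (session.organization_id,)).fetchall()

    def get(self, session, contact_id):
        # A record id alone is never enough: the tenant filter is in the WHERE clause.
        return self._db.execute(
            "SELECT id, email FROM contacts WHERE id = ? AND organizationId = ?",
            (contact_id, session.organization_id)).fetchone()


def handle_list_contacts(repo, session, request_params):
    # Client input is used for paging only; an organizationId key is discarded.
    params = {k: v for k, v in request_params.items() if k != "organizationId"}
    limit = int(params.get("limit", 50))
    return repo.list(session)[:limit]
```

A request from an `org_a` session that smuggles in `organizationId=org_b` still sees only `org_a` rows, and looking up an `org_b` record by id returns nothing.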

Access control

Role-based access with JWT authentication

Access to every resource in FlowNurture is controlled by a role hierarchy. JWT tokens identify and authorize the caller on every request. Route guards run server-side — a role mismatch is a hard failure, not a UI hide.

  • Three-tier RBAC: SUPER_ADMIN (platform-wide), ORG_ADMIN (workspace management), MEMBER (operational access)
  • JWT tokens are used for all authenticated requests — short-lived access tokens stored client-side
  • Role guards run at the backend controller layer and cannot be bypassed through the API
  • Admin routes (/admin) require SUPER_ADMIN; workspace routes enforce ORG_ADMIN or MEMBER as appropriate
  • Members cannot escalate their own permissions within an organization

Plan entitlements

Feature access is enforced at the API layer

Every plan-gated feature — AI Writing, AI Copilot, CRM integrations, advanced segments — is enforced by the backend on every request. Disabling UI controls is cosmetic; the API will reject calls that exceed a plan's entitlements regardless of what the client sends.

  • Entitlement checks run at the API controller layer, not just the frontend
  • Attempting to use a feature above your plan returns a 403 — no data is returned
  • Plan downgrades take effect at the start of the next billing cycle; features remain accessible until then
  • Usage limits (email volume, contact counts) are enforced server-side in real time

Integration security

Signed webhooks and encrypted CRM credentials

When FlowNurture sends data to external systems — via webhooks or CRM syncs — it does so with authentication and encryption built in. CRM credentials are never stored in plaintext, and webhook payloads are signed so receivers can verify origin.

  • All outbound webhooks include a cryptographic HMAC signature in the request header
  • Receiving systems can verify each payload using the shared secret — replayed or tampered payloads fail verification
  • CRM OAuth tokens and API keys (HubSpot, Salesforce, Pipedrive) are encrypted at rest
  • Credentials are never returned in API responses, never logged, and never exposed to the frontend
  • Integration tokens can be revoked from Settings at any time, immediately invalidating the connection

Email compliance

Unsubscribes and suppressions are always honoured

FlowNurture treats unsubscribes and bounces as hard constraints, not preferences. Once a contact opts out or hard-bounces, they are suppressed across all future sends — campaigns, workflows, and one-off emails — automatically and without exception.

  • Unsubscribe requests are processed immediately and applied globally across all sending
  • Hard bounces are automatically added to the suppression list after the first occurrence
  • The suppression list is checked before every send — suppressed contacts are excluded at the delivery layer
  • One-click unsubscribe links are included in all campaign and workflow emails by default
  • Complaint feedback loops are monitored; repeated complaints trigger automatic suppression
  • Starter and above plans include DKIM, SPF, and DMARC configuration for authenticated domain sending

API security

Scoped API keys with explicit permissions

Every API key issued by FlowNurture has an explicit permission scope. Keys can be scoped to specific resources and access levels — a read-only reporting key cannot write data, and a contacts key cannot access campaign configuration. Keys can be revoked instantly.

  • API keys are scoped at creation time — read, write, or both, per resource category
  • A key's scope cannot be expanded after creation; a new key must be issued
  • Keys can be revoked from Settings at any time — revocation is immediate
  • Key values are only shown once at creation and are not retrievable thereafter
  • All API requests are authenticated; unauthenticated requests to protected endpoints return 401
  • Rate limiting is applied per key to prevent abuse

What this page covers

This page describes security controls that are part of FlowNurture's platform architecture — data isolation, access control, authentication, integration security, email compliance, and API scoping. It does not make claims about external certifications, third-party audits, or compliance frameworks. If you have specific compliance requirements, please contact us to discuss your needs directly.

FAQ

Security questions

Can one customer see another customer's data?

No. Tenant isolation is enforced structurally at the database layer. Every query is scoped by organizationId on the backend — there is no code path that allows one tenant to access another's data.

How are CRM credentials protected?

OAuth tokens and API keys for HubSpot, Salesforce, and Pipedrive are encrypted at rest before being stored. They are never returned in API responses, never logged, and are not accessible from the frontend. You can revoke access from Settings at any time.

How can I verify that a webhook came from FlowNurture?

Every webhook from FlowNurture includes an HMAC-SHA256 signature in the X-FlowNurture-Signature header, computed using your endpoint's shared secret. Verify the signature on your server before processing the payload. Payloads with invalid or missing signatures should be rejected.
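
A receiver-side check for the signature described above, as an added example that is not FlowNurture's code. The page names the header and the algorithm but not the encoding or the signed string, so this assumes a hex digest computed over the raw request body; the secret and payload are constructed. Because the page does not describe a timestamp or nonce in the signed data, the sketch also remembers signatures it has already accepted, which is a receiver-side choice.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "X-FlowNurture-Signature"  # header name given on the page


def sign(secret: bytes, raw_body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the exact request body bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # accepted signatures; bound or expire this in production

    def check(self, headers: dict, raw_body: bytes) -> str:
        # HTTP header names are case-insensitive.
        supplied = next((v for k, v in headers.items()
                         if k.lower() == SIGNATURE_HEADER.lower()), None)
        if not supplied:
            return "reject: missing signature"
        expected = sign(self._secret, raw_body)
        # compare_digest avoids leaking the mismatch position through timing.
        if not hmac.compare_digest(expected.encode(),
                                   supplied.strip().lower().encode()):
            return "reject: bad signature"
        if expected in self._seen:
            return "ignore: duplicate delivery"
        self._seen.add(expected)
        return "accept"


# Constructed sample input.
SECRET = b"constructed-example-secret"
BODY = b'{"event":"contact.created","contactId":"c_123"}'


def demo():
    v = WebhookVerifier(SECRET)
    good = {"x-flownurture-signature": sign(SECRET, BODY)}
    return [
        v.check(good, BODY),                                  # untouched payload
        v.check(good, BODY),                                  # same bytes again
        v.check(good, BODY.replace(b"c_123", b"c_999")),      # body altered
        v.check({}, BODY),                                    # header absent
        v.check({SIGNATURE_HEADER: sign(b"wrong", BODY)}, BODY),  # wrong secret
    ]


if __name__ == "__main__":
    print(demo())
```

Verify against the bytes exactly as received, before any JSON parsing or re-serialisation, since a re-encoded body will not produce the same digest.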

What happens if an employee leaves and had access to a workspace?

ORG_ADMINs can remove member access from Settings → Team. Removal is immediate — the member's session tokens are invalidated and they lose access to all workspace data. CRM integration tokens connected under their account can also be revoked separately.

Can a Member escalate their permissions?

No. Role changes must be made by an ORG_ADMIN. Members cannot modify their own role or grant themselves additional access. The backend rejects any request that would allow self-escalation.

How does FlowNurture handle unsubscribes?

Unsubscribe requests are processed immediately and applied globally. Every campaign and workflow email includes an unsubscribe link. Once a contact opts out, they are suppressed at the delivery layer before any future send — they cannot be re-enrolled in campaigns or workflows until they explicitly re-subscribe.

What is the difference between DKIM/SPF/DMARC and dedicated IPs?

DKIM, SPF, and DMARC (available on Starter and above) authenticate your sending domain so receiving mail servers can verify the email actually came from you. Dedicated IPs (Pro) mean your sending reputation is entirely your own — shared only with your own sending volume, not other senders on a shared pool.

Have a specific security question?

If you're evaluating FlowNurture for your team and need to discuss specific security requirements, data handling, or integration architecture, we're happy to answer directly.