Legal

Security

Version 0.1 · Last updated 08/04/2026

Draft document

This page is a working draft pending legal review and entity registration. The content is informative only and does not yet constitute a binding legal commitment by BuildFlow or its operators.

BuildFlow takes the security of your data seriously. This page sets out the controls we operate. If you need more detail for a procurement or information security review, please get in touch.

1. Encryption

All connections to BuildFlow are encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 by our database and storage providers. Passwords are hashed using bcrypt by our authentication provider.

2. Hosting and infrastructure

BuildFlow runs on Vercel for application hosting and Supabase for database, authentication, and file storage. Our primary database is hosted in the EU. See our sub-processors page for the full list of vendors.

3. Access control

BuildFlow uses Row Level Security in the database to enforce fine-grained access controls. Users only see the projects, contracts, valuations, and documents they are authorised to access. Internal access to production data is restricted to a minimal number of authorised personnel and is logged.

4. Backups and recovery

Our database provider takes automated daily backups with 30-day retention. We test recovery procedures periodically to confirm we can restore service in the event of a failure.

5. Monitoring and incident response

We monitor application errors and infrastructure health through Sentry and the platform dashboards of our hosting providers. In the event of a personal data breach, we will notify affected users and the UK Information Commissioner's Office in line with our obligations under UK GDPR.

6. Responsible disclosure

If you believe you have found a security vulnerability in BuildFlow, please report it privately to security@build-flow.io. We will acknowledge receipt within three working days and aim to provide a status update within ten working days. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and fix it.

We do not currently operate a paid bug bounty programme, but we welcome and appreciate responsible disclosures.

7. Want more detail?

For a full security overview, including answers to common procurement questions, please email hello@build-flow.io.