Last updated: 1 March 2026
At FlowFi, the security of your financial data is our highest priority. We employ industry-standard security practices and continuously monitor and improve our security posture to protect your information.
All data transmitted between your browser and FlowFi is encrypted in transit using TLS 1.2 or higher (HTTPS). Your financial data is encrypted at rest with AES-256 within our database infrastructure, which is provided by Supabase and hosted on AWS in the Sydney (ap-southeast-2) region.
Your data is stored on servers located in Australia (AWS Sydney region). This ensures compliance with Australian data sovereignty requirements and means your financial information does not leave Australian jurisdiction for primary storage and processing.
FlowFi uses Supabase Auth for secure authentication, supporting email/password sign-in with secure password hashing (bcrypt). All database tables are protected by Row Level Security (RLS) policies, ensuring that application queries can only return data belonging to the authenticated user. This isolation is enforced at the database engine level, not just in application code, providing defence-in-depth against data leakage.
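As an added illustration, and not FlowFi's own schema or policy code, the following shows how a per-user Row Level Security policy of the kind described above is expressed in Supabase's Postgres, where auth.uid() returns the authenticated user's ID from the session JWT. The table name transactions and the column user_id are assumptions.

```sql
-- Assumed example table; FlowFi's real schema is not on this page.
CREATE TABLE transactions (
  id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  user_id     uuid NOT NULL DEFAULT auth.uid(),
  posted_on   date NOT NULL,
  amount      numeric(12, 2) NOT NULL,
  description text
);

-- Policies are ignored until RLS is enabled; FORCE applies them to the
-- table owner as well, so no role bypasses them by accident.
ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- Reads: every SELECT from an authenticated session is filtered to the
-- caller's own rows by the database engine, regardless of application code.
CREATE POLICY "users read own transactions" ON transactions
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());

-- Writes: WITH CHECK rejects any inserted or updated row whose user_id
-- is not the caller, so a client cannot file data under another account.
CREATE POLICY "users insert own transactions" ON transactions
  FOR INSERT TO authenticated
  WITH CHECK (user_id = auth.uid());

CREATE POLICY "users update own transactions" ON transactions
  FOR UPDATE TO authenticated
  USING (user_id = auth.uid())
  WITH CHECK (user_id = auth.uid());

CREATE POLICY "users delete own transactions" ON transactions
  FOR DELETE TO authenticated
  USING (user_id = auth.uid());

-- Check from an authenticated session: counts only the caller's rows,
-- even if the client sends no WHERE clause at all.
SELECT count(*) FROM transactions;
```

The Supabase service_role key bypasses RLS entirely, which is why confining privileged database credentials to a single server-side module, as described below, matters for this isolation to hold.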
We believe in being transparent about who can access your data and how that access is controlled. Like all software companies, a limited number of FlowFi personnel have access to production infrastructure for essential purposes including system maintenance, incident response, and customer support.
To protect your data, we implement the following controls:
Audit logging: All administrative access to production data is recorded in tamper-evident audit logs, including what was accessed, when, and by whom.
Least privilege: Administrative access is restricted to the minimum level necessary. Automated processes, such as business metrics reporting, use aggregated, anonymised queries that do not expose individual financial records.
Confidentiality: All FlowFi personnel with production access are bound by confidentiality obligations. We do not routinely view, browse, or access individual customer financial data.
Centralised credentials: Privileged database credentials are confined to a single authentication module and are not embedded across the application codebase.
FlowFi imports your financial data through CSV and PDF bank statement uploads. FlowFi never connects directly to your bank or stores your bank login credentials. PDF statements are processed using AI to extract transaction data, and all uploaded files are encrypted and securely processed.
You can delete your uploaded data at any time through the FlowFi dashboard.
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. FlowFi never stores, processes, or has access to your full credit card numbers. Payment information is transmitted directly to Stripe's secure servers.
FlowFi uses AI models to categorise transactions and generate financial insights. Your financial data is processed securely and is not used to train third-party AI models. AI processing occurs in real-time and transaction data is not retained by AI service providers beyond the immediate request.
FlowFi is hosted on Vercel's edge network for the application layer and Supabase (AWS) for the database layer. Both providers maintain SOC 2 Type II compliance and implement comprehensive security controls including network isolation, automated vulnerability scanning, and 24/7 monitoring.
In the unlikely event of a data breach, FlowFi will notify affected users and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, within the required timeframes.
To help keep your account secure, we recommend using a strong, unique password for your FlowFi account, keeping your sign-in credentials confidential, signing out of shared or public devices, and regularly reviewing your connected bank accounts and transaction data for any discrepancies.
If you discover a security vulnerability or have concerns about the security of your data, please contact us immediately at security@flowfi.com.au. We take all security reports seriously and will respond promptly.
© 2026 FlowFi Pty Ltd (ACN 695 755 312). All rights reserved.