Enterprise-grade security, transparent data practices, and a compliance roadmap built around regulated industries. Everything you need to evaluate EmpireFlow for Tier 3 and Tier 4 deployment.
EmpireFlow runs on infrastructure providers with independent SOC 2 Type II certifications. We inherit their controls and add our own application-layer hardening on top.
Hosted on Render (SOC 2 Type II) with Neon PostgreSQL (SOC 2 Type II) for the database layer. Static assets and file storage via Cloudflare R2. All providers carry independent audit reports available on request.
TLS 1.3 enforced on all connections — no fallback to older protocols. Data at rest encrypted with AES-256-GCM. OAuth tokens additionally encrypted at the application layer before storage.
Scoped API keys with principle of least privilege. OAuth 2.0 for third-party integrations. Optional SSO (SAML 2.0) for Enterprise tier deployments. JWT sessions with server-side invalidation on logout.
All credentials managed through environment isolation — no plaintext storage, no secrets in source control. Sandbox AI execution environments enforce allowlist-only env construction. Production credentials cannot be accessed by agent processes.
We collect what we need to run the product. We don't sell it, share it beyond your instruction, or use it to train models.
EU customer data processed under lawful basis. Data Processing Agreement (DPA) available on request for Enterprise accounts. Right to access, rectification, and erasure honored within 30 days.
California residents can request data disclosure, opt out of sale (we don't sell data), and request deletion. Consumer rights requests handled within 45 days. Contact: security@empireflow.ai
Customer data and conversation history are never used to train models — ours or any sub-processor's. OpenAI API is called with zero-retention configured. Your leads' data doesn't improve anyone else's product.
US data residency by default. EU data residency available on Enterprise tier (Empire Flow). Data residency options ensure your customer PII stays within required jurisdictions for compliance.
Compliance is a journey, not a checkbox. Here's our honest current state and target timeline.
Formal audit underway. Security controls mapped against Trust Services Criteria. Report will be available to Enterprise customers under NDA upon completion.
Designed for med spa and healthcare verticals on Enterprise tier. BAA (Business Associate Agreement) available for eligible customers. Data isolation, audit logging, and access controls meet HIPAA technical safeguard requirements.
We never touch, store, or transmit card data. All payment processing is handled exclusively by Stripe, a Level 1 PCI DSS certified provider. No cardholder data ever passes through EmpireFlow systems.
Data processing practices aligned with GDPR Article 6 lawful basis and CCPA requirements. DPA template available. Consent management, right-to-erasure flows, and sub-processor agreements in place.
Complete list of third-party services that process customer data on our behalf. Last updated May 2026.
| Vendor | Category | Purpose & Data Processed |
|---|---|---|
Stripe |
Payments |
Subscription billing and payment processing. Stripe handles all cardholder data — we receive only tokenized payment methods. PCI Level 1 certified. |
Postmark |
Email |
Transactional and drip email delivery (audit results, onboarding sequences, nurture emails). Recipient email addresses and message content transmitted. SOC 2 Type II certified. |
Twilio |
SMS / Voice |
Missed-call text-back automation and SMS follow-up sequences. Phone numbers and message content processed. ISO 27001 + SOC 2 certified. |
OpenAI |
AI Inference |
AI Employee conversation processing (chat, receptionist, SDR workflows). Called with zero-retention API — data is not used for training or stored beyond request duration. Enterprise API agreement in place. |
Neon |
Database |
Primary database hosting for all customer and lead data. US-East region by default. SOC 2 Type II certified. Encryption at rest and in transit enforced. |
Render |
Hosting |
Web application hosting and runtime environment. Processes all inbound traffic and runs application logic. SOC 2 Type II certified. US region by default. |
Cloudflare |
CDN / Storage |
Static asset delivery via CDN and file storage (R2). No customer PII stored — handles public assets and uploaded media only. SOC 2 Type II certified. |
EmpireFlow is a production business tool. Downtime costs you leads. Here's how we think about availability.
99.9% monthly uptime target across web application and API. Planned maintenance windows communicated 48 hours in advance via email.
Rolling deployments with zero-downtime cutover — no maintenance windows for standard releases. Database migrations run before code cuts over.
Daily automated backups with point-in-time recovery. 30-day retention. Backup restoration tested quarterly. Recovery time objective (RTO) under 4 hours.
Security incidents happen. What matters is how fast you know and how quickly they're resolved.
AI Employees interact with your customers. We've built safety layers that keep them on-script, on-brand, and within appropriate boundaries.
Enterprise evaluations include a security questionnaire walkthrough, architecture review, and access to compliance documentation under NDA.