Explainer · 5 min read · Updated 19 Mar 2026

How FlowTrack keeps your data secure

When you trust FlowTrack with your financial data, we take that responsibility seriously. This article explains the specific technical and operational measures we use to protect your information. No vague promises — just specifics.


The Biggest Security Feature: No Bank Access

FlowTrack is 100% manual. We never ask for your bank credentials — no username, no password, no PIN, no OTP. We do not connect to your bank accounts at all. There is no bank linking, no third-party data pipeline, and no automated sync.

This is a deliberate security choice. If we never have your credentials, they can never be stolen from us. If we never connect to your bank, that connection can never be compromised.

Your money is completely untouchable by FlowTrack — because we have zero access to your accounts.


Encryption

Data at Rest

All your financial data stored in FlowTrack's databases is encrypted at rest using AES-256. AES-256 is the same standard used by banks, government agencies and military applications worldwide, and recovering a 256-bit key by brute force is computationally infeasible with current technology.

This means that even if someone gained physical access to our storage hardware, or obtained a copy of a disk or backup, your data would be unreadable without the encryption keys. Encryption at rest is specifically a defence against that kind of theft; protecting data while the application is running and the keys are in use is the job of the access controls described further down.

Data in Transit

Every connection between your device and FlowTrack's servers uses TLS 1.3 (Transport Layer Security), the latest version of the protocol, which drops the weak cipher suites and key-exchange options of older versions. All data is encrypted as it travels over the internet, so anyone on the network path may be able to capture the packets but cannot read or alter what they carry.

We enforce HTTPS on all endpoints: plain HTTP requests are redirected to HTTPS, and our HTTPS responses carry an HTTP Strict Transport Security (HSTS) header, so your browser remembers to use HTTPS only and cannot be tricked into a plaintext connection by a downgrade attack.
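All three transport claims (HTTP redirects to HTTPS, TLS 1.3 is negotiated, HSTS is set) can be verified from the outside with no special access. The script below is an added example written for this article, not FlowTrack's own code. It takes a hostname on the command line; when given none, it runs the evaluation on a constructed sample (a hypothetical server that still negotiates TLS 1.2 and sets a short HSTS policy) so it can be tried offline. The one-year minimum for max-age is the threshold the HSTS preload list requires and is used here as an assumed baseline.

```python
"""Check a site's transport-security claims from the outside:
   1. plain HTTP on port 80 redirects to an https:// URL,
   2. the TLS handshake on port 443 negotiates TLS 1.3,
   3. the HTTPS response carries Strict-Transport-Security with max-age >= 1 year."""
import http.client
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None when the header is missing or has no usable max-age,
    because browsers ignore a policy without one."""
    if not header:
        return None
    max_age = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: treat the whole policy as invalid
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate(tls_version: str, redirect_status: int,
             redirect_location: Optional[str],
             hsts_header: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means every claim holds."""
    findings = []
    if tls_version != "TLSv1.3":
        findings.append(f"TLS 1.3 not negotiated (got {tls_version})")
    if redirect_status not in (301, 302, 307, 308) or \
            not (redirect_location or "").lower().startswith("https://"):
        findings.append("plain HTTP is not redirected to HTTPS")
    policy = parse_hsts(hsts_header)
    if policy is None:
        findings.append("no valid Strict-Transport-Security header on the HTTPS response")
    else:
        if policy.max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {policy.max_age} is below one year")
        if not policy.include_subdomains:
            findings.append("HSTS policy does not include subdomains")
    return findings


def negotiated_tls_version(host: str, timeout: float = 5.0) -> str:
    """Open a TLS connection and report the version the server negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()  # e.g. "TLSv1.3"


def http_redirect(host: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Fetch / over plain HTTP and return the status code and Location header."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def https_hsts_header(host: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch / over HTTPS and return the HSTS header (browsers ignore it over HTTP)."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def check_host(host: str) -> List[str]:
    status, location = http_redirect(host)
    return evaluate(negotiated_tls_version(host), status, location,
                    https_hsts_header(host))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_host(sys.argv[1])
    else:  # constructed offline sample, not a real server's responses
        result = evaluate("TLSv1.2", 301, "https://app.example/", "max-age=300; preload")
    print("all checks passed" if not result else "\n".join(result))
```

Run it as `python check_transport.py flowtrack.money` to test the live site. Note that the HSTS header is only read from the HTTPS response, matching browser behaviour: a policy sent over plain HTTP is ignored, so setting it only on the redirect response would not protect anyone.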

Encryption Key Management

Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation. The key material of a KMS key never leaves AWS's hardware security modules and cannot be exported, so no single FlowTrack employee has access to raw encryption keys; our systems ask KMS to perform encryption and decryption operations rather than handling the keys themselves. Every use of a key is logged and audited.


Infrastructure

Hosting

FlowTrack's infrastructure runs on Amazon Web Services (AWS) in the Mumbai (ap-south-1) region. This means your data is stored in India, which is important for compliance with Indian data protection regulations.

Our infrastructure includes:

  • Virtual Private Cloud (VPC) — our application servers run in private subnets with no public IP addresses; the only component reachable from the public internet is the HTTPS entry point that fronts them
  • Web Application Firewall (WAF) — filters malicious traffic before it reaches our servers
  • DDoS protection — AWS Shield protects against distributed denial-of-service attacks
  • Auto-scaling — our infrastructure automatically scales to handle traffic spikes without degradation

Database Security

  • Databases are in private subnets with no direct internet access
  • Database access requires both network-level controls (security groups that restrict which hosts may reach the database port at all) and database credentials
  • All database connections are encrypted
  • Database backups are encrypted and stored in a separate AWS account

Access Controls

Employee Access

  • FlowTrack operates on a principle of least privilege — employees only have access to the systems and data they need for their specific role
  • Access to production systems requires multi-factor authentication and is logged
  • No FlowTrack employee can view your raw financial data in the normal course of their work. Customer support tools show only aggregated and anonymised information
  • Any access to individual user data for debugging requires explicit approval from two senior engineers and is time-limited and fully logged

Internal Security Policies

  • All employees undergo security awareness training during onboarding and quarterly thereafter
  • Company devices have enforced encryption, screen lock, and remote wipe capabilities
  • Code changes require peer review from at least one other engineer before deployment
  • We maintain a security incident response plan with defined escalation procedures

Security Testing

Penetration Testing

We conduct external penetration testing at least once a year through independent security firms. These tests simulate real-world attacks against our infrastructure, APIs, and applications. All findings are remediated according to severity:

  • Critical: Fixed within 24 hours
  • High: Fixed within 7 days
  • Medium: Fixed within 30 days
  • Low: Fixed within 90 days

Continuous Monitoring

  • Automated vulnerability scanning runs weekly across all infrastructure
  • Dependency scanning checks for known vulnerabilities in third-party libraries
  • Security Information and Event Management (SIEM) monitors for suspicious activity in real time
  • Intrusion detection systems alert our security team to unusual access patterns

Data Retention and Deletion

  • Active user data is retained as long as your account is active
  • When you delete your account, all personal data is permanently deleted within 30 days
  • Anonymised aggregate data (used for product analytics) may be retained, but it cannot be linked back to you
  • Backups containing deleted user data are purged on the same 30-day cycle

Compliance

FlowTrack operates in compliance with:

  • Digital Personal Data Protection Act, 2023 (DPDP) — we follow all data protection requirements including consent management, purpose limitation, and data minimisation
  • Information Technology Act, 2000 — we implement reasonable security practices as defined under Section 43A

Tip

If you have specific security questions or concerns, email our security team directly at security@flowtrack.money. We are happy to provide additional details about any of the measures described here.

Related articles

  • Why manual tracking is more secure than bank linking (Explainer, Security & Privacy, 4 min read) — how FlowTrack's manual-only approach eliminates the biggest security risks in personal finance apps.
  • Does FlowTrack sell my data? (Explainer, Security & Privacy, 2 min read) — no, we never sell your data; here's how our business model works.
  • Two-factor authentication — how to set it up (How-to, Security & Privacy, 3 min read) — add an extra layer of security to your FlowTrack account.