Six layers between your data and the world.

AuditFlow protects your client data with the same encryption, isolation, and access controls used by financial institutions. Here’s exactly how.

TLS 1.3 in transit
AES-256 at rest
Tenant isolation
bcrypt passwords
RBAC enforced
90-day audit log
1. Encryption

Data is encrypted at every stage. Nothing travels or sits in plaintext.

In transit

HTTPS / TLS 1.3

API calls, portal access, file uploads, webhooks

HSTS enforced · 2-year max-age · preload

At rest

AES-256

Sensitive fields encrypted at the column level

Backups encrypted before leaving infrastructure

Every response includes:

HSTS · X-Frame-Options: DENY · CSP · X-Content-Type-Options · Referrer-Policy · Permissions-Policy

2. Tenant isolation

Every organization is a walled garden. Your data is architecturally invisible to every other account on the platform.

Your organization: Properties · Audits · Reports · Photos · Users
Other tenants: Invisible · Unreachable · No cross-query

Every database query includes a tenantId filter. Even if someone obtained another tenant’s resource ID, the query returns nothing. This isn’t access control — it’s architectural separation.

3. Authentication

Passwords are hashed, tokens are short-lived, API keys are one-time-view.

1. Password: bcrypt with 10 salt rounds. Never stored or logged in plaintext.
2. Token: JWT (HS256) issued with userId, tenantId, and role. Validated on every request.
3. API Key: af_live_ prefixed, bcrypt-hashed at rest. Raw key shown once at creation.
4. Middleware: Every route passes through auth middleware. Tenant boundary enforced before any data access.
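The tenant isolation section above and step 4 here describe the same mechanism: the middleware attaches the caller's tenantId, and the data layer binds it into every query, so a leaked resource ID from another tenant matches nothing. This added example (not AuditFlow's code; the RequestContext shape, table layout and sample rows are assumptions) shows that pattern with an in-memory SQLite table.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample rows for two tenants. Audit IDs are globally unique, so a
# leaked ID would locate a row if queries were not scoped to the caller's tenant.
SAMPLE_AUDITS = [
    ("aud_1001", "org_acme", "Q1 site audit"),
    ("aud_1002", "org_globex", "Warehouse audit"),
]

@dataclass(frozen=True)
class RequestContext:
    """Identity the auth middleware attaches to a request (assumed shape,
    mirroring the JWT claims named on the page: userId, tenantId, role)."""
    user_id: str
    tenant_id: str
    role: str

def open_sample_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the production database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audits (id TEXT PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO audits VALUES (?, ?, ?)", SAMPLE_AUDITS)
    return conn

class AuditRepository:
    """Hypothetical data-access layer: every query carries the tenant predicate.
    Route handlers never write SQL, so no endpoint can forget the filter."""

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn

    def get(self, ctx: RequestContext, audit_id: str):
        # tenant_id is bound from the authenticated context, never from request
        # input; a foreign ID matches zero rows, indistinguishable from "no such audit".
        row = self._conn.execute(
            "SELECT id, tenant_id, title FROM audits WHERE tenant_id = ? AND id = ?",
            (ctx.tenant_id, audit_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "tenantId": row[1], "title": row[2]}

    def list_all(self, ctx: RequestContext):
        # Listing is scoped the same way; there is no unscoped read path at all.
        rows = self._conn.execute(
            "SELECT id, tenant_id, title FROM audits WHERE tenant_id = ?", (ctx.tenant_id,)
        ).fetchall()
        return [{"id": r[0], "tenantId": r[1], "title": r[2]} for r in rows]
```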
4. Access control

Three roles. Clear boundaries. Every action is gated.

Admin: Full access. Manage users, billing, settings, API keys.
Users · Billing · API keys · Settings · All data

Auditor: Field worker. Create audits, manage properties, generate reports.
Audits · Properties · Reports · No users · No billing

Viewer: Read-only. View audits, reports, and property data.
View · No create · No edit · No delete
5. Activity logging

Every significant action is recorded. Who did what, when, from where. Your audit trail for the audit trail.

Events we track

Login · Audit created · Audit completed · Report generated · Data exported · User invited · Role changed · Portal accessed · Settings changed · API key created · Proposal sent · Logout

Each entry captures

Timestamp: ISO 8601, millisecond precision
User: Authenticated user ID & name
IP: Client IP at time of request
Action: Event type + target resource
Retention: 90 days, then automatically purged

6. Responsible disclosure

Found something? Tell us. We’ll acknowledge your report within 48 hours and work to resolve it promptly. We credit researchers who help us improve.

security@auditflowtech.com

Security you don’t have to think about.

14-day free trial. No credit card required.

Start free trial