FlowCrypt Security
We understand how important security and compliance are, and we’ve worked hard to ensure our products are secure. The security and protection of our customers’ data is our top priority. This page outlines our approach to security and compliance and details the technical controls that keep your data safe.
What is FlowCrypt?
FlowCrypt is email encryption software that implements the OpenPGP standard. Messages are encrypted on your device before they leave it, using keys that only you and your recipient hold. In OpenPGP, each user has a key pair: a public key that can be shared freely and a private key that must stay secret. Together they are used to encrypt, decrypt, and digitally sign messages, providing confidentiality and integrity for your communication.
When you send an encrypted email with FlowCrypt, the message is encrypted to the recipient's public key, so only the matching private key can decrypt it and reveal its contents. The sender's private key is used to sign the message, and recipients verify that signature with the sender's public key to confirm who sent it and that it was not altered in transit. Because the recipient's public key is what protects the message, it is important to confirm you have the right key, for example by checking its fingerprint, before encrypting to it.
FlowCrypt is currently available as a browser extension and as mobile apps for Android and iOS.
Privacy and Trust
FlowCrypt has procedures in place to limit access to sensitive information and systems strictly to necessary staff. All staff members have individual credentials, and multi-factor authentication is mandatory when accessing sensitive systems. Access to systems and data is restricted using role-based access control (RBAC) and the principle of least privilege, minimizing exposure to security risks.
FlowCrypt requires its tools and service providers to maintain a security posture comparable to its own, and limits their access to data to what is necessary for the service they provide.
FlowCrypt does not sell or share customer information or data with third parties. For more details, see our Privacy Policy.
Access Control
All employees have unique usernames and passwords. System access is role-based, following the principles of deny-by-default and least privilege. Multi-factor authentication is mandatory for administrative and sensitive systems. Periodic access reviews ensure that only authorized personnel retain access. All access events are logged and monitored for suspicious activity.
Encryption
All customer data transmitted to our servers over public networks is protected using strong encryption. We require every connection to our servers, including web access, API access and our mobile apps, to use Transport Layer Security (TLS 1.2 or 1.3) with strong cipher suites.
TLS lets the client authenticate the server through its certificate (authentication of the client is only added when client certificates are deployed, which is not the default for browser or app connections), and it encrypts and integrity-protects the data in transit.
Data Storage
We host our services on trusted infrastructure providers, including Amazon Web Services (AWS), Vultr Holdings, LLC, and UpCloud, all of which maintain strong physical and operational security standards. We ensure that all data is stored securely, with access tightly controlled and monitored. FlowCrypt minimizes data collection, and message content is never stored on our servers unless explicitly initiated by the user.
Application Security
- All application changes follow a change management policy requiring proper authorization. Our Software Development Life Cycle (SDLC) enforces secure coding practices and includes automated code analysis, vulnerability scanning, and manual reviews at key stages.
- Each code change undergoes peer review, security scanning, and required unit, integration, and security testing. All branches, features, and releases are reviewed by multiple team members, with final approval from a senior engineer.
- FlowCrypt uses private GitHub repositories and leverages built-in code review tools. SemaphoreCI handles continuous integration for both back-end and front-end development, ensuring deployments are version-controlled, tested, and monitored to reduce security risks.
Security Testing
Our software has been independently audited by the respected security firm Cure53, including reviews of the FlowCrypt browser extension, FlowCrypt Android app, and FlowCrypt iOS app. In addition, we continuously monitor for vulnerabilities and implement protective measures to keep our infrastructure secure.
Bug Bounty Program
We support and value responsible disclosure. Therefore, we operate a bug bounty program, and we welcome contributions from the security community. Please review our policy for scope, rules, and reward details.
Found a security issue?
If you believe you’ve discovered a security vulnerability or concern, please email us at security@flowcrypt.com. This will immediately alert our team, and we’ll respond as quickly as possible. Please use our PGP key if you’d like to encrypt your message.
For quick reference, here is the public key fingerprint for security@flowcrypt.com:
8A03 0BAB 42CA D97F F26A A25E 283D DD9A 77AD 6AF2
If you’ve found something sensitive, we kindly ask that you reach out discreetly via email so we can verify the issue, assess its impact, and coordinate a timely fix.
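Before encrypting a report to the security@flowcrypt.com key, compare the full 40-hex-digit fingerprint of the key you actually fetched (for example the output of `gpg --fingerprint security@flowcrypt.com`) against the fingerprint printed above, not just the 16-digit short key ID, which is trivially forgeable. The following is an added example, written for this page and not FlowCrypt's own code, showing how an OpenPGP version 4 fingerprint is derived (RFC 4880 section 12.2: SHA-1 over a 0x99 byte, a two-byte length, and the public-key packet body) and how to compare it robustly against a published value regardless of spacing, colons or case. The RSA key material (`TOY_N`, `TOY_E`, `TOY_CREATED`) is a constructed 512-bit toy value, not a real key; the published fingerprint constant is the one from this page.

```python
"""Added example: derive and compare an OpenPGP v4 key fingerprint.

Illustrative code written for this page, not FlowCrypt's own code.
The RSA key material below is a constructed toy value, not a real key.
"""
import hashlib
import re
import struct

# Fingerprint published on this page for security@flowcrypt.com.
PUBLISHED_FINGERPRINT = "8A03 0BAB 42CA D97F F26A A25E 283D DD9A 77AD 6AF2"


def mpi(value):
    """Encode a positive integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    if value <= 0:
        raise ValueError("MPI must be positive")
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body


def v4_public_key_body(created, algorithm, mpis):
    """Body of a version 4 public-key packet (RFC 4880 section 5.5.2):
    version byte, 4-byte creation time, algorithm ID, then the key MPIs."""
    return (bytes([0x04]) + struct.pack(">I", created) + bytes([algorithm])
            + b"".join(mpi(m) for m in mpis))


def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99 || 2-byte body length || body."""
    if len(body) > 0xFFFF:
        raise ValueError("key packet too long for a 2-byte length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize_fingerprint(text):
    """Strip whitespace/colons and an optional 0x prefix, upper-case, and validate length."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % (text,))
    return cleaned


def format_fingerprint(text):
    """Render as ten groups of four hex digits, the way this page prints it."""
    f = normalize_fingerprint(text)
    return " ".join(f[i:i + 4] for i in range(0, 40, 4))


def key_id(fingerprint):
    """The 64-bit key ID is the low-order 8 bytes of the v4 fingerprint (not a safe identifier)."""
    return normalize_fingerprint(fingerprint)[-16:]


def fingerprint_matches(candidate, published):
    """Compare full 40-digit fingerprints; never accept a match on the short key ID alone."""
    return normalize_fingerprint(candidate) == normalize_fingerprint(published)


# Constructed toy RSA key (public-key algorithm 1). 512-bit n keeps the packet small;
# real keys are far larger. These are NOT FlowCrypt's key parameters.
TOY_CREATED = 1700000000
TOY_N = int(
    "C4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E"
    "2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F", 16)
TOY_E = 65537


def toy_fingerprint():
    """Fingerprint of the constructed toy key."""
    return v4_fingerprint(v4_public_key_body(TOY_CREATED, 1, [TOY_N, TOY_E]))


def tampered_fingerprint():
    """Same toy key with one bit of n flipped: the fingerprint must change."""
    return v4_fingerprint(v4_public_key_body(TOY_CREATED, 1, [TOY_N ^ 1, TOY_E]))


if __name__ == "__main__":
    print("toy key fingerprint:", format_fingerprint(toy_fingerprint()))
    print("toy key ID:         ", key_id(toy_fingerprint()))
    print("published:          ", format_fingerprint(PUBLISHED_FINGERPRINT))
    fetched = "8a03:0bab:42ca:d97f:f26a:a25e:283d:dd9a:77ad:6af2"  # constructed input
    print("fetched key matches published:", fingerprint_matches(fetched, PUBLISHED_FINGERPRINT))
```

The comparison helper deliberately refuses anything shorter than 40 hex digits: two different keys can share a 16-digit key ID, so a match on the key ID proves nothing. `hashlib.sha1` is used because the v4 fingerprint format is defined over SHA-1; that choice is fixed by the OpenPGP specification and is unrelated to the ciphers used to protect the message itself.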