Security
Protecting your data and the security of your connected Instagram account is a core part of how we build ProfileFlow. This page outlines the technical and operational measures we have in place.
1. Our Security Commitment
Security is not an afterthought at ProfileFlow — it is built into how we design and operate every part of the platform. We handle sensitive data on your behalf, including Instagram OAuth tokens and customer interaction data, and we take that responsibility seriously.
Confidentiality
Your data and credentials are accessible only to you and the systems that need them to operate your automations.
Integrity
All data transfers are cryptographically verified. We use signature verification on every webhook payload we receive.
Availability
Redundant infrastructure and monitoring ensure your automation workflows remain available and responsive.
2. Encryption at Rest
All data stored by ProfileFlow is encrypted at rest using industry-standard algorithms.
- AES-256 Encryption: All account data, automation rules, and configuration settings stored in our database are encrypted using AES-256.
- Database Encryption: Our PostgreSQL database instances use encryption at the storage layer, ensuring data is protected even if physical storage media is compromised.
- Object Storage Encryption: Files, media, and assets uploaded to our cloud storage (S3-compatible) are encrypted at rest with server-side encryption.
- OAuth Token Encryption: Instagram and Google OAuth access and refresh tokens are stored in encrypted vaults with additional application-level encryption before reaching our database.
3. Encryption in Transit
All data transmitted between your browser, our servers, and third-party APIs is encrypted in transit.
- TLS 1.3: All connections to ProfileFlow use TLS 1.3 (the latest standard). TLS 1.0 and 1.1 are not accepted.
- HTTPS Enforcement: All HTTP requests are automatically redirected to HTTPS. There is no unencrypted path to our API or dashboard.
- HSTS Headers: HTTP Strict Transport Security (HSTS) is enforced across all ProfileFlow domains to prevent protocol downgrade attacks.
- API-to-API Traffic: Connections from ProfileFlow servers to Instagram Graph API, Google OAuth, and Razorpay are all made over TLS 1.3.
4. Access Controls
Access to your data is governed by multiple layers of controls.
- Role-Based Access Control (RBAC): Each workspace has role-scoped permissions. Workspace Admins can manage members and billing; regular Members access only the features assigned to their role.
- Workspace Isolation: Data from one workspace is never accessible to users of another workspace, even within the same organization.
- Internal Access Controls: ProfileFlow staff access to production data is restricted, logged, and requires multi-factor authentication. Customer data is accessed only for support purposes with the customer's consent.
- Audit Logging: All privileged actions — including account settings changes, Instagram account connections, and billing changes — are logged with timestamp, user, and action details.
5. OAuth & Token Security
Instagram and Google OAuth tokens represent the most sensitive data ProfileFlow handles. We apply additional protections beyond standard encryption.
- Short-Lived Access Tokens: We use short-lived access tokens where supported by the OAuth provider and refresh them automatically, minimizing the window of exposure for any single token.
- Refresh Token Rotation: Refresh tokens are rotated on each use. An old refresh token is immediately invalidated once a new one is issued.
- Tokens Never Logged: Instagram and Google access tokens are never written to application logs, error reporting systems, or monitoring dashboards.
- Immediate Revocation on Disconnect: When you disconnect your Instagram account or delete your ProfileFlow account, all stored tokens are immediately revoked and deleted from our systems.
- State Parameter: OAuth flows use a time-limited (10-minute) CSRF state parameter to prevent cross-site request forgery attacks during the authentication callback.
6. Webhook Security
ProfileFlow receives real-time event notifications from Meta and Razorpay via webhooks. Every webhook payload is cryptographically verified before processing.
Meta / Instagram Webhooks
All incoming Meta webhook events are verified using X-Hub-Signature-256 HMAC verification with our Meta app secret before any processing occurs. Payloads that fail signature verification are silently rejected.
Razorpay Webhooks
Razorpay payment and subscription events are verified using HMAC-SHA256 signature verification with our Razorpay webhook secret before any billing state is updated. This prevents fraudulent billing events.
7. Monitoring & Logging
We operate continuous monitoring to detect and respond to security incidents.
- Real-Time Security Monitoring: Automated alerts are triggered for anomalous patterns, including unusual authentication attempts, API rate limit breaches, and unexpected geographic access patterns.
- Audit Log Retention: Security and audit logs are retained for 90 days to support incident investigation and forensics.
- Anomaly Detection: Unusual automation activity (such as high-frequency trigger patterns) is flagged for review to detect potential account compromise.
- Incident Response: In the event of a security incident affecting your data, we will notify affected users within 72 hours of discovery and provide guidance on protective steps.
8. Vulnerability Reporting
We appreciate the security research community and are committed to responsible disclosure. If you discover a security vulnerability in ProfileFlow, please report it responsibly.
How to Report
- Email admin@profileflow.bio with the subject line "Security Vulnerability".
- Include a clear description of the vulnerability, the steps to reproduce it, and its potential impact.
- Please do not publicly disclose the vulnerability until we have had the opportunity to investigate and remediate.
Our Commitment
We will acknowledge receipt of your report within 48 hours, investigate all reports seriously, and keep you informed of our progress.
Bug Bounty
We do not currently operate a paid bug bounty program, but we publicly acknowledge researchers who responsibly disclose valid security issues.
For all other security questions or concerns, contact admin@profileflow.bio. See our Privacy Policy for how we handle your data.