Privacy Policy

1.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Organization name and details
• Job title and role
• Phone number (optional, added in profile settings)

Note: Authentication is managed by WorkOS. We do not collect, store, or have access to your password. All authentication credentials are handled entirely by WorkOS infrastructure, including SSO, MFA, and password-based login flows.

1.2 Payment Information

When you subscribe to our services, we collect:

• Billing address
• Subscription plan and billing period (monthly or annual)
• Transaction history and invoice records

Note: Payment processing is handled entirely by Stripe. When you start a free trial or subscribe, you are redirected to Stripe's hosted checkout page, where Stripe collects your payment method directly. We never receive, transmit, or store credit card numbers, CVVs, or bank account details on our servers. During a free trial, Stripe may collect a payment method for billing at the end of the trial period.

1.3 Usage Data

We automatically collect information about how you use our platform:

• Credential deliveries created
• Features accessed
• Pages visited
• Time spent on platform
• Actions performed (credential creation, retrieval, etc.)
• Dashboard interactions

1.4 Device Information

• Device identifier
• Browser type and version
• Operating system
• Screen resolution
• IP address
• Network information (ISP, approximate location)

1.5 Log Information

Our servers automatically record:

• IP addresses
• Browser details
• Request timestamps
• API calls made
• Error logs
• Performance metrics

1.6 Authentication Data

Authentication is managed by our provider, WorkOS. When you sign in via SSO or direct login, we may receive:

• User identifiers from identity providers (Okta, Azure AD, Google Workspace)
• Profile information (name, email) from your SSO provider
• Session tokens for maintaining your logged-in state

Note: We do not receive or store OAuth tokens, passwords, or raw authentication secrets. WorkOS handles all authentication flows, token management, and MFA verification directly.

1.7 Credential Data (Encrypted)

For the purpose of secure credential delivery:

• Encrypted credentials (passwords, access tokens, keys)
• Recipient information (employee name, email, phone)
• Delivery method preferences
• Retrieval timestamps
• Passphrase hashes (for zero-knowledge mode)

1.8 Audit and Compliance Data

• User actions (credential creation, modification, deletion)
• Access attempts and authentication logs
• Security events (failed logins, suspicious activity)
• Compliance-related metadata

1.9 Customer Support Communications

• Email correspondence
• Chat messages
• Support tickets
• Feedback and surveys

2.1 Providing Our Services

• Create and manage your account
• Deliver credentials securely to recipients
• Process payments and billing
• Provide customer support
• Send service-related communications (transactional emails)

2.2 Improving Our Services

• Analyze usage patterns to improve features
• Identify and fix bugs
• Optimize performance and user experience
• Develop new features based on user feedback

2.3 Security and Fraud Prevention

• Detect and prevent fraud
• Identify and prevent security threats
• Monitor for suspicious activity
• Enforce our Terms of Service and Fair Use Policy

2.4 Compliance and Legal Obligations

• Comply with applicable laws and regulations
• Respond to legal requests (subpoenas, court orders)
• Protect our legal rights
• Enforce our agreements

2.5 Marketing Communications

• Send product updates and newsletters (you can opt-out anytime)
• Promotional offers and announcements
• Educational content about secure credential management
• Event invitations and webinars

You can opt-out of marketing emails by clicking "unsubscribe" in any email or contacting [email protected].

2.6 Analytics and Research

• Understand how our platform is used
• Measure effectiveness of features
• Conduct market research
• Generate anonymized, aggregated statistics

4.1 Service Providers (Subprocessors)

We engage third-party companies to provide infrastructure and services. These providers have access to your information only to perform tasks on our behalf.

No third-party secret access. We deliver notifications, not secrets. Messaging providers (Twilio, SendGrid) receive routing metadata only. Credential content never leaves CredentialFlow's encrypted environment until single-use retrieval by the intended recipient.

4.2 Business Transfers

If CredentialFlow is involved in a merger, acquisition, or asset sale, your personal information may be transferred. We will provide notice before your data is transferred and becomes subject to a different Privacy Policy.

4.3 Legal Requirements

We may disclose your information if required by law or if we believe such action is necessary to:

• Comply with legal process (subpoena, court order)
• Protect our rights and property
• Prevent fraud or security threats
• Protect the safety of users or the public

4.4 With Your Consent

We may share your information with third parties when you give us explicit consent to do so.

5.1 Active Accounts

• Account data: Retained while your account is active
• Usage logs: Retained for 1 year (Pro) or 7 years (Enterprise)
• Audit trails: Retained for 1 year (Pro) or 7 years (Enterprise)

5.2 Credential Data

• Active credentials: Retained until retrieved by recipient or TTL expires (default 24 hours; configurable from 5 minutes to 7 days depending on organization settings)
• Credential metadata: Retained for audit purposes (1-7 years based on plan)
• Encrypted credential content: Deleted after retrieval or TTL expiration

5.3 Employee PII (Automatic Purging)

To comply with data minimization principles:

• Employee names, emails, phone numbers are automatically purged 24 hours after credential delivery
• Anonymized audit records are retained (credential ID, timestamps, delivery status)
• No PII is retained beyond the 24-hour window unless required by law

5.4 Cancelled Accounts

• Account data: Retained for 30 days after cancellation (to allow reactivation)
• Data deletion: Permanently deleted after 30-day grace period
• Billing records: Retained for 7 years for tax/legal compliance
• Anonymized usage data: May be retained indefinitely for analytics

5.5 Data Deletion Requests

You can request immediate deletion of your data by contacting [email protected]. We will delete your data within 30 days, except where retention is required by law.

6.1 Encryption

• In transit: TLS 1.3 enforced for all connections. Older protocol versions are rejected at the network edge
• At rest: AES-256-GCM encryption for all stored data
• Credentials: Dual-control split-trust encryption using HKDF-SHA256 key derivation with AWS KMS-backed key management (FIPS 140-2 validated)
• Zero-knowledge mode: Optional client-side encryption using Argon2id key derivation with AES-256-GCM authenticated encryption. Keys never leave the browser
• Bring Your Own Key (BYOK): Customer-managed encryption keys via AWS KMS, Azure Key Vault, Google Cloud KMS, or HashiCorp Vault. Keys can be revoked at any time, cryptographically blocking all access
• Audit log integrity: All audit records are HMAC-SHA256 signed with a per-organization signature chain, making logs independently verifiable and tamper-evident

6.2 Access Controls

• Role-based access control (RBAC)
• Multi-factor authentication (MFA) required for admin accounts
• Principle of least privilege
• Session management and timeout policies

6.3 Infrastructure Security

• SOC 2 Type II attested security controls
• Ongoing vulnerability scanning, patch management, and security reviews
• Intrusion detection and prevention systems
• AWS WAF and Application Load Balancer at the network perimeter
• Multi-layer rate limiting to prevent brute force and enumeration
• AWS GuardDuty for threat detection
• CloudWatch monitoring and alerting
• Controls aligned with ISO 27001 (certification on roadmap) and HIPAA technical safeguards

For detailed security documentation, visit our Trust Center.

6.4 Application Security

• SQL injection prevention (parameterized queries)
• Cross-site scripting (XSS) protection
• CSRF token validation
• Rate limiting and DDoS protection
• Input validation and sanitization
• Secure coding practices and code reviews

6.5 Data Breach Response

In the unlikely event of a data breach:

1. We will investigate and contain the breach within 24 hours
2. We will notify affected users within 72 hours (as required by GDPR)
3. We will notify relevant authorities as required by law
4. We will provide details about the breach and remediation steps
5. We will take all necessary measures to prevent future occurrences

7.1 Right to Access

You can request a copy of your personal data by contacting us. We will provide it in a structured, commonly used format within 30 days of your request.

7.2 Right to Correction

You can update or correct your personal information through your account settings or by contacting us.

7.3 Right to Deletion

You can request deletion of your personal data, subject to legal retention requirements.

7.4 Right to Restrict Processing

You can request that we limit how we use your personal data.

7.5 Right to Data Portability

You can request a copy of your data in a portable format and transfer it to another service.

7.6 Right to Object

You can object to our processing of your personal data for certain purposes (e.g., marketing).

7.7 Right to Withdraw Consent

Where we process your data based on consent, you can withdraw consent at any time.

Sale of Personal Information

We do NOT sell your personal information.

We have not sold personal information in the past 12 months.

CCPA Rights

• Right to know: What personal information we collect, use, and share
• Right to delete: Request deletion of your personal information
• Right to opt-out: Opt-out of the sale of personal information (not applicable as we don't sell)
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights