Security you can count on
NexoFlow is built with security as a foundation, not an afterthought. Here's how we protect your data and your team's access.
Encryption at rest and in transit
All data is encrypted at rest using AES-256. All traffic is encrypted in transit over TLS 1.2+. Credentials and OAuth tokens are encrypted before storage.
OAuth-based channel connections
Channel connections use OAuth 2.0. NexoFlow never stores your social media passwords. Access tokens are scoped to the minimum permissions required and are revocable at any time.
Webhook payload signing
All webhook deliveries are signed with HMAC-SHA256. Verify the signature on your server to ensure payloads originate from NexoFlow.
Role-based access control
Organization members access only what their role permits. Admins manage billing and org settings; Members can only access their own projects and the shared channel queue.
API key scoping
Content API keys are scoped to read-only operations by default. Keys can be rotated or revoked from the dashboard at any time.
Regular security reviews
We conduct regular internal security reviews and promptly patch disclosed vulnerabilities. Dependency updates are applied on a rolling basis.
Responsible disclosure
If you discover a security vulnerability in NexoFlow, please report it responsibly. We'll acknowledge your report within 24 hours, investigate promptly, and credit you (if desired) once the issue is resolved.
Please do not publicly disclose security issues before we've had a chance to investigate and patch them.
Report a vulnerability