Flosona is used by service businesses to manage scheduling, customers, invoices, and payments. Protecting the data you and your customers trust us with is a priority for us. This page describes the controls we have in place.
1. Data encryption
- All traffic between your device and our servers is encrypted using HTTPS.
- Databases and uploaded files are stored on encrypted volumes.
- Sensitive account data is further encrypted at the application layer before it reaches disk.
- On the Flosona mobile app, session data is stored in the operating system's secure storage (iOS Keychain or Android Keystore).
2. Account protection
- Passwords are hashed and salted. We never store them in plain text and we cannot view them.
- Sessions expire automatically after a period of inactivity.
- Sensitive actions such as login, password reset, and email verification are rate limited to prevent abuse.
- Repeated failed logins trigger a temporary lockout on the affected account.
- Suspicious activity is logged for review.
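To make the "hashed and salted" and "temporary lockout" controls concrete, here is an added example (not Flosona's code) of how a server can store and check passwords without ever being able to read them back, and how repeated failures can lock an account for a while. The scrypt parameters, the five-attempt threshold and the 15-minute lockout are assumed values for illustration, not Flosona's actual settings.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Assumed work-factor settings for hashlib.scrypt (tune to your hardware; these are not Flosona's values).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
# Assumed lockout policy for the example.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<hex salt>$<hex key>'. A fresh random 16-byte salt is used per password,
    so two users with the same password get different stored values."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time.
    The original password cannot be recovered from the stored string."""
    try:
        scheme, salt_hex, key_hex = stored.split("$")
        salt, key = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, key)


class LoginGuard:
    """In-memory failed-login counter with a temporary lockout per account.
    A real deployment would keep this state in a shared store; the clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._state: Dict[str, Tuple[int, float]] = {}  # account -> (failure count, locked_until)

    def is_locked(self, account: str) -> bool:
        _, locked_until = self._state.get(account, (0, 0.0))
        return self.clock() < locked_until

    def attempt(self, account: str, password: str, stored_hash: str) -> bool:
        """Return True on a successful login. While locked, refuse without checking the password."""
        if self.is_locked(account):
            return False
        if verify_password(password, stored_hash):
            self._state.pop(account, None)  # success clears the failure counter
            return True
        count, _ = self._state.get(account, (0, 0.0))
        count += 1
        locked_until = self.clock() + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._state[account] = (count, locked_until)
        return False


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample password
    guard = LoginGuard()
    print(guard.attempt("alice", "wrong", stored))                         # False
    print(guard.attempt("alice", "correct horse battery staple", stored))  # True
```

Note that the lockout check runs before the password is verified, so an attacker who has triggered the lockout gains nothing from continuing to guess, and that verification never compares hashes with `==`, which could leak timing information.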
3. Payments
- Card payments are processed by Stripe, which is certified as a PCI Service Provider Level 1.
- Card numbers and security codes are entered inside the payment provider's hosted fields. They do not pass through Flosona and we do not store them.
- Webhooks from payment providers are verified using a signed secret before we act on them.
- Payouts from Stripe Connect go directly to the business owner's bank account. Flosona does not hold customer funds.
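The webhook check described above, as an added example that is not part of this page or of Flosona's own code. It assumes the common provider format of a signature header carrying a Unix timestamp and an HMAC-SHA256 hex digest over `"<timestamp>.<raw body>"` (the shape Stripe documents for its `Stripe-Signature` header); the secret, payload and 5-minute replay window are constructed for illustration. In production you would normally call the provider SDK's own verification (for Stripe, `stripe.Webhook.construct_event`) rather than reimplementing it.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

TOLERANCE_SECONDS = 300  # assumed replay window: reject events timestamped more than 5 minutes away


class WebhookError(Exception):
    """Raised when an incoming webhook must not be acted on."""


def sign_payload(secret: str, payload: bytes, ts: int) -> str:
    """Provider-side signing for the assumed scheme: HMAC-SHA256 over '<ts>.<body>', hex encoded.
    Included here so the example can build a realistic inbound request offline."""
    signed = f"{ts}.".encode("utf-8") + payload
    return hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Parse 't=<unix ts>,v1=<hex>[,v1=<hex>...]' into (timestamp, candidate signatures).
    Several v1 values may be present while a provider rotates its secret."""
    ts: Optional[int] = None
    sigs: List[str] = []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            try:
                ts = int(value)
            except ValueError:
                raise WebhookError("malformed timestamp in signature header")
        elif key == "v1":
            sigs.append(value)
    if ts is None or not sigs:
        raise WebhookError("malformed signature header")
    return ts, sigs


def verify_webhook(payload: bytes, header: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the parsed event only if the signature is valid and the timestamp is fresh.
    Verify over the raw bytes exactly as received; re-serialising JSON first would break the MAC."""
    now = int(time.time()) if now is None else now
    ts, sigs = parse_signature_header(header)
    if abs(now - ts) > TOLERANCE_SECONDS:
        raise WebhookError("timestamp outside tolerance (possible replay)")
    expected = sign_payload(secret, payload, ts)
    # compare_digest avoids leaking where the first mismatching byte is.
    if not any(hmac.compare_digest(expected, candidate) for candidate in sigs):
        raise WebhookError("signature mismatch")
    return json.loads(payload)


if __name__ == "__main__":
    # Constructed sample request: a fake endpoint secret and a minimal event body.
    secret = "whsec_example_not_real"
    body = b'{"id":"evt_example","type":"payment_intent.succeeded"}'
    ts = int(time.time())
    header = f"t={ts},v1={sign_payload(secret, body, ts)}"
    print(verify_webhook(body, header, secret)["type"])  # payment_intent.succeeded
```

Two details matter in practice: the MAC must be computed over the raw request body before any JSON parsing, and the timestamp check is what stops a captured, correctly signed event from being replayed later.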
4. Organization and team isolation
- Every business on Flosona has its own workspace. Data from one workspace is not visible to another.
- Inside a workspace, role-based permissions limit what each team member can see and do.
- Public booking links and shared invoice links use signed, short-lived tokens so they cannot be guessed or tampered with.
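An added example of how a signed, short-lived share-link token can work; this is illustrative code, not Flosona's implementation. It assumes an HMAC-SHA256 tag over a base64url-encoded claims body containing the workspace, the shared resource and an expiry, with the signing key held only on the server. The claim names, key and time-to-live are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token fits cleanly in a link."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_link_token(key: bytes, workspace_id: str, resource: str,
                    ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return '<claims>.<signature>'. The claims are readable but cannot be altered
    without the key, and the token stops working once 'exp' has passed."""
    now = int(time.time()) if now is None else now
    claims = {"ws": workspace_id, "res": resource, "exp": now + ttl_seconds}
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    tag = _b64e(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_link_token(key: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None.
    The signature is checked before the body is parsed, so untrusted bytes are never decoded first."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = _b64e(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        claims = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def resolve_share_link(key: bytes, token: str, requested_resource: str,
                       now: Optional[int] = None) -> Optional[str]:
    """What a request handler would do: accept the token only for the resource it was minted for,
    and return the workspace the lookup must be scoped to."""
    claims = verify_link_token(key, token, now)
    if claims is None or claims.get("res") != requested_resource:
        return None
    return claims["ws"]


if __name__ == "__main__":
    server_key = b"constructed-example-key-do-not-use"  # assumed server-side secret
    token = mint_link_token(server_key, "ws_42", "invoice/INV-1001", ttl_seconds=3600)
    print(resolve_share_link(server_key, token, "invoice/INV-1001"))  # ws_42
```

Because the resource identifier is inside the signed claims, a valid token for one invoice cannot be reused to open another, and because the random-looking part is a MAC rather than a database id, there is nothing to enumerate.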
5. Backups and recovery
- Databases are backed up automatically before production deployments and on a regular rolling schedule.
- Backups are encrypted and retained long enough to restore from a recent point if needed.
- Restore procedures are tested so that backups are actually usable, not only present.
6. Application and infrastructure hygiene
- Production services run under a supervisor that restarts them on failure and enforces memory limits.
- Dependencies are kept up to date and monitored for security advisories.
- Input from the browser and the API is validated on the server before it is used or stored.
- Uploaded files are checked by type and size, stored outside the public web root, and served through the application so access controls apply on every download.
- Access tokens for connected third-party services (email, calendar, video conferencing) are stored in encrypted form.
7. Incident response
If we become aware of a security incident that affects your data, we will notify you without undue delay and explain what happened, which data was affected, and what we are doing about it. Our response follows the notification timelines required by applicable law, including Article 33 of the GDPR where it applies. See our Privacy Policy for more detail on how we handle personal data.
8. Reporting a vulnerability
If you believe you have found a security issue in Flosona, please email security@flosona.com with enough detail to reproduce it. We will acknowledge your report within three business days and keep you updated while we investigate. We ask that you avoid public disclosure until we have had a reasonable chance to fix the issue.
9. What you can do
Security works best when we both do our part. We recommend that you:
- Use a strong, unique password for your Flosona account.
- Keep your login details private and only invite team members you trust.
- Review your team list and their permissions from time to time.
- Keep your browser and mobile operating system up to date.
- Report anything that looks suspicious to us immediately.
10. Questions
For security questions, vendor security questionnaires, or enterprise procurement requests, contact us at security@flosona.com. See also our GDPR / Data Rights and Cookie Policy pages.