FlowCore AI conducts risk assessments at least once a year and additionally as needed. Each assessment produces a report that identifies and categorizes risks; the report is reviewed with management and stakeholders, and the identified risks are recorded in a risk register. To reinforce the risk assessment process, FlowCore AI also carries out annual business impact assessments of its applications, which verify the effectiveness of controls and security measures for essential systems.
FlowCore AI operates a vendor risk management program that includes routine monitoring and evaluation of suppliers' ability to meet security and compliance requirements. The program covers both business systems and technical assets used for service delivery.
FlowCore AI mandates that all employees use Single Sign-On for access to essential business systems. In addition, staff access to the company's digital assets is permitted only with MFA enabled. Special care is given to protecting staff IT equipment: use of unsecured networks is prohibited in daily operations and permitted only in controlled testing scenarios. Regular IT equipment audits are performed, and corrective actions are taken immediately where required to protect staff equipment against known security threats.
Upon joining FlowCore AI, new hires must complete security and privacy awareness training as part of their onboarding. All staff members must then attend recurring security and privacy awareness training at least once a year. The goal of each training is to keep staff up to date with emerging security threats and best practices and to refresh their knowledge of security and privacy principles.
FlowCore AI uses SAST, DAST, and SCA tools to identify potential security weaknesses in our codebase and images. As part of our documented Vulnerability Management policy and procedures, every finding is tracked in the defect management tool and assigned to an appropriate owner for remediation, prioritized by risk and impact according to our established guidelines.
FlowCore AI is committed to performing regular penetration tests using industry-standard tools and to remediating all findings according to their risk level and the associated SLAs. Periodic internal technical security assessments are conducted at least once a year or after a major release, and results are documented following our vulnerability management process. Clients may generally perform their own penetration testing against any service delivered through our professional services; the terms and conditions for such testing are typically part of our contracts, SoWs, and acceptance criteria.
The company is committed to resolving actual or suspected security incidents affecting the company, our customers, and our affiliates with due diligence and deliberate speed. Any employee or contractor who becomes aware of a suspected incident must report it immediately via the Incident Report Form. Employees and contractors must not attempt to verify or exploit suspected security weaknesses themselves: such testing could be interpreted as misuse of the system, could damage the information system or service, and could expose the individual to legal liability. Staff must not disclose information relating to an incident involving company or customer information to any third party without the explicit authorization of the company CEO or Legal team. All requests for information from clients or other third parties during or after an incident shall be referred to the company CEO, who will escalate the request as necessary.
Systems that contain sensitive, critical, or valuable company information generate logs that capture additions, modifications, and deletions of configuration and information, as well as sensitive transactions. System commands are traceable to specific individuals through these logs. Information security events are logged to identify exceptions to information technology policies. In the event of a security-related IT incident, the company Engineering team investigates for security violations. Access requests to customer data are logged, and logs are reviewed regularly. The company reserves the right, at any time, to inspect all data held on the company's computer equipment and to inspect all email and other electronic data entering, leaving, or within the corporate network to ensure conformity with the following:
Traffic to and from FlowCore AI's cloud environments is encrypted in transit. HTTPS is enforced not only for traffic entering and leaving our VPCs but also for traffic between services inside them. The cryptographic framework is as follows:
Data at rest, including database records and logs, is encrypted with AES-256. A symmetric key scheme is currently in use.
Change management is a formal process within FlowCore AI. Its primary principle is to track all changes, including their review and approval steps. Every change is reviewed before being promoted to our development and staging environments for thorough testing. Changes are pushed to production on a sprint basis, and any pull request to the production branch triggers the complete test suite, as defined in the Software Design and Development Lifecycle process.
FlowCore AI conducts frequent backups of our systems and data, including customer-related or business-critical information. Backup files are stored redundantly across multiple availability zones and are always encrypted. Access to backups is limited according to the principle of least privilege.
FlowCore AI operates a documented Business Continuity and Disaster Recovery (BCDR) program, which is reviewed, tested, and updated at least once a year or as needed. Our RPO is 6 hours, and our RTO is 2 hours for services with a high level of criticality and 4 hours for the remaining services.