Security Overview

01Overview

FailSafe is a SaaS platform that connects to Microsoft 365 and Google Workspace tenants using read only API access. We use that access to discover unsanctioned tools, third party app permissions, identity risks, and license assignments, then surface the findings in the portal and in a PDF report.

Because the data we look at is sensitive, we have designed FailSafe to read the minimum necessary, store it under tenancy isolation, encrypt it at rest and in transit, and let you revoke access at any time.

02Hosting and Data Residency

FailSafe runs on Railway, a US based cloud platform that provides our application hosting and managed PostgreSQL database. All production infrastructure is located in the United States.

• Application servers. Containerized FastAPI service on Railway, US region.
• Database. Managed PostgreSQL on Railway, US region.
• File storage. Persistent volume mounted in the application container, holding PDF reports and scan output.
• Marketing site. Static site on Netlify, served from US edge locations.
• Backups. Daily managed snapshots of the PostgreSQL database, retained by Railway, encrypted at rest.

We do not replicate customer data to regions outside the United States. If you operate from outside the US and access the service, your data will be transferred to and processed in the United States as described in our Privacy Policy.

03Encryption

In transit

Every customer connection to portal.optiflowlabs.ai, optiflowlabs.ai, and the FailSafe API runs over TLS 1.2 or higher. HSTS is enabled. Internal connections between the application and the managed PostgreSQL database also use TLS.

At rest

• Database. AES 256 encryption at rest provided by the Railway managed PostgreSQL service.
• Persistent volume. Encrypted at rest by the underlying Railway storage provider.
• OAuth tokens, service account keys, and other sensitive secrets. Encrypted at the application layer using symmetric encryption with keys held in Railway secret storage, before being written to the database. Decryption happens only inside the application process during a scan.

04Authentication and Access Controls

Customer authentication

• Email and password sign in with NIST aligned password requirements.
• Multi factor authentication available on every customer account.
• Email verification required before first sign in.
• Authentication endpoints rate limited to prevent brute force and credential stuffing.
• Session tokens scoped to the customer account, revoked on sign out and on account deletion.

Role based access in the portal

FailSafe has three roles: client (the customer business viewing its own engagement), admin (internal OptiFlow Labs staff), and partner (managed service provider managing client engagements on behalf of an SMB). Every customer facing API endpoint runs an engagement access check before returning data, scoped to the actor's role and to the engagement they are permitted to see.

Account deletion

Customers can request account deletion from the portal. Deletion runs as a soft delete first (data marked for removal, Stripe subscription cancelled), then a nightly job at 04:00 UTC hard deletes the underlying records and report files. Audit log entries are retained for the period described in section 07.

05Internal Access at OptiFlow Labs

OptiFlow Labs operates as a small team. Production access is limited accordingly.

• Production database and infrastructure access is restricted to the founder. New team members will be added under named accounts with role scoped permissions when the team grows.
• Administrative actions inside the portal are recorded in an append only audit log. Audit log records are protected by PostgreSQL row triggers that prevent updates entirely and prevent deletes within a 30 day floor.
• Internal access to customer data occurs only when investigating a support ticket you have raised, responding to a billing question, or investigating a security incident affecting your engagement. Read only data inspection for incident response is logged.
• We do not browse customer engagement data for sales, marketing, training, or research purposes.

06Tenancy Isolation

FailSafe is multi tenant by design with logical isolation between customer engagements.

• Every customer record is scoped to an engagement, and every engagement is scoped to either a direct customer account or a channel partner account.
• Every customer facing API endpoint applies a tenancy filter before returning data, parameterized by the authenticated actor's role and the engagement identifier in the request.
• Cross tenant access is prevented at the query layer rather than relying on application logic alone.
• An insecure direct object reference (IDOR) sweep was completed across all engagement scoped routes on May 11, 2026, with zero findings.

07Data Retention and Deletion

• Account data. Retained for the duration of your subscription, plus up to 90 days after termination for billing and audit purposes.
• Engagement and scan data. Retained while the engagement is active and for up to 12 months after completion, unless you request earlier deletion.
• Audit logs. Retained for 24 months. Protected by PostgreSQL row triggers that prevent updates and prevent deletes within a 30 day floor, providing an immutable evidentiary base.
• Aggregated and anonymized data. Data that cannot reasonably be used to identify you may be retained indefinitely for benchmarking and product improvement.

You can request early deletion of your engagement or account at any time by emailing privacy@optiflowlabs.ai. The full Privacy Policy is at optiflowlabs.ai/privacy.

08Service Providers

The following service providers handle data on our behalf in support of the FailSafe platform. Each is contractually bound to use the data only for the services they provide to us, and each is hosted in the United States.

• Railway, Inc. Application hosting and managed PostgreSQL database.
• Stripe, Inc. Payment processing for direct and annual subscriptions. We do not store card numbers; Stripe holds payment details directly.
• Postmark (Wildbit, LLC). Transactional email delivery for verification, scan complete notifications, account changes, and billing notices.
• SendGrid (Twilio, Inc.). Weekly digest email delivery to customers who have opted in.
• Anthropic, PBC. AI vendor enrichment via the Claude API. Sends vendor names and public catalog metadata only. No customer PII, mailbox content, or engagement records are sent. Anthropic does not train on data sent through its API.
• Netlify, Inc. Hosting for the marketing site at optiflowlabs.ai. Handles no customer engagement data.
• UptimeRobot. External availability monitoring of the portal and API. Sees response codes and latency only, no customer data.

Microsoft and Google APIs (Microsoft Graph and the Google Admin SDK and Gmail API) are not service providers to OptiFlow Labs. They are the customer's own tenant systems, accessed under credentials the customer authorized. We pull data from those systems on the customer's behalf and persist it in our database as described above.

09Incident Response

We treat any unauthorized access to customer data, loss of integrity of customer data, or material service outage as a security incident.

• Detection. UptimeRobot monitors portal and API availability continuously. Application errors are surfaced through Railway logs and reviewed daily.
• Containment. On a suspected incident, the affected service is isolated, credentials are rotated if relevant, and the underlying cause is investigated using the audit log.
• Customer notification. Customers affected by a confirmed security incident involving their data will be notified by email at the administrative contact on file. We target notification within 72 hours of confirmation, in line with common regulatory timelines.
• Postmortem. Material incidents are documented internally, with corrective actions tracked through to completion.

Security reports and vulnerability disclosures are welcome at security@optiflowlabs.ai.

10Vulnerability Management

• Dependency audits. A CI workflow runs on every push to main, scanning dependencies for known vulnerabilities and failing the build on high severity findings.
• Code review. Changes to authentication, authorization, and tenancy filtering code paths are reviewed before merge.
• Hardening completed in 2026. Server side rate limits on authentication and reset endpoints. Content Security Policy headers in production. Strict same site cookie settings. SSRF protections on the PDF rendering pipeline. Prompt injection hardening on AI vendor enrichment. Engagement scoped IDOR sweep completed across all customer facing routes.
• Secrets management. Application secrets are held in Railway environment variables and never committed to the source repository.

11Compliance Roadmap

FailSafe is not currently SOC 2 attested. We operate today with controls aligned to the SOC 2 trust services criteria, and our intent is to pursue SOC 2 Type 1 in 2027 once the customer base supports the audit and tooling investment.

The frameworks that customers most often map us against, and that we map our own reports to:

• NIST Cybersecurity Framework (CSF)
• CIS Controls v8
• SOC 2 (Security, Availability, Confidentiality criteria)
• ISO 27001:2025

Customers running FailSafe receive a posture report mapped to these frameworks. The mapping is part of every engagement deliverable.

12What We Do Not Have Yet

We are an early stage platform. We list the gaps openly because pretending otherwise is worse than naming them.

• SOC 2 attestation. Not yet. Targeting Type 1 in 2027.
• Third party penetration test report. Not yet. Internal hardening and an IDOR sweep have been completed; an external test is planned ahead of the SOC 2 audit.
• Formal bug bounty program. Not yet. Responsible disclosure is welcomed at the contact address below in the meantime.
• Published disaster recovery runbook. Backups exist and are managed by Railway. A documented recovery drill and runbook are on the roadmap.
• Error aggregation through Sentry or equivalent. Not yet. Errors are reviewed from Railway application logs today.

13Contact

If you have questions about this Security Overview, need a vendor security questionnaire completed, or want to report a vulnerability, please contact us: