Security

Your clients trust you with their social accounts. You trust us with theirs. Here's what that actually looks like in the codebase.

Encrypted everywhere.
TLS 1.3 in transit (enforced at the reverse proxy; legacy TLS versions disabled), AES-256 at rest. HSTS preloaded.
HttpOnly cookies, CSRF tokens on every state change, per-email rate limiting on login, HMAC-signed client portal sessions.
Every row carries its org ID as a foreign key. Every query filters by session org. No shared global tables, no leakage vectors.
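The org-scoping rule above, shown as a small query builder. This is an added example, not OMMFlow's code: the table names, the `org_id` column and the `$n` placeholder style are assumptions. The point is structural: the tenant predicate is always the first clause and always a bound parameter, and a request with no org in its session cannot produce a query at all.

```javascript
// Added example (not OMMFlow's code). Assumed schema: every tenant table has an
// org_id column; placeholders follow the PostgreSQL $1, $2 ... convention.
const TENANT_TABLES = new Set(['posts', 'accounts', 'audit_log']); // assumed

function scopedSelect(session, table, extraWhere = {}) {
  const orgId = session && session.orgId;
  if (orgId === undefined || orgId === null || orgId === '') {
    // No tenant in the session means no query: fail closed rather than
    // fall back to an unscoped SELECT.
    throw new Error('session has no org id; refusing to build an unscoped query');
  }
  if (!TENANT_TABLES.has(table)) throw new Error(`unknown table: ${table}`);

  // org_id is the first predicate and is bound, not interpolated, so caller
  // input can neither drop the tenant filter nor inject into it.
  const clauses = ['org_id = $1'];
  const params = [orgId];
  for (const [col, val] of Object.entries(extraWhere)) {
    // Column names come from code, not users; still, whitelist the shape.
    if (!/^[a-z_]+$/.test(col)) throw new Error(`bad column name: ${col}`);
    params.push(val);
    clauses.push(`${col} = $${params.length}`);
  }
  return { text: `SELECT * FROM ${table} WHERE ${clauses.join(' AND ')}`, params };
}

// Defence in depth: a row that comes back from any path must still belong to
// the session's org, or something upstream has already gone wrong.
function assertOwnedBySession(session, row) {
  if (!row || row.org_id !== session.orgId) {
    throw new Error('cross-tenant row reached the handler');
  }
  return row;
}

module.exports = { scopedSelect, assertOwnedBySession };
```

A repository layer that only exposes `scopedSelect`-style helpers (no raw query entry point) is what turns "every query filters by session org" from a convention into something a code review can verify mechanically.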
Every inbound webhook is authenticated with HMAC-SHA256 signatures. Invalid signatures are rejected before any handler runs.
Strict-Transport-Security, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy, and a scoped Content-Security-Policy.
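The header set listed above as Express-style middleware, paired with the kind of check a per-deploy audit runs against a live response. This is an added example, not OMMFlow's code or its published policy: the HSTS lifetime, the Permissions-Policy feature list and the CSP directive values are assumptions (the page says the CSP is scoped but does not print it).

```javascript
// Added example (not OMMFlow's code). Header values below are assumptions
// chosen to satisfy the checks in auditHeaders(); substitute the real policy.
const SECURITY_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; " +
    "frame-ancestors 'none'; base-uri 'self'",
};

// Express-compatible middleware: set every header on every response.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  next();
}

// Audit check: given the headers a deployed endpoint actually returned, list
// what is missing or weakened. Empty array means the response passes.
function auditHeaders(actual) {
  const h = Object.fromEntries(
    Object.entries(actual).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    // Preload list requires max-age >= 1 year, includeSubDomains and preload.
    if (!m || Number(m[1]) < 31536000) findings.push('HSTS max-age below one year');
    if (!/includesubdomains/i.test(hsts)) findings.push('HSTS missing includeSubDomains');
    if (!/preload/i.test(hsts)) findings.push('HSTS missing preload');
  }
  if (!/^deny$/i.test(h['x-frame-options'] || '')) findings.push('X-Frame-Options is not DENY');
  if (!/^nosniff$/i.test(h['x-content-type-options'] || '')) findings.push('X-Content-Type-Options is not nosniff');
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');
  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    if (/'unsafe-inline'|'unsafe-eval'/i.test(csp)) findings.push('CSP allows unsafe-inline or unsafe-eval');
    if (/(^|\s)\*(\s|;|$)/.test(csp)) findings.push('CSP contains a bare wildcard source');
    if (!/frame-ancestors/i.test(csp)) findings.push('CSP has no frame-ancestors directive');
  }
  return findings;
}

module.exports = { SECURITY_HEADERS, securityHeaders, auditHeaders };
```

Running `auditHeaders` against a fetched response after each deploy is the simplest way to make a regression in the reverse proxy or framework config fail the build rather than surface in a pentest.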
Every mutation writes an audit log entry (actor, action, resource, timestamp) — retained indefinitely per org.
Custom audience uploads for Paid Media (emails) are SHA-256 hashed client-side via the Web Crypto API before transmission. Raw PII never reaches our server or the ad platform in cleartext. Ad spend debits your client's own ad account — OMMFlow never handles ad-spend funds.
Automated security audit
Our continuously-run security audit scored 95 out of 100 across 82 tests covering SSL, headers, API authentication, webhook integrity, error handling, and performance. The suite runs on every deploy so regressions surface immediately.
SSL / TLS: 10 / 10
Headers: 14 / 14
Authentication: 19 / 20
API protection: 20 / 20
Webhooks: 10 / 10
Error handling: 5 / 5
Performance: 4 / 4
Tests passing: 82 / 83
Proactive disclosure within 72 hours of confirming any breach affecting your data, with specifics about what was exposed and what we're doing about it. No PR filter. No "limited technical issue" euphemisms.
Found something? Disclose responsibly to security@omm-flow.com.