Trust & Safety

Security at ThinkFlow AI

A Product of AppOrigin Inc.

We take the security of your data, designs, and payment information seriously. Here is how we protect you.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3. We enforce HTTPS across all endpoints and use HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks and cookie hijacking.

Encryption at Rest

All user data stored in our database is encrypted at rest using AES-256 encryption. Database backups are also encrypted and stored in geographically distributed locations with restricted access.

Payment Security

We never store credit card numbers, CVV codes, or full card data. All payments are processed by Stripe, which holds PCI DSS Level 1 certification — the highest level of payment security. We store only a Stripe customer ID for billing reference.

Access Controls

We implement strict role-based access controls (RBAC). Your designs and projects are private by default and only accessible to you. Sharing a design requires an explicit action from you, generating a unique token-based URL.

Infrastructure Security

Our infrastructure runs on enterprise-grade cloud providers with SOC 2 Type II certification. We use automated vulnerability scanning, dependency auditing via Dependabot, and regular security reviews of all production systems.

Authentication & Sessions

We use secure OAuth 2.0 authentication with signed JWT session tokens (HS256). Sessions are invalidated on logout and expire automatically after periods of inactivity. We do not store passwords — authentication is delegated to our OAuth provider.

API Security

All API endpoints are protected with authentication middleware. Rate limiting is enforced on all public and authenticated endpoints to prevent abuse. Parameterized queries prevent SQL injection, and input validation helps guard against cross-site scripting (XSS).

AI Prompt Safety

User prompts are processed server-side only — your API keys are never exposed to the client. We implement content filtering to prevent misuse of our AI generation capabilities and log all generation requests for abuse detection.

Our Security Practices

Security is built into every layer of our development and operations process.

  • Regular security audits and penetration testing by third-party firms
  • Automated dependency vulnerability scanning on every commit
  • Secure Software Development Lifecycle (SSDLC) enforced across all code changes
  • Employee security training and quarterly access reviews
  • Documented incident response plan with defined SLAs (48-hour response)
  • GDPR and CCPA compliance measures for user data rights
  • Data minimization — we only collect what is necessary to provide the Service
  • Regular encrypted backups with tested restore procedures
  • Principle of least privilege for all internal system access
  • Separate production and development environments with no shared credentials

Responsible Disclosure Policy

If you discover a security vulnerability in ThinkFlow AI, we encourage you to report it to us responsibly. We take all reports seriously and commit to:

  • Acknowledge your report within 48 hours
  • Provide a timeline for remediation within 7 days
  • Credit you publicly (with your permission) after the fix
  • Not pursue legal action for good-faith disclosures

Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them (typically 90 days).

Security Contact

For security concerns, vulnerability reports, or data breach notifications, contact us directly:

Email: [email protected]

Phone: +1 732-798-0333

For urgent security incidents, please call directly. Email reports are monitored during business hours (9am–6pm ET, Mon–Fri).

Compliance & Standards

  • GDPR Compliant
  • CCPA Compliant
  • PCI DSS (via Stripe)
  • TLS 1.3
  • AES-256 Encryption
  • OAuth 2.0