Security at fluex isn't a checklist bolted on at the end. These four principles are wired into every code path, every deploy, every customer integration.
TLS 1.3 in transit. AES-256-GCM at rest. Per-tenant data encryption keys managed in Google Cloud KMS, rotated automatically, never co-located with the data they protect. Customer-managed keys (CMEK) available on Enterprise.
Every API request is scoped to a single tenant at the database layer. No shared compute, no cross-tenant queries, no global indexes. Enterprise customers can opt into dedicated infrastructure isolation and a single-tenant VPC deployment.
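The two paragraphs above describe an envelope-encryption design: a key-encryption key (KEK) held in Google Cloud KMS, a per-tenant data-encryption key (DEK) that is only ever stored wrapped, AES-256-GCM on the data, automatic KEK rotation, and no cross-tenant access. The Go program below is an added example of that pattern and is not fluex's code; the in-memory `KMS` type (standing in for the real KMS so it runs offline), the `dek:`/`doc:` AAD labels, and every function name are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS stands in for Google Cloud KMS so the example runs offline (an assumption,
// not fluex's code). KEKs never leave it; callers only ever hold wrapped DEKs.
type KMS struct {
	keks    map[int][]byte // KEK version -> 32-byte key; old versions kept for Unwrap
	current int
}

// WrappedDEK is what sits beside tenant metadata: the DEK sealed under a KEK version.
type WrappedDEK struct {
	KEKVersion int
	Blob       []byte
}

// Rotate adds a KEK version. Old versions stay usable for Unwrap, so rotation
// never requires re-encrypting stored documents. The zero-value KMS is usable.
func (k *KMS) Rotate() int {
	if k.keks == nil {
		k.keks = map[int][]byte{}
	}
	k.current++
	k.keks[k.current] = RandomKey()
	return k.current
}

// RandomKey returns a fresh 256-bit key (used for KEKs and per-tenant DEKs alike).
func RandomKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // AES-256-GCM for a 32-byte key
}

// Seal returns nonce||ciphertext||tag with a fresh random 96-bit nonce; aad is authenticated, not encrypted.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal; any change to ciphertext, tag or aad makes it fail.
func Open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Wrap seals a tenant's DEK under the current KEK with the tenant id as AAD, so
// a wrapped key presented in another tenant's context fails to unwrap.
func (k *KMS) Wrap(tenantID string, dek []byte) (WrappedDEK, error) {
	blob, err := Seal(k.keks[k.current], dek, []byte("dek:"+tenantID))
	return WrappedDEK{KEKVersion: k.current, Blob: blob}, err
}

func (k *KMS) Unwrap(tenantID string, w WrappedDEK) ([]byte, error) {
	kek, ok := k.keks[w.KEKVersion]
	if !ok {
		return nil, errors.New("unknown KEK version")
	}
	return Open(kek, w.Blob, []byte("dek:"+tenantID))
}

// Rewrap moves a wrapped DEK onto the current KEK; document ciphertext is untouched.
func (k *KMS) Rewrap(tenantID string, w WrappedDEK) (WrappedDEK, error) {
	dek, err := k.Unwrap(tenantID, w)
	if err != nil {
		return WrappedDEK{}, err
	}
	return k.Wrap(tenantID, dek)
}
```

Usage follows the lifecycle in the text: `k.Rotate()` once to create KEK version 1, `RandomKey()` for a new tenant's DEK, `k.Wrap(tenant, dek)` to get the only form of the DEK that is ever persisted, and `Seal(dek, doc, []byte("doc:"+tenant))` for each document. A later `k.Rotate()` followed by `k.Rewrap(tenant, wrapped)` moves the tenant onto the new KEK version while every document ciphertext stays as it was. Because the tenant id is the AAD on both the wrapped DEK and the document, `Open` with another tenant's id fails authentication rather than returning plaintext, which is the cryptographic half of the "no cross-tenant queries" guarantee; the database-layer scoping is the other half. With a real KMS, `Wrap`, `Unwrap` and `Rewrap` become remote calls and the KEK bytes never exist in the application process.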
Role-based access control. MFA required for every employee account. Production access follows a dual-approval workflow with time-bound permissions and audit logging. Engineer access to customer document content requires a documented business reason and reviewer approval.
Every extraction, every review, every export — logged with timestamp, requestor identity, model version, prompt and response. Audit metadata is immutable and exportable, ready for SOX, GDPR, CCPA or external auditor review.
We're explicit about every stage. No surprise retention, no opaque storage. Defaults are conservative; everything is configurable per contract.
TLS 1.3 from your endpoint to our API. Document bytes are never persisted in access logs. Request metadata is logged without document content.
Extraction runs in-memory only during inference. No document data crosses tenant boundaries. Sub-processor LLM calls are configurable per tenant — including no-LLM workflows.
Documents and extraction results are encrypted at rest with per-tenant keys. Retention is configurable per workflow: default 90 days, can be set to zero (no retention beyond the request).
Hard deletion at retention expiry. A 30-day soft-delete window protects against accidental loss; on request, we hard-delete immediately. Audit metadata is retained per your contract.
Audit metadata (request, response, model version, reviewer, timestamps) is queryable via API and exportable as JSON-Lines or CSV. Default audit retention: 7 years.
As a processor, fluex routes data subject requests (access, deletion, portability under GDPR or CCPA) to the controller — you. We provide tooling and a 30-day SLA for fulfillment.
We're transparent about where we are on each framework. Where an audit is in progress, we say so. Where it isn't, we say that too. Trust packets — including DPA, security questionnaire responses, and current audit reports — are available on request.
fluex acts as a data processor under GDPR Art. 28. Our standard Data Processing Addendum incorporates the EU Standard Contractual Clauses for transfers outside the EEA, and binds every sub-processor to equivalent terms. Sign the DPA at legal@fluex.com.
fluex is a service provider under CCPA §1798.140(ag). We do not sell or share personal information. Data subject requests (right to know, delete, correct, opt out of sharing) are routed to the controller; our SLA is 30 days from receipt.
Our Type II audit is currently underway. Target report date, audit progress, and our current Type I report are available under NDA — email security@fluex.com.
Business Associate Agreements are available on Enterprise contracts. PHI handling is configurable per workflow — including no-retention modes and PHI-aware redaction in audit metadata.
We list every sub-processor that handles customer data, what they do, and where they operate. Customers receive at least 30 days' notice before any addition or change, with the right to object under the DPA.
| Vendor | Purpose | Region | Data accessed |
|---|---|---|---|
| Google Cloud Platform | Compute, storage, networking, KMS | USA | Documents, extractions, audit metadata |
| OpenAI | LLM inference (configurable per tenant) | USA | Document content during inference; zero-retention API |
| Anthropic | LLM inference (configurable per tenant) | USA | Document content during inference; zero-retention API |
| New Relic | Observability (logs, metrics, traces, APM) | USA | Operational telemetry only — document bodies are scrubbed before egress |
| Twilio | Transactional SMS, WhatsApp and email notifications | USA | Recipient phone / email + transactional message content; never customer documents |
| Fingerprint | Device fingerprinting for fraud detection & KYC | USA | Browser / device fingerprint metadata; never document content |
| Cloudflare | Edge, WAF, DDoS mitigation | Global edge | Request metadata only; document bodies bypass edge cache |
Subscribe to sub-processor change notifications to receive updates 30 days before any change.
We respect security researchers and respond to good-faith reports within one business day. We commit to working transparently with reporters and crediting their work.
*.fluex.ai subdomains
Most enterprise security questionnaires take us under one business day. Sub-processor notification subscriptions, DPAs, current SOC 2 status and our pen-test summary are all available on request — no NDA gate for the high-level docs.