Start with the trust boundary
Changes involving authentication, secrets, customer data, integrations, or workflow execution are treated as security-sensitive work.
Security at VallumFlow
VallumFlow can process source code, findings, credentials, files, and activity from connected systems. We treat that access as sensitive and make security part of product design, engineering, and day-to-day operations.
Our security posture
Security decisions are made around the full path data takes through VallumFlow: when it arrives, while a workflow uses it, when a result is stored, and when someone returns to review it.
People, services, and workflow workers receive scoped access so one identity or task does not automatically gain reach across the platform.
Credentials belong in Vault and authorized secret paths, not ordinary workflow fields or logs.
Authentication, permissions, service trust, file handling, network access, and worker boundaries are covered by focused automated tests.
Security-relevant actions, job state, and service activity leave records that can support review and investigation.
Operational signals and credential alerts help surface failures and access risks that need attention.
How we work
The same security questions follow a change from design through operation: what it can access, how it can fail, what evidence it leaves, and how it can be contained.
Changes involving authentication, secrets, customer data, integrations, or workflow execution are treated as security-sensitive work.
Tests cover expected access as well as denied access, stale credentials, unsafe paths, changed request bodies, and other failure cases.
Health signals, bounded logs, audit events, and credential warnings provide a record when something needs attention.
Customer data
VallumFlow processes customer content when a configured workflow or platform action requires it. We do not sell personal data.
Source code, reports, findings, files, and workflow inputs are handled when the customer configures VallumFlow to use them.
Connected credentials are kept separate from ordinary workflow configuration and supplied only where the workflow needs them.
Usage, diagnostic, security, and audit records support operation, investigation, and customer review.
How long information is kept depends on the record type, account settings, and the applicable customer agreement.
Security review
Security and data-handling questions are answered from the current, documented controls that apply to the customer use case.
For a security review or to report a suspected vulnerability, email [email protected] with the affected area and enough detail for us to investigate. Please do not include live credentials or unnecessary customer data.
Security FAQ
VallumFlow is designed to protect the account details, source code, findings, reports, files, workflow inputs, credentials, and service records it processes. The information involved depends on the workflows and integrations a customer configures.
Access is limited by role and operational need. People, services, and workflow workers receive scoped access, credentials are kept separate from ordinary workflow data, and security-relevant activity leaves records for review.
Service health signals, request and job records, audit events, and credential warnings provide evidence for investigation. The signals used depend on the affected service and activity.
We investigate the scope, contain affected access or services, preserve the records needed for review, and address the underlying cause. When an issue affects customers, we provide relevant updates based on its impact and applicable agreements.
Yes. Send the systems you plan to connect, the data involved, and your security questions to [email protected].
Email [email protected] with reproduction steps, affected URLs or components, and the likely impact. Do not send passwords, access tokens, or unrelated customer data.