Security at Flagify
Feature flags sit in the critical path of your application. We treat that responsibility seriously.
Last updated: March 28, 2026
Data protection
How we protect your data
Encryption in transit
All communication between your applications, the Flagify SDKs, and our servers is encrypted with TLS 1.2 or higher. API endpoints enforce HTTPS — plaintext HTTP requests are rejected.
Encryption at rest
All stored data, including flag configurations, audit logs, and account information, is encrypted at rest using AES-256. Database backups are encrypted with the same standard.
API key isolation
Each environment (development, staging, production) uses independent API keys. Server-side and client-side keys are separated — client-side keys can only evaluate flags, never modify them.
Local evaluation
Flagify SDKs evaluate flags locally after an initial sync. Your user context data stays in your application and is never sent to our servers during evaluation. Only flag configuration data is transmitted.
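The two properties above (client-side keys that can evaluate but never modify, and evaluation that keeps the user context inside the application) can be modelled in a few lines. The following is an added illustration, not Flagify's SDK or API: the key format, the key registry, the rule format and every function name are assumptions made for this example.

```python
"""Hypothetical model of per-environment, per-side API key scoping and of local
flag evaluation. Nothing here is Flagify's real key format, API or rule syntax;
it only demonstrates the two properties described on the page."""
from dataclasses import dataclass, field
from typing import Any


class Forbidden(Exception):
    """Raised when a key is unknown or lacks the scope for the requested action."""


# Constructed key registry: key -> (environment, scope). Keys are placeholders;
# a real service would look up hashed keys server-side.
KEY_REGISTRY = {
    "client-prod-example": ("production", "evaluate"),
    "server-prod-example": ("production", "modify"),
    "client-dev-example": ("development", "evaluate"),
}


@dataclass
class FlagConfig:
    """Per-environment flag configuration. This is the only thing that crosses
    the wire during sync; user context never does."""
    flags: dict[str, dict[str, Any]] = field(default_factory=dict)


# Constructed server-side store, one config per environment. Rule format is an
# assumption: serve `serve` when user[attr] == equals, else fall back to default.
STORE = {
    "production": FlagConfig({
        "new-checkout": {
            "default": False,
            "rules": [{"attr": "plan", "equals": "enterprise", "serve": True}],
        }
    }),
    "development": FlagConfig({"new-checkout": {"default": True, "rules": []}}),
}


def authorize(api_key: str, action: str) -> str:
    """Return the environment the key belongs to, or raise Forbidden.
    `action` is "evaluate" or "modify"; only "modify"-scoped (server-side) keys
    may change flags, and every key is bound to exactly one environment."""
    env, scope = KEY_REGISTRY.get(api_key, (None, None))
    if env is None:
        raise Forbidden("unknown API key")
    if action == "modify" and scope != "modify":
        raise Forbidden("client-side keys can evaluate flags but not modify them")
    return env


def sync(api_key: str) -> FlagConfig:
    """Simulated initial SDK sync: authorizes the key for evaluation and returns
    the configuration for that key's environment and nothing else."""
    env = authorize(api_key, "evaluate")
    return STORE[env]


def set_flag(api_key: str, name: str, default: bool) -> None:
    """Simulated management call: requires a server-side (modify) key."""
    env = authorize(api_key, "modify")
    STORE[env].flags.setdefault(name, {"rules": []})["default"] = default


def evaluate(config: FlagConfig, name: str, user: dict[str, Any]) -> bool:
    """Local evaluation: runs entirely in-process against the synced config.
    The `user` dict is consulted here and is never passed to sync()/set_flag(),
    so it never leaves the application."""
    flag = config.flags[name]
    for rule in flag["rules"]:
        if user.get(rule["attr"]) == rule["equals"]:
            return rule["serve"]
    return flag["default"]
```

The point to notice is where the user context appears: only in `evaluate`, which takes the already-synced configuration as input. The network-facing functions (`sync`, `set_flag`) never receive it, and a client-side key that reaches `set_flag` is rejected by `authorize` before any state changes.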
Infrastructure
Platform security
Cloud infrastructure
Flagify runs on SOC 2 Type II certified cloud infrastructure with redundancy across multiple availability zones. We use isolated VPCs, firewalled subnets, and principle-of-least-privilege access controls.
Access controls
Internal access to production systems requires multi-factor authentication, VPN, and role-based access. Access is logged and reviewed regularly. No single individual has unilateral access to production data.
Dependency management
We use automated vulnerability scanning on all dependencies. Critical vulnerabilities are patched within 24 hours. Our SDKs are intentionally minimal, with zero or near-zero runtime dependencies.
Audit logging
Every flag change, permission update, environment modification, and API key rotation is recorded in an immutable audit log. Logs include who made the change, when, and what was modified.
Responsible disclosure
Report a vulnerability
If you discover a security vulnerability in the Flagify platform or any of our open source SDKs, we want to hear from you. We appreciate responsible disclosure and will work with you to resolve the issue promptly.
Guidelines
- Provide a clear description of the vulnerability and steps to reproduce
- Give us reasonable time to address the issue before public disclosure
- Do not access, modify, or delete data belonging to other users
- Do not perform denial-of-service testing against our production systems
Compliance
Standards and certifications
Flagify is building toward SOC 2 Type II certification. We follow industry-standard security practices aligned with SOC 2 Trust Service Criteria and OWASP guidelines. Enterprise customers can request our security questionnaire and detailed documentation.
Security questions?
For security inquiries, vulnerability reports, or to request our security documentation, contact our team.