trust
the current security and privacy posture.
floo is owned and operated by floo labs Inc. This page gives companies the practical diligence facts: data handling, security controls, subprocessors, and the limits of what we claim today.
last updated: June 25, 2026
legal entity
floo labs Inc
privacy contact
privacy@getfloo.com
security contact
team@getfloo.com
controls
how floo protects customer systems
runtime isolation
Customer workloads run as separate Cloud Run services with dedicated service accounts per app. floo currently runs in a shared Google Cloud project by default.
secret handling
Customer environment variables, managed-service credentials, webhook signing secrets, and shared passwords are encrypted at rest. Traffic to floo endpoints uses TLS.
access control
Platform access uses floo API keys or WorkOS sessions. Organization membership and key scope are both enforced before account or app data is returned.
managed auth
Managed auth uses browser-bound one-time state, one-time callback handoffs, and host-only managed session cookies. The gateway strips managed session cookies before proxying requests upstream.
auditability
Sensitive organization actions are written to the audit log. Removing a member invalidates their active sessions.
operational visibility
Public platform health is available at /status. Responsible disclosure reports go to team@getfloo.com and /.well-known/security.txt.
subprocessors
services that process customer data
floo uses these providers to operate the platform. We do not sell personal information, use advertising partners, or run third-party tracking analytics.
| provider | purpose | data handled |
|---|---|---|
| Google Cloud | cloud hosting, builds, managed databases, storage, logs, and metrics | source code, application data, deploy metadata, logs, metrics, managed-service data |
| GitHub | repository connection, source archive access, webhooks, and release metadata | repository metadata, source archives, commit metadata, pull request metadata |
| WorkOS | authentication and identity | names, email addresses, authentication events, session metadata |
| Stripe | payments, subscriptions, invoicing, and billing portal | billing contact details, subscription records, invoice metadata, payment metadata |
| Resend | transactional email delivery | email addresses, message content, delivery metadata |
| Sentry | error monitoring and production diagnostics | error events, stack traces, request metadata, diagnostic context |
| Upstash | Redis-backed callbacks, queues, route snapshots, and cache | temporary tokens, callback state, queue data, cache data, route metadata |
current limits
what we do not claim today
floo is in beta. The right trust posture is to be precise about what exists today and what belongs in an enterprise engagement.
- floo does not claim SOC 2 compliance today.
- floo does not advertise SAML or SCIM as generally available today.
- floo does not provide customer-managed encryption keys today.
- floo does not provide dedicated customer projects by default. Dedicated infrastructure is scoped case by case for enterprise engagements.
- floo does not run a public bug bounty today.