Flinque Security Policy

Effective date: April 23, 2026
Last updated: April 23, 2026
Version: 1.0
In Plain English

The short version, for your security review

Flinque takes security seriously because our customers trust us with their campaign data, team access, and creator research. This policy describes our security program: how we protect infrastructure, applications, data, identity, and operations across every layer of the platform.

The headline points: encryption in transit and at rest, least-privilege access with multi-factor authentication, 24/7 monitoring, vulnerability scanning on every deploy, periodic penetration testing, and a documented incident response program with defined breach notification timelines.

For data handling specifics, see our Data Privacy Policy. For security concerns, use the contact page or Report an Issue.

1. Purpose and Scope

This Security Policy describes how Flinque protects the confidentiality, integrity, and availability of data across the influencer marketing platform, including flinque.com, platform.flinque.com, api.flinque.com, and supporting internal systems.

This policy complements and should be read alongside:

Where this policy provides specifics about security controls, use those details. For procurement questions that require additional documentation (security questionnaires, audit reports, TOMs annex), contact us through our contact page.

2. Our Security Program

Flinque operates a documented information security program aligned with industry frameworks including ISO 27001, SOC 2 Trust Services Criteria, NIST Cybersecurity Framework, and OWASP application security guidance.

Our security program covers the following domains:

  • Governance, risk, and compliance
  • Organizational and personnel security
  • Infrastructure and cloud security
  • Application security and secure development
  • Data protection and cryptography
  • Identity and access management
  • Network and endpoint security
  • Vulnerability and patch management
  • Third-party risk management
  • Incident detection and response
  • Business continuity and disaster recovery
  • Security awareness and training

Each domain has documented policies, defined control objectives, assigned ownership, and scheduled reviews.

3. Organizational Security

Security is the responsibility of every Flinque team member, supported by dedicated leadership and documented processes.

3.1 Security leadership

Security strategy is set at the executive level with a designated security owner who reports directly to the leadership team. The security owner is responsible for the security program, incident response, audit coordination, and compliance posture.

3.2 Personnel security

  • Background checks are performed for all new hires where legally permitted
  • All team members sign confidentiality agreements before being granted access to sensitive systems
  • Access is provisioned based on role and tied to our identity system
  • Off-boarding procedures revoke access within hours of a team member leaving
  • Contractors and third-party consultants are subject to the same access controls as employees

3.3 Security awareness and training

  • Mandatory security training during onboarding for all new team members
  • Annual refresher training covering current threats and safe practices
  • Targeted training for engineering team members covering secure coding and OWASP Top 10
  • Phishing simulation exercises to reinforce awareness
  • Security bulletins shared internally when new threats emerge

3.4 Acceptable use

Team members follow an internal acceptable use policy covering device use, credential management, data handling, and reporting of suspected incidents. Violations are handled per our internal disciplinary procedures.

4. Infrastructure Security

Flinque runs on cloud infrastructure from leading providers who themselves maintain SOC 2 Type II, ISO 27001, and other relevant certifications.

4.1 Hosting environment

  • Production workloads run in hardened virtual private clouds with strict network segmentation
  • Separate environments for production, staging, and development with no direct data flow from lower to higher environments
  • Multi-region architecture for redundancy and disaster recovery
  • Infrastructure as Code with version-controlled configuration
  • Immutable infrastructure deployments with no ad-hoc production changes

4.2 Physical security

Physical security of data centers is managed by our cloud providers, who operate SOC 2 certified facilities with 24/7 physical monitoring, biometric access control, surveillance, and environmental controls. Flinque team members have no physical access to data center equipment.

4.3 Infrastructure change management

All infrastructure changes follow a documented change-management process with peer review, automated testing, staged rollout, and rollback capability. Emergency changes follow an expedited process with post-change review.

5. Application Security

Security is built into our software development life cycle rather than bolted on at the end.

5.1 Secure development life cycle

  • Threat modeling for new features that handle sensitive data or introduce new attack surface
  • Mandatory peer code review before merge
  • Automated static application security testing (SAST) on every pull request
  • Automated software composition analysis (SCA) for third-party dependencies
  • Automated dynamic application security testing (DAST) on staging environments
  • Container and infrastructure scanning before deployment
  • Secrets scanning to prevent credentials from being committed to source control

5.2 OWASP alignment

We develop with reference to the OWASP Top 10 application security risks and the OWASP Application Security Verification Standard. Mitigations cover injection attacks, broken authentication, sensitive data exposure, broken access controls, security misconfigurations, and the other categories in the current OWASP Top 10.

5.3 API security

Our Developer API is protected by:

  • Authentication using rotating tokens scoped to specific accounts and permissions
  • Rate limiting per account and per endpoint to prevent abuse
  • Request signature validation for sensitive operations
  • Input validation and strict schema enforcement
  • Structured logging of all API activity for audit and investigation

5.4 Release and deployment

Deployments are automated through a continuous integration and delivery pipeline with mandatory security checks at each stage. Production deployments require passing tests, clean vulnerability scans, and peer approval. All deployments are logged and reversible.

6. Data Security

Data protection controls are detailed in our Data Privacy Policy. Key summary points:

6.1 Encryption

  • In transit: TLS 1.2 or higher for all traffic; HSTS enforced; HTTP automatically redirected to HTTPS
  • At rest: AES-256 encryption for databases, backups, and object storage
  • Keys: managed in a dedicated secrets management system with rotation and audit logging
  • Passwords: hashed using adaptive algorithms (bcrypt or equivalent) with per-user salt
  • Webhooks: payloads signed with HMAC-SHA256 signatures

6.2 Data classification

Data is classified based on sensitivity and handled according to its classification. Customer data, authentication credentials, and billing data receive the strongest protections. Public data such as blog content is not subject to confidentiality controls.

6.3 Backups

Production databases are backed up on a rolling schedule with backups encrypted at rest using separate key material. Backups are retained for 35 days. Backup integrity is tested through scheduled restore drills.

6.4 Data disposal

Decommissioned storage media is securely erased or physically destroyed by our cloud providers per their certified destruction processes. Customer data is purged per the schedules in our Data Retention Policy.

7. Identity and Access Management

7.1 Customer identity

  • Password complexity requirements enforced at account creation
  • Multi-factor authentication available on all plans
  • SSO with SAML 2.0 available for Enterprise customers
  • Session timeout after periods of inactivity
  • Lockout after repeated failed authentication attempts
  • Account recovery through email verification with additional safeguards for high-risk scenarios

7.2 Internal identity

  • Single sign-on with enforced multi-factor authentication for all internal systems
  • Role-based access control with least-privilege defaults
  • Just-in-time elevation for privileged access with ticketed approval
  • Quarterly access reviews to remove unused or over-privileged accounts
  • Dedicated service accounts for automated workloads with rotated credentials

7.3 Audit logging

Authentication events, privileged actions, and data access are logged with timestamps and user identity. Logs are sent to a centralized log management system with integrity protections and retained per our retention schedules.

8. Network Security

  • Segmentation: production, staging, and administrative networks are isolated with restricted traffic flows
  • Firewalls: default-deny firewall rules with explicit allow-lists for required traffic
  • DDoS protection: edge-level DDoS mitigation on public endpoints
  • Web application firewall: protects against common web application attacks
  • Bot management: detection and mitigation of scraping and automated abuse
  • VPN and bastion access: administrative access to production requires VPN with MFA
  • TLS inspection: outbound traffic from production inspected for anomalies
  • Intrusion detection: continuous monitoring for suspicious traffic patterns

Network configurations are reviewed regularly and after any material change.

9. Endpoint Security

Team member laptops and workstations are managed and protected to reduce the risk of endpoint compromise leading to data exposure.

  • Full-disk encryption enforced on all team devices
  • Endpoint detection and response (EDR) software running on all devices
  • Centrally managed device configurations with enforced security baselines
  • Automatic patching of operating systems and applications
  • Prohibited software enforcement
  • Screen lock with short inactivity timeout
  • Remote wipe capability for lost or stolen devices
  • Separation of personal and work activity where BYOD is permitted

Team members report lost or stolen devices immediately so that remote wipe and access revocation can be initiated.

10. Vulnerability Management

Vulnerabilities are identified, prioritized, and remediated on a defined schedule based on severity.

10.1 Vulnerability sources

  • Automated vulnerability scans of infrastructure, containers, and dependencies
  • SAST, DAST, and SCA integrated into the development pipeline
  • External penetration testing by qualified assessors
  • Responsible disclosure reports from external researchers
  • Vendor advisories and threat intelligence feeds

10.2 Remediation timelines

Target remediation timelines based on Common Vulnerability Scoring System (CVSS) severity:

Severity    CVSS Range     Target Remediation
Critical    9.0 to 10.0    Within 72 hours
High        7.0 to 8.9     Within 7 days
Medium      4.0 to 6.9     Within 30 days
Low         0.1 to 3.9     Within 90 days

Compensating controls are applied during the remediation window where practical. Actively exploited vulnerabilities are prioritized for expedited handling regardless of CVSS score.

11. Penetration Testing

External penetration tests are conducted by independent qualified firms at least annually and after significant architectural changes.

Scope of testing typically includes:

  • Web application testing of flinque.com and platform.flinque.com
  • API penetration testing of api.flinque.com
  • Infrastructure and network-level testing of the production environment
  • Authentication and session management
  • Access control and privilege escalation
  • Business logic and data exposure

Findings are tracked, prioritized per the severity matrix in Section 10, and remediated. Retests verify that fixes are effective.

Enterprise customers may request a summary of recent penetration test results through their Customer Success Manager, subject to confidentiality arrangements.

12. Third-Party Risk Management

Vendors who process customer data or touch production systems are subject to review before engagement and periodically thereafter.

12.1 Vendor due diligence

  • Security and privacy questionnaire for new vendors
  • Review of certifications (SOC 2 Type II, ISO 27001, equivalent)
  • Data processing agreements with vendors processing personal data
  • Standard Contractual Clauses for EU data transfers where applicable
  • Assessment of vendor incident history and reputation

12.2 Ongoing monitoring

  • Annual review of critical vendors
  • Monitoring of vendor security bulletins and incidents
  • Re-assessment triggered by material changes to vendor scope or architecture
  • Off-boarding procedures to terminate access and remove data when the relationship ends

Current sub-processor categories are listed in our Data Privacy Policy.

13. Incident Response

Flinque operates a documented incident response program to detect, contain, resolve, and learn from security incidents.

13.1 Detection and triage

  • 24/7 monitoring across infrastructure, applications, and identity systems
  • Alerting based on anomaly detection, threshold breaches, and indicators of compromise
  • On-call rotation with defined escalation paths
  • Severity classification within 1 hour of confirmed incident

13.2 Containment and resolution

  • Affected systems isolated within 4 hours of confirmed incident
  • Root cause investigation with full forensic timeline
  • Remediation deployed through emergency change procedures
  • Recovery verified before declaring the incident closed

13.3 Notification

Regulatory and customer notification follows our commitments in the Data Privacy Policy, including:

  • GDPR regulator notification within 72 hours of a qualifying breach
  • Direct customer notification when high risk to rights or freedoms exists
  • CCPA consumer notification without unreasonable delay
  • State and local law compliance where applicable

13.4 Post-incident review

Every confirmed incident concludes with a written post-incident review capturing timeline, root cause, impact, response effectiveness, and preventive actions. Action items are tracked to completion and reviewed with leadership.

14. Business Continuity and Disaster Recovery

Flinque maintains business continuity and disaster recovery plans to restore service after serious disruptions.

14.1 Architecture for resilience

  • Multi-zone production deployment with automated failover
  • Database replication with automatic promotion of standby on primary failure
  • Geographically separate backup storage with encrypted copies
  • Content delivery network distributing static assets globally

14.2 Recovery objectives

Our target recovery metrics for major production disruptions:

  • Recovery Time Objective (RTO): restore service within 4 hours of a qualifying disruption
  • Recovery Point Objective (RPO): limit data loss to the most recent 1 hour of transactions

14.3 Testing

Disaster recovery procedures are tested at least annually through tabletop exercises and live restore drills. Test results inform plan updates.

14.4 Service continuity communication

During material service disruptions, status updates are communicated through our status page, in-platform notices, and email where appropriate. For SLA commitments and service credits, see our SLA and Service Availability Policy.

15. Compliance and Certifications

Flinque’s security program is designed to align with recognized standards and regulatory frameworks relevant to B2B SaaS.

15.1 Current posture

  • Security program aligned with SOC 2 Trust Services Criteria
  • Controls mapped to ISO 27001 Annex A
  • NIST Cybersecurity Framework used as a reference model
  • OWASP application security standards applied across development
  • GDPR and CCPA privacy controls integrated into security program (see GDPR Compliance and CCPA Compliance)

15.2 Formal certifications

We are working toward formal SOC 2 Type II attestation and ISO 27001 certification. Timelines and status updates are available to Enterprise customers on request. Where certifications are not yet in place, we provide:

  • Security questionnaires (SIG Lite, SIG Core, CAIQ)
  • Details of our controls mapping to relevant frameworks
  • Summaries of recent penetration tests under NDA
  • Sub-processor list and flows documentation

15.3 Cloud provider certifications

Our underlying cloud infrastructure providers hold SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and regional certifications applicable to regulated industries. These certifications are inherited as controls over the infrastructure layer.

16. Responsible Disclosure

Security researchers play an important role in keeping the Flinque platform secure. We welcome good-faith vulnerability reports and work with researchers to fix issues before they can be exploited.

16.1 Scope

In-scope targets for responsible disclosure:

  • flinque.com and subdomains (excluding marketing-only pages)
  • platform.flinque.com application surface
  • api.flinque.com public API

Out-of-scope:

  • Social engineering of Flinque team members, customers, or vendors
  • Physical security testing of any Flinque facilities
  • Denial of service testing against production systems
  • Third-party services (Stripe, social platform APIs, etc.)
  • Spam, automated scanner output without analysis, and low-impact issues

16.2 Rules of engagement

  • Do not access, modify, or delete customer data
  • Do not disrupt service availability for other users
  • Report vulnerabilities promptly after discovery
  • Give us reasonable time to investigate and remediate before public disclosure
  • Work with us on coordinated disclosure timelines

16.3 Our commitments

When you submit a report in good faith following these guidelines, we commit to:

  • Acknowledge receipt within 1 business day
  • Provide initial triage and severity assessment within 5 business days
  • Keep you informed of remediation progress
  • Not pursue legal action against good-faith researchers
  • Offer public credit for valid findings with your consent
  • Work with you on a reasonable coordinated disclosure timeline

16.4 How to submit

Submit vulnerability reports through our contact page with the category “Security Concern”. Include a clear description of the vulnerability, reproduction steps, potential impact, and your preferred contact method.

Flinque Security Team
Flinque
Attn: Security Team
#8, Newbury Street
700 Boylston St
Boston, Massachusetts 02116
United States

Contact form: flinque.com/contact
Report an issue: flinque.com/report-an-issue