Security
Security & Governance
At DataFlowMapper, we understand that data security is paramount. Our architecture is designed for "Short-Term Retention," minimizing risk while providing powerful tools.
Our Security Commitment
At DataFlowMapper, we understand that data security is paramount for implementation and migration teams. We have designed our architecture for "Short-Term Retention," minimizing risk while providing the tools you need to collaborate.
Infrastructure & Compliance
We do not host our own servers. Instead, we leverage world-class, SOC2-compliant infrastructure providers to ensure enterprise-grade security and availability.
Railway (Hosting)
- Region: US-East (Virginia)
- Compliance: SOC 2 Type II
- Role: Secure application hosting and processing
Supabase (Database & Auth)
- Encryption: At-rest and in-transit
- Compliance: SOC 2 Type II, HIPAA
- Role: Authentication and encrypted storage
Vercel (Frontend, Edge & CDN)
- Security: SOC 2 Type II, ISO 27001
- Role: Secure content delivery and edge computing
- Protection: DDoS mitigation & global CDN
Sentry (Monitoring)
- Compliance: SOC 2 Type II, HIPAA
- Role: Real-time error tracking & performance monitoring
- Privacy: PII scrubbing enabled by default
Anthropic (AI Provider)
- Compliance: SOC 2 Type II
- Role: AI logic generation & PDF parsing (opt-in feature)
- Retention: No training on customer data; zero retention under DPA
Data Lifecycle & Retention
Our retention policies ensure that your sensitive client data is never permanently stored by DataFlowMapper unless explicitly saved by you to your secure library.
1. Temporary Retention
Processing occurs on isolated resources to ensure data separation. Source and transformed files are securely stored in an isolated environment for 24 hours to ensure availability for large file operations and download. After this window, an automated process permanently purges the data.
2. Library (User-Controlled)
Mapping logic files and Lookup Tables that you explicitly save to your Team Library are stored with AES-256 encryption at rest. You retain full ownership and can delete these assets at any time.
Governance & Controls
- Row Level Security (RLS): We utilize strict Row Level Security policies at the database layer, ensuring that data is cryptographically isolated to your specific user or team context.
- Automated Hygiene: Scheduled cron jobs run continuously to identify and purge any "orphaned" temporary data, ensuring strict adherence to our retention policies.
- Access Control: Team-based permissions allow you to control who within your organization can view or edit shared Mapping Logic.
AI & Privacy
Our AI features are designed to assist with logic generation without compromising data confidentiality.
- Zero Training & Zero Retention: Under our Data Processing Agreements with OpenAI and Anthropic, your data is not used to train models, and inputs and outputs are not retained by the provider after the request completes.
- Agentic Access, Scoped to Your Job: Our AI assistant operates agentically and may query schema information, field statistics, and rows from your source or transformed data as needed to generate accurate mapping and transformation logic. Access is strictly scoped to the data within the job you are actively working on.
- Optional PII Masking: For teams handling especially sensitive data, PII masking can be enabled to redact detected PII (names, emails, phone numbers, etc.) before any data is sent to the AI provider. This is opt-in and disabled by default, since enterprise data protections are provided contractually through our DPAs.
- Document Parsing: PDF files are parsed via Anthropic, a SOC 2 Type II provider that does not train on customer data and is covered by a Data Processing Agreement.
- Opt-In: AI features are completely optional and can be disabled at the team or user level.
AI workbench for client data onboarding. Built for implementation teams at vertical SaaS.
Book WalkthroughNewsletter
Get the latest updates on product features and implementation best practices.