Security baseline
This page describes our security posture in plain language. Where something is still being hardened or planned, we say so — we do not claim certifications or features that are not in place.
Account and workspace structure
e-flow is designed around isolated workspaces (organizations). Users belong to a workspace through membership and role assignments. Data queries are intended to be scoped per workspace; we continue to audit routes and server logic as part of beta readiness.
Authentication
Sign-in is handled through our authentication provider (Clerk). Session protection, passwordless options, and provider-managed threat signals depend on that integration and your DNS / environment configuration being correct.
Role-based access
The product is designed to support role-based permissions so owners can limit billing, exports, or sensitive operations. Enforcement must exist on the server for every protected action — we treat any client-only check as a UX hint, not security.
Data ownership
Your business records belong to your organization. We do not sell customer lists. Operational backups and export tooling are being prepared so owners can move data on fair terms; timelines will be communicated before public launch where possible.
Payments
When card or mobile-money checkout is enabled, charges are processed through trusted providers such as Paystack. e-flow does not store full card PANs; we handle the payment metadata and reconciliation states that the product needs for operations.
Audit logs
Deeper audit trails for compliance-style reviews are planned and will roll out as modules mature — not all surfaces expose immutable audit history today.
Vulnerability reporting and response
If you identify a potential vulnerability, send us a responsible-disclosure report with reproduction steps, affected URLs, expected impact, and screenshots where possible. We prioritize triage based on user risk and respond with fix windows appropriate to severity.
Beta rollout
Controlled beta means we onboard teams deliberately, watch failure modes, and fix issues before scaling traffic. If you discover a vulnerability, email us at our support address with reproduction details.
