Security as a first principle, not an afterthought.
OkFlow is built on a hardened cloud foundation with end-to-end encryption, scoped permissions, audited code, and predictable incident response. Procurement-ready from day one.
Download trust report · Talk to our security team
Six layers, one standard.
AES-256 at rest, TLS 1.3 in transit
Customer data is encrypted on every disk and over every wire. Per-tenant encryption keys, automatically rotated.
SSO, SCIM, role-based access
SAML, OIDC, SCIM provisioning. Workspace owners control roles, projects, and reviewer permissions down to the URL.
AWS multi-AZ, isolated tenants
Hosted in AWS us-east-1 + eu-west-1. Logical tenant isolation. Daily encrypted backups, 99.95% uptime SLA on Enterprise.
Audited, dependency-scanned
Every PR reviewed. Snyk + Dependabot in CI. Annual third-party penetration tests. Bug bounty program live since 2023.
You own your data, always
No model training, no third-party selling. Export anytime in JSON. Hard-delete on workspace close, verified within 30 days.
24/7 monitoring + incident response
On-call rotation. Documented incident response with notification SLAs. Public status page. Quarterly disaster recovery drills.
What we collect, where it lives.
Account + workspace metadata
Stored in US or EU (your choice) for the lifetime of your account.
Comments + screenshots
Stored in US or EU (your choice) for the lifetime of your project.
Browser context (errors, viewport)
Stored in US or EU (your choice). Retained 90 days, then aggregated.
Audit logs
US or EU (your choice). Retained 2 years; Enterprise: 7 years.
Backups
Same region, multi-AZ. Rolling 30-day retention.
Deleted data
Hard-deleted and verified within 30 days of workspace close.
Certifications your procurement team knows.
- ✓ SOC 2 Type II
- ✓ ISO 27001:2022
- ✓ GDPR compliant
- ✓ CCPA compliant
- ✓ HIPAA available
- ✓ EU DPA + SCCs
What enterprises ask first.
Where is data stored?
You choose US or EU at workspace creation. Region pinning is enforced at the database tier, not just the application layer.
Is OkFlow SOC 2 certified?
Yes. OkFlow holds a SOC 2 Type II report. We share it under NDA with enterprise customers and procurement teams on request.
Can we get a custom DPA?
Yes. Standard DPA is available immediately. Custom MSA + SCCs are supported. Sub-processor list is maintained publicly.
How quickly do you respond to security questionnaires?
We turn around security questionnaires in 5 business days. A vendor risk packet (pen test summary, DPA template, and sub-processor list) is ready to share on request.
Does the browser extension read sensitive data?
No. The extension activates only when you trigger it explicitly. It never reads passwords, cookies, or auth tokens. Per-workspace domain allowlists are available for IT governance. The manifest is open-source.
Bring the trust packet to your next review.
Download our latest SOC 2 report, security whitepaper, and DPA template, or talk to our security team directly.