Enterprise Security for Every Firm
Your clients trust you with their most sensitive information. We take that responsibility seriously.
SOC2 Type II Certified
Built with Security at Every Layer
Flextract is SOC2 Type II certified, meaning our security controls have been independently audited and verified over time—not just at a single point.
This certification demonstrates our commitment to:
- Security — Protecting your data from unauthorized access
- Availability — Ensuring reliable access when you need it
- Confidentiality — Keeping your information private
Data Protection
Encryption
- AES-256 encryption at rest for all databases and file storage
- TLS 1.3 encryption for all data in transit
- Encryption keys managed with automatic rotation
Access Controls
- Role-based access control (RBAC) with principle of least privilege
- Multi-factor authentication (MFA) required for all accounts
- Quarterly access reviews to ensure proper authorizations
AI Security & Data Privacy
- Enterprise AI models only—not consumer ChatGPT
- Your data is NEVER used to train AI models
- Data processed and deleted—not stored by AI providers
Infrastructure & Monitoring
- Hosted on AWS and GCP with multi-region redundancy
- 24/7 monitoring with CloudWatch/CloudTrail and security agents
- Customer data logically separated with unique identifiers
Frequently Asked Questions
Your data is stored on Amazon Web Services (AWS) and Google Cloud Platform (GCP) infrastructure in the United States, with replication across multiple regions for redundancy and disaster recovery. All data is encrypted at rest using AES-256 and in transit using TLS 1.3.
We retain your data for as long as your account is active. You can delete individual documents or client records at any time. After account closure, data is retained for 90 days before permanent deletion.
Yes. You can delete individual documents, client records, or request complete account deletion at any time through your account settings or by contacting support. Data will be permanently removed in accordance with our retention policy.
No. Your data is NEVER used to train AI models. We use enterprise AI services with strict data processing agreements. Your information is processed and then deleted by our AI providers—it is never stored or used for model training.
We have incident response procedures in place and test them annually. In the event of a breach involving sensitive customer information, we will notify affected firms within 72 hours in accordance with SEC Regulation S-P service provider requirements, enabling you to meet your own notification obligations. We provide detailed information about the incident and remediation steps.
Employee access to production data is disabled by default and requires explicit approval on a case-by-case basis. All access is logged, monitored, and reviewed quarterly to ensure it remains appropriate.