Security at Flaggity

Every request between your browser, our API, and our database is encrypted using TLS 1.2 or higher. Plain-HTTP traffic to the production domain is automatically redirected to HTTPS, and all internal service-to-service calls stay inside an encrypted private network.

Account records, inspection metadata, NCRs, CAPAs, and audit history are stored in a managed MongoDB cluster with encryption at rest (AES-256). Inspection photos, generated PDFs, and certificates are stored in Emergent Object Storage — each object is scoped to the account that uploaded it and is likewise encrypted on disk.

• Passwords are hashed with bcrypt (cost factor tuned for current hardware). The plaintext password never touches our database or logs.
• Signed-in sessions use short-lived JWT access tokens paired with a rotating refresh token set as a HttpOnly, Secure cookie.
• Tokens expire automatically after a period of inactivity, forcing a fresh login. Logging out revokes the refresh token immediately on the server side.
• Repeated failed login attempts are rate-limited at the IP and email level to defeat credential stuffing and brute-force attacks.

Each facility's data is fully isolated at the application layer. Every query made by the API is scoped to the requesting user's tenant — you can only see inspections, reports, certificates, NCRs, CAPAs, welders, and projects that belong to your own account. Role-based controls further restrict what inspectors, admins, and managers can do inside a tenant (e.g. only admins can change billing or invite team members).

Superadmin operations that cross tenant boundaries (for support or fraud response) are logged to an immutable audit trail and require a separate, environment-bound credential that is not reachable via the regular user API.

When you click Analyze, the relevant photos are sent to Flaggity AI — our inspection analysis engine, powered by enterprise third-party AI infrastructure — over an encrypted channel. The AI returns the defect list, severity, and cited ISO / AWS / OSHA clauses, which are then stored alongside your inspection.

Photos sent to Flaggity AI are processed only to produce the requested analysis. Your images are never used to train external or general-purpose AI models, and inputs are discarded by the underlying processor after the analysis completes.

We run automated daily backups of the primary database with a 30-day retention window. Backups are encrypted, stored in a separate region from the live workload, and periodically test-restored to a staging environment so we know they actually work when we need them.

Flaggity is hosted on enterprise-grade cloud infrastructure with autoscaling, health checks, and automatic failover on the application layer. We target a 99.9% monthly uptime for the production API and customer dashboard. Real-time status and past incidents are communicated to affected accounts by email.

We welcome good-faith security research. If you believe you have found a vulnerability in Flaggity, please email security@flaggity.com with a description and clear reproduction steps. Please give us a reasonable window to investigate and remediate before public disclosure — we will acknowledge your report within 3 business days and keep you updated through the fix.

Please do not run automated scanners, denial-of-service tests, or social-engineering attacks against our staff or customers.

Flaggity is actively working toward SOC 2 Type II certification. Controls covering access management, change management, backup, and incident response are already in place; the formal attestation window is underway.

Enterprise customers who need compliance documentation — a security questionnaire response, DPA, sub-processor list, or an evidence pack for their own audits — should contact support@flaggity.com and we will route the request to our security team.

General security or privacy questions: support@flaggity.com.
Vulnerability reports: security@flaggity.com.