Security & Trust

Flaggy is built so that the most sensitive data — your users — never reaches us. Flags evaluate locally in your SDK, so there's no stream of per-user requests to secure in the first place. Here's how we handle the data we do hold.

We never see your users

Flags are evaluated client-side in your SDK. Flaggy never processes or stores individual user evaluations — there is no per-user data flowing to our servers to begin with.

Keys are hashed before storage

When the SDK records flag analytics, the entity key in your evaluation context is hashed before it is stored. We retain aggregate evaluation data, not raw identifiers.

Encrypted in transit and at rest

All traffic to Flaggy is served over TLS. Flag rules, configuration, and account data are encrypted at rest.

Least-privilege access

Access to production systems is restricted to the engineers who need it, and every flag and configuration change is captured in an immutable audit log.

Sub-processors

We use a small number of trusted third parties to operate the service. We do not sell your data.

Provider   | Purpose                                       | Region
Cloudflare | Application hosting, CDN, and DDoS protection | Global edge
Stripe     | Payment processing and billing                | United States / EU

Compliance & data requests

GDPR & DPA. Because flags evaluate client-side, Flaggy processes minimal personal data. A Data Processing Agreement is available to customers on request — email [email protected].

SOC 2. A formal SOC 2 program is on our roadmap. If your procurement process requires it, get in touch and we'll share where we are and what we can provide in the meantime.

Enterprise controls. SSO/SAML, custom audit-log retention, an SLA, and a self-hosted deployment option are part of our Enterprise roadmap.

Reporting a vulnerability

If you believe you've found a security issue, please email [email protected] with the details. We'll acknowledge your report, investigate promptly, and keep you updated on the fix. We appreciate responsible disclosure and won't pursue action against good-faith research.