Trust & Security
Last updated June 9, 2026
FormDFlow is operated by Sleet Labs LLC. FormDFlow converts public SEC Form D disclosures into filtered B2B lead alerts. Because our source data is drawn entirely from public SEC EDGAR filings, the only non-public information we hold about you is your account, billing, and filter-configuration data. Our security program is built around that reality: protect the account and configuration data we hold, and operate the surrounding service on hardened, professionally managed infrastructure. This page describes the controls and practices currently in place.
Secure development and testing
Security is built into how we design, write, and ship software. Every code change is peer-reviewed before it is merged to production. Our continuous-integration pipeline runs static application security testing (SAST), software-composition and dependency-vulnerability scanning, and secret-exposure scanning on every pull request and on a recurring schedule; builds fail when new high-severity issues are detected. We perform dynamic application security testing (DAST) against running environments and keep our dependencies patched, with continuous monitoring for newly disclosed advisories.
We also conduct regular security assessments of the live application that combine automated tooling, manual review, and AI security agents that probe the application the way an adversary would. These assessments are currently performed internally and with AI-driven tooling; we do not yet engage a third-party penetration-testing firm, and we make no claim of an external attestation. Our most recent assessment was completed in May 2026, and all identified findings were remediated and re-verified.
Access controls and authentication
Access to customer data is governed by role-based access control and the principle of least privilege: staff and contractors are granted only the access their role requires, and nothing more. Customer data is isolated at the database layer using row-level security with a strict service-role boundary, so one organization’s records can never be read by another.
Internal access to our systems requires single sign-on with mandatory multi-factor authentication (MFA) and is subject to a strong password policy. Endpoint detection and response (EDR) is deployed on all employee and contractor devices. We follow documented onboarding and offboarding procedures that provision access at the start of an engagement and promptly revoke it on role change or departure.
Customers sign in to FormDFlow using Google OAuth or email-and-password authentication with email verification. Passwords are never stored in plaintext; credential handling is performed by our managed authentication provider (see Sub-processors).
Managed infrastructure and data protection
FormDFlow runs on vetted, professionally managed cloud providers rather than self-managed servers. Our application is hosted on Vercel’s global edge network, which provides TLS termination and automatic DDoS mitigation; our database and authentication run on Supabase (managed PostgreSQL); payments are handled by Stripe; and transactional and digest email is delivered through Resend. The full, maintained list of providers is published on our Sub-processors page.
All data is encrypted in transit using TLS, and customer data is encrypted at rest by our database and payment providers (Supabase/PostgreSQL and Stripe). Customer account, billing, and configuration data is held only within these managed providers — we do not copy or store it elsewhere. Payments are processed by Stripe, a PCI-DSS Level 1 service provider, and we never store full payment-card numbers. Application secrets and credentials are kept out of source control, enforced by automated secret scanning in our pipeline. Web responses are hardened with a Content Security Policy, cross-site request forgery (CSRF) origin checks on state-changing endpoints, and minimized server fingerprinting.
Compliance status
FormDFlow does not currently hold a SOC 2 or ISO/IEC 27001 certification, and we do not represent otherwise. On request, we can provide a summary of our most recent security assessment under a non-disclosure agreement; please contact support@formdflow.com or use our contact form.
Responsible disclosure
We welcome reports from security researchers and are committed to working with the community to keep FormDFlow and our customers safe.
How to report
Please send security reports to support@formdflow.com. The same contact is published, in machine-readable form, at /.well-known/security.txt. To help us triage quickly, include a clear description of the issue, the affected URL(s) or component, step-by-step reproduction instructions, and the name or handle you would like credited.
Our commitments
When you report in good faith under this policy, we will work with you to resolve the issue. We aim to acknowledge your report within 48 hours, keep you informed as we investigate, and prioritize confirmed critical issues for expedited remediation (our target is within 7 days, depending on severity and complexity). With your permission, we will credit you once the issue is resolved. These timeframes are good-faith targets, not contractual guarantees or a service-level commitment.
Safe harbor
We consider security research conducted in good faith and consistent with this policy to be authorized conduct. To that extent, we will not pursue or support legal action against you — including under the Computer Fraud and Abuse Act or comparable state laws — for that research, provided that you: act in good faith and stop once you have a viable proof of concept; avoid privacy violations, the destruction or alteration of data, and any degradation or interruption of our service; do not access, modify, or retain data belonging to other users or customers, and if you inadvertently encounter such data, stop, do not store or disclose it, and report it to us promptly; give us a reasonable opportunity to remediate before any public disclosure; and otherwise comply with all applicable laws.
This authorization covers only FormDFlow’s own systems and services. It does not extend to our third-party providers (for example our hosting, database, payment, and email providers), which are governed by their own policies and terms — please do not test them under this policy. We can speak only for FormDFlow: this policy does not bind, and is not a waiver of the rights of, any third party, and it does not cover conduct that falls outside it. If you are unsure whether a specific test is authorized, email support@formdflow.com before proceeding.
Out of scope
Consistent with the safe harbor above, this policy does not authorize testing of our third-party providers’ systems (for example Vercel, Supabase, Stripe, and Resend) — report any issue in those services directly to the provider. In addition, the following are out of scope and not authorized: denial-of-service or volumetric/load testing; social engineering of our staff, customers, or vendors, and physical attacks; and spam, content or UI injection, or reports with no demonstrated security impact.
Bug bounty
A paid bug-bounty program is on our roadmap. Until it launches we do not offer monetary rewards, but we gratefully acknowledge researchers who responsibly disclose valid issues.
For how we handle your personal data, see our Privacy Policy; for the terms governing your use of the service, see our Terms of Service.