At Flock, we take security very seriously. We use the best industry practices available to make sure that Flock is secure.
SOC 2 Compliant
Flock is now SOC 2 compliant. This means Flock follows very strict, best-in-class, audited processes to ensure the safety and integrity of user information.
All traffic between Flock clients and servers is encrypted using TLS 1.2, the industry standard for securing communications over the Internet. AES is our preferred cipher for encrypting all communication, and where available, perfect forward secrecy is used to protect against compromise of long-term private keys.
Data Center Security
Our servers are hosted in the cloud by Amazon's AWS web services. The AWS cloud infrastructure is designed for security, constantly monitored, highly available and highly accredited. More details can be found on the AWS Cloud Security Page.
One of our driving principles with regards to privacy is that any message that you send on Flock should only be visible to participants in that conversation and no one else. As a result, no third person can access messages exchanged in a one-to-one conversation, and only members of a private channel have access to messages exchanged in that private channel.
Apart from your name and profile picture, which is available to the public, all other profile data is only visible to users within your organization.
Secure by Design
All our software is designed from the ground up to be secure. Care has been taken to minimize impact in case a security vulnerability is discovered.
Our security assurance process ensures that security requirements have been established for all software used in Flock, whether on the client or on the server. Security requirements are established for software development and operations & maintenance processes. Each code review includes an evaluation of the security requirements. We regularly perform an evaluation of software security and requirements.
Strict controls have been placed over employees' access to user data. From time to time, for debugging purposes, we might need to access sensitive user data. Any such access only takes place after obtaining consent from the affected users, and an audit entry is generated for each access. A very limited number of employees have permission to access sensitive user data.