Legal & compliance centre

Product-specific documents governing CleanFlow. GuardFlow agreements and policies remain separate.

Browse policies

CleanFlow Security Statement

Last updated: 15 July 2026.

Security is a shared responsibility. This statement describes the controls built into CleanFlow and the actions customers must take. It is not a certification or guarantee of uninterrupted service.

Platform controls

  • authenticated access with server and database authorisation checks;
  • tenant-scoped data design and row-level security policies;
  • role-based permissions for managers, finance, compliance and frontline users;
  • TLS encryption in transit and managed-provider safeguards for data at rest;
  • audit trails for material actions and commercial/legal acceptance;
  • signed Stripe webhooks and product-scoped checkout metadata;
  • upload validation, security logging, backups and recovery procedures; and
  • dependency, vulnerability and incident-management processes.

Customer responsibilities

Customers must assign least-privilege roles, remove leavers promptly, protect devices and credentials, review location/photo permissions, validate imports and exports, and report suspected compromise immediately. Do not send passwords or payment card details to support.

Reporting

Report a suspected vulnerability privately to cleanflowsupport@novastacks.co.uk with steps to reproduce and avoid accessing data that is not yours. We will acknowledge and triage good-faith reports and ask that details are not disclosed until a fix can be prepared.