CleanFlow Security Statement
Last updated: 15 July 2026.
Security is a shared responsibility. This statement describes the controls built into CleanFlow and the actions customers must take. It is not a certification or guarantee of uninterrupted service.
Platform controls
- authenticated access with server and database authorisation checks;
- tenant-scoped data design and row-level security policies;
- role-based permissions for managers, finance, compliance and frontline users;
- TLS encryption in transit and managed-provider safeguards for data at rest;
- audit trails for material actions and commercial/legal acceptance;
- signed Stripe webhooks and product-scoped checkout metadata;
- upload validation, security logging, backups and recovery procedures; and
- dependency, vulnerability and incident-management processes.
Customer responsibilities
Customers must assign least-privilege roles, remove leavers promptly, protect devices and credentials, review location/photo permissions, validate imports and exports, and report suspected compromise immediately. Do not send passwords or payment card details to support.
Reporting
Report a suspected vulnerability privately to cleanflowsupport@novastacks.co.uk with steps to reproduce and avoid accessing data that is not yours. We will acknowledge and triage good-faith reports and ask that details are not disclosed until a fix can be prepared.
