Security & data handling
What we store, where it lives, and who processes it. Written for the reviewer who has to sign off on a subscription — plainly, without badge inflation.
What data Port Flow processes
The product runs on public AIS data (vessel positions, static voyage data) and derived analytics. None of that is personal data.
Personal data we do process: account email and name (authentication), billing details (handled by Stripe — card numbers never touch our servers), alert configurations, and standard web logs.
Encryption
All traffic is TLS 1.2+ end to end (Cloudflare edge + Let's Encrypt at origin). Data at rest lives on encrypted volumes (LUKS-encrypted block storage on our EU host). Secrets are stored in environment configuration, never in the repository.
GDPR posture
Port Flow is operated from France by OCTOPODUS (Laurent Guglielmetti EI, SIREN 491 489 654) and hosted in the EU. Account and billing data are processed under Art. 6(1)(b) (contract performance).
Deletion: close your account and every associated record (alerts, integrations, subscription state) is removed; Stripe retains invoices for statutory accounting periods. Export or deletion requests: [email protected]. A signed DPA is available on request for paid plans.
Subprocessors
- DigitalOcean (EU) — application hosting and database
- Cloudflare — CDN, TLS, DDoS protection, web analytics
- Clerk — authentication
- Stripe — payments and invoicing
- Sentry — error monitoring (scrubbed of personal data)
- Resend (EU sending region) — transactional email and briefs
- Zoho Mail (EU) — support mailbox
What we don't claim
No SOC 2 or ISO 27001 certification yet — Port Flow is a deliberately small operation, and we'd rather state that plainly than imply otherwise. What you get instead: a documented methodology, a public accuracy benchmark, a public status page, and a founder you can reach directly.