Security Policy

1. Our Commitment

Security is fundamental to LoanFlow. We handle sensitive mortgage data and take every precaution to protect it.

2. Data Encryption

• All credentials encrypted with Fernet symmetric encryption
• HTTPS/TLS for all data in transit
• Passwords hashed with Werkzeug
• HubSpot tokens encrypted at rest

3. Access Controls

• Complete tenant data isolation
• Every database query scoped to tenant
• Role-based access control
• Brute force protection (5 attempts then 15 minute lockout)
• Session expiry after 24 hours
• CSRF tokens on all forms

4. Audit Logging

• All logins logged with IP address
• Failed login attempts tracked
• Admin actions logged
• Plan changes logged
• Security events captured

5. Infrastructure

• Hosted on Railway cloud platform
• Automated daily backups
• Rate limiting on all API endpoints
• Security headers on all responses

6. Vulnerability Disclosure

If you find a security issue:

• Email: info@quantiumtechnologies.com
• Subject: Security Vulnerability Report
• We respond within 24 hours

7. Subprocessors

• Railway — Cloud hosting
• ICE Mortgage Technology — LOS API
• HubSpot Inc. — CRM API
• Anthropic — AI processing
• GoDaddy (Microsoft 365) — Email