Userflow SecurityAt Userflow, security is our absolute highest priority. In the spirit of openness and transparency, here are some of the security measures we take to protect and defend the Userflow platform.
SOC 2 Type 2 CompliantTo prove our high commitment to strong security, availability and privacy, we have gone through SOC 2 Type 2 certification with the help of Drata and Johanson Group LLP.
We protect your dataAll data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure.
Your users’ data never leaves our serversWe distinguish between data about your users and data about you, yourself. While, for example, your billing information is shared with Stripe, and your profile is accessible to us in our help desk software, any data about your users are never shared with any external providers, and never leaves our server cluster hosted with Google Cloud Platform.
We don’t collect information from your users’ browsersWhen Userflow.js is installed in your app, the only information that’s required to be sent to Userflow is the current user’s ID (or a hash of the ID, if you don’t want to share the ID either). Any user attributes you want to include is completely in your control. By default, Userflow also tracks page views including the current URL, but this can be turned off.To be perfectly clear: Userflow does not collect any information from your users’ browsers. All logic such as “whether an element is present” or “what the value of a text input is” is handled 100% client-side and never leaves the browser.
Encrypting data in transitWhenever your data is in transit between you (or your users) and us, everything is encrypted, and sent using HTTPS.During a user agent’s (typically a web browser) first site visit, Userflow sends a Strict Transport Security Header (HSTS) to the user agent that ensures that all future requests should be made via HTTPS even if a link to Userflow is specified as HTTP. Additionally, we use HSTS preload, guaranteeing that requests are never – not even the very first – made over a non-encrypted connection. Cookies are also set with a secure flag.
Encrypting data at restAny files that you upload to us are stored and are encrypted at rest using Google Cloud Storage.Flows/tour content, user attributes and events is stored in our Google Cloud SQL instance (Postgres), which also uses encryption at rest.Our backups of your data are likewise encrypted.
Hosted on Google Cloud PlatformUserflow is hosted on Google Cloud Platform. Our database is managed by Google Cloud SQL, ensuring redundancy, high availability and trustworthy automated, encrypted backups.Google Cloud Platform is certified for a growing number of compliance standards and controls, and undergoes several independent third party audits to test for data safety, privacy, and security. Read more about the specific certifications on the GCP compliance page.
Concurrency and rate limitingWe employ several layers to protect against abuse and DoS attacks, such as concurrency limiting (limits number of active requests) and rate limiting (limits number of requests over time). Our servers gracefully queue requests when under high load, and handles them at a safe pace.
Organizational practicesWe operate under the principle of least privilege: Employees are assigned the lowest level of access that allows them to do their work.
Two-factor authentication is enforced in all sensitive systems.
All employees are required to use approved password managers (like Lastpass or 1Password) to generate and store strong passwords that are never reused.
All employees are required to encrypt local hard drives and enable screen locking for device security.
All access to application admin functionalities is restricted to a small subset of Userflow staff.
We never store customer data on personal devices (like laptops).
Two-factor authentication is enforced in all sensitive systems.
All employees are required to use approved password managers (like Lastpass or 1Password) to generate and store strong passwords that are never reused.
All employees are required to encrypt local hard drives and enable screen locking for device security.
All access to application admin functionalities is restricted to a small subset of Userflow staff.
We never store customer data on personal devices (like laptops).
Development practicesAll code changes are thoroughly tested through our Continuous Integration software.
All code changes is tested in a staging environment before deploying to production.
We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
We use several tools and services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies.
Logs are permanently deleted after 14 days.
All code changes is tested in a staging environment before deploying to production.
We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
We use several tools and services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies.
Logs are permanently deleted after 14 days.
Penetration testingOn top of our development-related continuous testing, we also conduct periodic third-party manual penetration testing of both our application and infrastructure. You can request a copy of our latest report at security@userflow.com.
Regularly-updated infrastructureOur software infrastructure is updated regularly with the latest security patches. Our products run on a dedicated network which is locked down with firewalls and carefully monitored. While perfect security is a moving target, we work with security researchers to keep up with the state-of-the-art in web security.
We protect your billing informationAll credit card transactions are processed via Stripe using secure encryption—the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely on a PCI-Compliant network.
Have a concern? Need to report an incident?Have you noticed abuse, misuse, an exploit, or experienced an incident with your account? Send urgent or sensitive reports directly to security@userflow.com. We’ll get back to you as soon as we can, usually within 24 hours. Please follow up if you don’t hear back. For requests that aren’t urgent or sensitive: submit a support request.Keeping customer data safe and secure is a huge responsibility and a top priority. We work hard to protect our customers from the latest threats. Your input and feedback on our security is always appreciated.
Additional policiesAcceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy
Data Deletion Policy
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Data Classification Policy
Data Deletion Policy
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Life Cycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Ready to put these
ideas into practice?Userflow helps teams design, deliver, and improve in-app experiences across onboarding,
adoption, and support, without engineering bottlenecks
ideas into practice?Userflow helps teams design, deliver, and improve in-app experiences across onboarding,
adoption, and support, without engineering bottlenecks
Product adoption insights, straight to your inbox
Practical tips, real examples & best practices for building better in-app experiences.
Practical tips, real examples & best practices for building better in-app experiences.
Enter your email
By subscribing, you agree to receive product and content emails from Userflow. Unsubscribe anytime.© 2026 Userflow
Privacy PolicyTerms of ServiceCookies Settings
Product