Security

Security isn't a feature here. It's the foundation.

ml-connector moves the data that runs your business between the systems that run your business. Every decision we make protects it: encrypted everywhere, isolated per customer, verified on every request, and logged end to end.

Encrypted at rest · Encrypted in transit · Isolated per customer · Append-only audit trail

Encrypted end to end

Every credential and field mapping is encrypted before it ever reaches our database, using libsodium authenticated encryption, whose primitives are trusted across the security industry. Each customer's data is sealed with its own dedicated key. In transit, everything travels over TLS, and your database and job queue have no public internet exposure at all. At no point, at rest or in flight, does your sensitive data sit in the clear.

A private environment for every customer

We run what we call a cell-of-one architecture. Every paying customer gets a dedicated, isolated environment: its own database, its own job queue, its own background worker, and its own encryption key. Nothing is shared and nothing is commingled. With no shared tables to cross, one customer's data simply cannot reach another's.

Credentials no one can read back

The API keys and passwords you connect are decrypted only at the exact moment a flow runs. They are never cached and never written to logs; passwords, secrets, tokens and keys are automatically redacted from log output. Once saved, a credential can be rotated or replaced, but it is never shown again to anyone, including you. What is never displayed cannot leak from a screen or a log.

Hardened authentication

Account passwords are hashed with scrypt, a deliberately memory-hard algorithm designed to defeat brute-force cracking. Sessions ride in signed, http-only, strict same-site cookies. Internal service-to-service calls authenticate with bearer tokens compared in constant time, so an attacker learns nothing from how long a comparison takes.

Signed, verified webhooks

Every inbound webhook is verified with an HMAC signature using a constant-time comparison hardened against timing and length attacks. A request with a missing or invalid signature is rejected outright. We return a 401, never a silent success that would let a forged event through. Bad data never makes it into your systems.
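
The check described above, sketched as an added example; this is not ml-connector's own code. The header name X-Signature, the hex-encoded HMAC-SHA256 scheme, the function names and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the page): hex HMAC-SHA256 over the raw request body,
# carried in a header named X-Signature. Header lookup is case-sensitive here
# for brevity; a real framework normalises header names.
SIGNATURE_HEADER = "X-Signature"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: hex HMAC-SHA256 of the exact bytes on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver side: True only for a present, well-formed, matching signature."""
    presented = headers.get(SIGNATURE_HEADER)
    if not presented:
        return False  # a missing signature is a failure, never a pass-through
    try:
        presented_raw = bytes.fromhex(presented)
    except ValueError:
        presented_raw = b""  # non-hex input is treated as malformed
    expected_raw = hmac.new(secret, body, hashlib.sha256).digest()
    # Length hardening: always compare two DIGEST_LEN-byte values, so a short,
    # long or malformed header goes through the same comparison as a wrong one.
    well_formed = len(presented_raw) == DIGEST_LEN
    if not well_formed:
        presented_raw = bytes(DIGEST_LEN)
    matches = hmac.compare_digest(presented_raw, expected_raw)
    return well_formed and matches


def handle_webhook(secret: bytes, body: bytes, headers: dict) -> int:
    """Return the HTTP status: 401 on any verification failure, 200 otherwise."""
    if not verify(secret, body, headers):
        return 401
    # Only after verification is the body parsed and work enqueued.
    return 200
```

The signature is computed over the raw body bytes, so verification has to run before any JSON parsing or re-serialisation changes them.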

A complete audit trail

Every meaningful action (a credential created, rotated or deleted, a flow changed, a webhook received and processed) is written to an append-only audit log scoped to your workspace. You always have a precise, ordered record of what happened, when, and to what.

Safe by design inside your systems

Integrations are where real-world damage happens, so we engineer against it. Idempotency keys and de-duplicated jobs ensure a retry never double-posts a bill or an order. Where a system supports OAuth 2.0 we use it, refreshing tokens and storing them encrypted instead of holding long-lived passwords.

Backups and recovery

We built an encrypted backup engine, so every backup is encrypted before it leaves the database using the same authenticated encryption that protects your credentials. We treat your connected systems as the authoritative system of record for your data.

Have a harder security question?

We're happy to walk your team through our architecture and controls in detail.