Skip to content
Security

Security and trust at AgencyFlow

Agencies hold sensitive client work. AgencyFlow is built around the access control, identity, and audit requirements that procurement and IT teams review, with controls designed for SOC 2 workflows.

SOC 2-ready

Built around SOC 2 control workflows

GDPR-aligned

DPA and data-subject request support

SAML SSO

Okta, Entra ID, Google

SCIM 2.0

Automated provisioning

AES-256

Encryption at rest

MFA enforced

Workspace-level policy

Badges describe AgencyFlow product capabilities and security posture. They do not represent a completed third-party audit or certification.

Access & identity

Role-based access control

Workspace, team, project, and client roles with granular permissions down to the field and action level.

SSO and SAML

Single sign-on through your identity provider with SAML 2.0, so staff use the credentials they already have.

SCIM provisioning

Automatic user provisioning and deprovisioning keeps access in sync as people join, move, or leave.

Enforced MFA

Require multi-factor authentication for staff at the workspace level, with session and device controls.

Immutable audit logs

Every approval, file change, and permission edit is recorded with actor, timestamp, IP, and source.

Encryption in transit and at rest

Data is encrypted with TLS 1.2+ in transit and AES-256 at rest, with configurable retention.

Client access controls

Scoped portals expose only the projects, files, and invoices each client is explicitly granted.

Data export and portability

Full workspace export on demand in open formats, with regional storage options for residency.

Role scopes

OwnerFull workspace, billing, security
AdminMembers, integrations, automations
ManagerProjects, approvals, financials
MemberAssigned projects and tasks
ClientGranted portals only

Data handling

Encryption

TLS 1.2+ in transit and AES-256 at rest across all customer data and file storage.

Infrastructure

Hosted on hardened cloud infrastructure with network isolation and least-privilege access.

Backups & retention

Automated backups with configurable retention and on-demand workspace export.

Responsible disclosure

Found a potential vulnerability? We welcome reports from security researchers and aim to acknowledge them within two business days.

security@agencyflow.com