Security & Privacy

How Florality protects your system data - from sign-in and sharing controls to API access and exports.

  • No selling or renting your personal or system data
  • No AI training or sharing your data with AI providers
  • TLS encryption for data in transit
  • Scoped API keys with per-resource access controls
  • Granular privacy buckets for what you share

Your data stays yours

Florality is built for systems who need a safe home for sensitive information. We do not sell, rent, or trade your data.

Encrypted in transit

Connections between your browser and Florality use industry-standard TLS so traffic stays protected on the wire.

Least-privilege by design

Staff access to infrastructure is restricted. API keys are scoped per resource. Privacy buckets control what friends can see.

Built for plural systems

Security is not an afterthought. Member profiles, fronting, notes, and sharing controls are designed around real system privacy needs.

01

Platform & infrastructure

Florality runs on modern cloud infrastructure with monitoring, backups, and secure defaults across the stack.

Encryption in transit

All traffic between your device and Florality is served over HTTPS with TLS. We do not expose dashboard or API endpoints over plain HTTP.

  • TLS for browser sessions and API traffic
  • HTTPS-only remote media and import fetches
  • Secure session handling through our auth provider

Secure hosting & operations

The platform is hosted on managed infrastructure with automated backups and continuous monitoring. Operational access is limited to authorised personnel.

  • Automated backups to protect against data loss
  • Continuous monitoring for availability and anomalies
  • Restricted infrastructure access on a need-to-know basis

02

Account protection

Sign-in and account security are handled by Clerk, with additional controls available directly in your Florality settings.

Strong sign-in options

Protect your account with modern authentication methods. Florality supports password sign-in alongside stronger options managed in Settings → Account → Security.

  • Passkeys for phishing-resistant sign-in
  • Authenticator app (TOTP) two-factor authentication
  • Backup codes for account recovery

03

Sharing & privacy controls

Florality gives you fine-grained control over what information is visible, and to whom, across members, fields, and profile sections.

Privacy buckets

Assign members, groups, directories, custom fields, and profile sections to privacy buckets. Friends only see content that overlaps with buckets they are allowed to access.

  • Per-resource bucket assignments across your system
  • Default buckets for new members, groups, and fields
  • Friend visibility enforced in server-side services

Cookie & analytics consent

Non-essential cookies and analytics are opt-in. You can accept, reject, or customise preferences at any time from the site cookie banner or footer controls.

  • Analytics and preferences cookies require consent
  • Granular controls for preferences vs analytics
  • Full details in our Privacy Policy

04

API & developer security

The Florality Public REST API uses explicit, least-privilege credentials so integrations only get the access you grant.

Scoped API keys

Each API key sets every resource to No access, Read, or Read + Write. There are no wildcards - you choose exactly what each integration can touch.

  • Per-resource none, read, or read_write scopes
  • Bearer token authentication on every API request
  • Full token shown once at creation; dashboard shows masked prefix

Safe remote fetching

When Florality imports remote images or link previews, server-side fetchers block private networks, local hostnames, and non-HTTPS URLs to reduce SSRF risk.

  • SSRF protection via private IP and local hostname blocking
  • HTTPS-only remote URL validation
  • Content-type and size checks on fetched media

05

Data ownership & portability

You control your information. Export it, understand how we use it, and reach us when you have questions.

Clear data ownership

Your system data belongs to you. We process it to provide the service, not to build advertising profiles or sell lists to third parties.

  • We do not sell or rent personal or system data
  • Staff access to user data only when needed for support you request
  • Privacy Policy explains collection, use, and retention
  • We only use your data to make Florality work for you

Export & transparency

Download a comprehensive export of your Florality data from Settings → Export. JSON, CSV, and HTML preview formats are available.

  • GDPR-style export covering members, notes, settings, and more
  • JSON, CSV, and HTML preview download options
  • Self-serve export from your dashboard

06

Billing security

Paid plans and donations are processed by Stripe. Florality does not store your full card details on our servers.

Responsible disclosure

Found a security issue?

If you believe you have found a vulnerability, please report it to vulnerabilities@floralitys.com with enough detail for us to reproduce it. We take reports seriously and will respond as quickly as we can.

Contact support

Your system deserves a secure home

Start free. Control what you share. Export your data whenever you need it.