Security is architecture, not a checkbox.
FlagDrop is designed so your sensitive data never has to leave your infrastructure.
Your flag evaluations never leave your cloud
FlagDrop pushes static config files to your own S3, GCS, or Azure Blob Storage bucket. Your SDKs read locally. No evaluation data is ever sent to FlagDrop servers — we are the control plane, not the data plane.
TLS in transit, AES-256 at rest in your bucket
All communication between the FlagDrop dashboard and API uses TLS 1.3. Config files pushed to your cloud storage inherit your bucket encryption settings — AES-256 by default on all major cloud providers.
Clerk-powered auth, RBAC, API key scoping
Authentication is powered by Clerk with SSO support. Role-based access control lets you scope permissions per project and environment. API keys are scoped to specific projects with configurable read/write permissions.
PostgreSQL Row-Level Security, zero cross-org data access
Every database query is filtered through PostgreSQL Row-Level Security policies. There is no application-level filtering to bypass — isolation is enforced at the database engine level.
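What engine-level tenant isolation of this kind looks like in PostgreSQL, as an added example that is not FlagDrop's own schema or code. The table `flags`, the role `app_user`, the session setting `app.current_org` and the UUIDs are hypothetical names and constructed values.

```sql
-- Hypothetical names throughout; run as a superuser in a scratch database.
CREATE ROLE app_user NOLOGIN;  -- role the API runs as: no SUPERUSER, no BYPASSRLS

CREATE TABLE flags (
    id      bigserial PRIMARY KEY,
    org_id  uuid    NOT NULL,
    key     text    NOT NULL,
    enabled boolean NOT NULL DEFAULT false,
    UNIQUE (org_id, key)
);
GRANT SELECT, INSERT, UPDATE, DELETE ON flags TO app_user;
GRANT USAGE ON SEQUENCE flags_id_seq TO app_user;

ALTER TABLE flags ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner is exempt from every policy on the table.
ALTER TABLE flags FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK validates
-- rows that are written. With the setting unset or empty the comparison is
-- NULL, so no row matches and the policy fails closed.
CREATE POLICY org_isolation ON flags
    FOR ALL TO app_user
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Request for org A: the tenant id is bound per transaction, not per connection,
-- so a pooled connection cannot carry it over to the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO flags (org_id, key, enabled)
VALUES ('11111111-1111-1111-1111-111111111111', 'new-checkout', true);
COMMIT;

-- Request for org B: the same unfiltered query is scoped by the engine, and a
-- write that names org A's id is refused by WITH CHECK.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org = '22222222-2222-2222-2222-222222222222';
SELECT key, enabled FROM flags;
ROLLBACK;

-- Audit checks: RLS must be enabled and forced on every tenant table, and the
-- application role must not appear among the roles that bypass it.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relname = 'flags';
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Superusers and roles with `BYPASSRLS` are never subject to policies, so the two audit queries are the part worth running against any deployment that makes this claim.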
SOC 2 Type II (in progress), GDPR compliant
We are actively pursuing SOC 2 Type II certification. FlagDrop is GDPR compliant by architecture — we process minimal personal data, and flag evaluation data stays entirely in your infrastructure.
Report a vulnerability
Found a security issue? We take every report seriously. Please email us at security@flagdrop.io with details and we will respond within 24 hours.