Security Statement - FlowFuse

Security aspects of FlowFuse are divided up into three sections;

  1. Application level
  2. FlowFuse configuration
  3. Organisation


FlowFuse architecture is described on our documentation.

User sessions

Users are identified by an unique combination of username and password, or by a SAML compliant server for Single Sign-on.

User provisioning is on a per user basis.

Multi-factor authentication

FlowFuse support Multi-factor authenication (MFA), also known as 2-factor authentication (2FA) for its users once the user has this configured.

FlowFuse Configuration

Configuration of the FlowFuse application influences security aspects of the system at large. For each section the implementation of FlowFuse Cloud is mentioned too. For self managed installs we advise to follow the choices made by FlowFuse Cloud.

Data storage

Data at Rest

All user data is stored in a relational database.

FlowFuse Cloud: Data is stored in a PostgreSQL database. All data is encrypted since October 2022.

Data residency

Long term data storage is depended on the location of the relational database storage.

FlowFuse Cloud: Data is stored in the European Union, specificially Ireland, on AWS eu-west-1.

Data in Transit

Traffic from external sources to the FlowFuse application can be encrypted. When a load balancer is used, the encryption is terminated on the edge. Internal traffic is not encrypted.

FlowFuse Cloud: Data in transit to and from external sources is protected with SSL/TLS. Encryption is terminated at the edge, both for HTTP and MQTT traffic.

Adding internal SSL/TLS is being investigated.

Inter project communication

Communication between a teams projects is MQTT based. Traffic can be encrypted based on the broker configuration.

FlowFuse Cloud: Inbound and outbound traffic is send encrypted to FlowFuse. The encryption is terminated at the load balancer. Internal traffic is not encrypted.

Service endpoints

It's recommended to run the FlowFuse application and the flow runtimes on different domains. This will create separation of concerns and enhances security for, among others, cookies.

FlowFuse Cloud: Our SaaS offering has multiple service domains. The corporate website is hosted at The application is served at, while the Node-RED instances are served from *

MQTT traffic is served from as MQTT over WebSockets.


Keeping our customer's data secure is dependant on our internal practises too.


FlowFuse obtained the SOC 2 Type 1 certification, audited by Advantage Partners. Currenlty, Advantage Partners is observing FlowFuse practises for us to obtain SOC 2 Type 1.

Security Governance

FlowFuse has information and data policies, the full list can be found in our handbook.

Most notably for (prospective) customers assessing FlowFuse:

  1. Information Security Policy and Acceptable Use Policy
  2. Data Management Policy
  3. Information security awareness training