Security Statement - FlowFuse

Security aspects of FlowFuse are divided up into two sections, configuration and application level. Application level security aspects apply to both self managed and FlowFuse managed instances.


User sessions

Users are identified by an unique combination of username and password, or by a SAML compliant server for SSO.

User provisioning is on a per user basis.


Configuration of the FlowFuse application influences security aspects of the system at large. For each section the implementation of FlowFuse Cloud is mentioned too. For self managed installs we advise to follow the choices made by FlowFuse Cloud.

Data storage

Data at Rest

All user data is stored in a relational database, which are encrypted by default for all install methods except local.

FlowFuse Cloud: Data is stored in a PostgreSQL database. All data is encrypted since October 2022.

Data residency

Long term data storage is depended on the location of the relational database storage.

FlowFuse Cloud: Data is stored in the European Union, specificially Ireland, on AWS eu-west-1.

Data in Transit

Traffic from external sources to the FlowFuse application can be encrypted. When a load balancer is used, the encryption is terminated on the edge. Internal traffic is not encrypted.

FlowFuse Cloud: Data in transit to and from external sources is protected with SSL/TLS. Encryption is terminated at the edge, both for HTTP and MQTT traffic.

Adding internal SSL/TLS is being investigated.

Inter project communication

Communication between a teams projects is MQTT based. Traffic can be encrypted based on the broker configuration.

FlowFuse Cloud: Inbound and outbound traffic is send encrypted to FlowFuse. The encryption is terminated at the load balancer. Internal traffic is not encrypted.

Service endpoints

It's recommended to run the FlowFuse application and the flow runtimes on different domains. This will create separation of concerns and enhances security for, among others, cookies.

FlowFuse Cloud: Our SaaS offering has multiple service domains. The corporate website is hosted at The application is served at, while the Node-RED instances are served from *

MQTT traffic is served from as MQTT over WebSockets.