Security
Technical details about how HiveFlow protects your data and infrastructure.
Architecture Overview
+----------------------------------------------------------+
| CLIENT LAYER |
| Browser (React) | Desktop (Electron) | Extension | MCP |
+--------+-----------------+-----------------+--------+----+
| | | |
+-----------------+--------+--------+--------+
| HTTPS/WSS + JWT
v
+----------------------------------------------------------+
| VERCEL CDN (app.hiveflow.ai) |
| Static assets only - NO client data |
+----------------------------+-----------------------------+
| API Calls
v
+----------------------------------------------------------+
| COMPUTE - AWS / GCP / Azure / Oracle / Railway |
| |
| +--------+ +----------+ +------+ +--------------+ |
| |Auth MW | |Rate Limit| | CORS | | Credit Check | |
| +--------+ +----------+ +------+ +--------------+ |
| |
| +----------------------------------------------------+ |
| | Flow Orchestrator + Node Processors | |
| +-------------------------+--------------------------+ |
+----------------------------+-----------------------------+
|
+-------------+-------------+
v v v
+----------------------------------------------------------+
| DATA LAYER |
| +---------+ +-------+ +---------+ +--------------+ |
| | MongoDB | | Redis | | Object | | E2B Sandbox | |
| | Atlas | | Cache | | Storage | | (microVM) | |
| |(AES-256)| | (TLS) | | (SSE) | | Firecracker | |
| +---------+ +-------+ +---------+ +--------------+ |
+----------------------------------------------------------+
|
| via trackedLLMService (billing + audit)
v
+----------------------------------------------------------+
| LLM PROVIDERS |
| +-----------+ +----------+ +----------------+ |
| | Anthropic | | OpenAI | | AWS Bedrock | |
| | (Claude) | | (GPT) | | | |
| +-----------+ +----------+ +----------------+ |
+----------------------------------------------------------+Encryption
At Rest
- ✓AES-256-GCM with PBKDF2-SHA512 key derivation (10,000 iterations)
- ✓Unique 16-byte random IV per encrypted value
- ✓16-byte authentication tag for integrity verification (GCM)
- ✓MongoDB Atlas native encryption (AWS EBS)
- ✓AWS S3 Server-Side Encryption (SSE-S3)
In Transit
- ✓TLS 1.2+ enforced on all API endpoints
- ✓WebSocket connections upgrade HTTPS → WSS
- ✓Authentication tokens sent post-connection (not in URL)
- ✓All third-party integrations over TLS
Authentication & Access Control
| Mechanism | Details | Status |
|---|---|---|
| JWT Bearer Tokens | Signed tokens, 7-day expiry, server-side revocation on logout & password change, validated on every request | Active |
| OAuth 2.0 | Google & GitHub SSO for web, desktop, and extensions | Active |
| MFA (OTP) | 6-digit code via email, 60s resend cooldown | Active |
| API Keys | hf_ prefix, bcrypt hashed, granular scopes (read/write/execute), expiration | Active |
| Enterprise SSO (SAML/OIDC) | Integration with corporate identity providers | Q3 2026 |
| TOTP (Authenticator) | Google Authenticator / Authy support | Q3 2026 |
Infrastructure Security
Network
- • CORS whitelist (static + dynamic)
- • Rate limiting on authentication (brute-force protection)
- • WebSocket rate limiting (10 conn/IP, 5/user)
- • SSRF protection on outbound requests (private/metadata IPs blocked)
- • Credit-based execution limits
- • Stale connection cleanup (1h timeout)
Code Execution
- • Isolated micro-VMs (E2B / Firecracker)
- • Fail-closed: no in-process fallback — code never runs without an isolated sandbox
- • No server filesystem access
- • 5-minute execution timeout
- • Automatic sandbox cleanup
Data Storage
- • MongoDB Atlas (dedicated cluster)
- • Connection pooling (5-50 connections)
- • Auto-retry for reads and writes
- • Credentials never stored in frontend
- • S3 signed URLs (24h expiration)
Monitoring
- • Winston logging (JSON + timestamps)
- • Real-time WebSocket log streaming
- • Zombie process detection
- • CPU/memory monitoring
- • Orphan process cleanup on startup
Multi-Tenant Isolation
Data & API
- • Every resource scoped by organization
- • Per-request org membership verification
- • Role-based access control (owner / admin / member / viewer)
- • Dedicated-container mode available for isolated deployments
Real-Time (WebSocket)
- • Every event scoped to its owner or authorized flow room
- • Flow-room membership authorized per organization (fail-closed)
- • No cross-tenant broadcast — unscoped events are dropped
- • Authenticated sockets required for any tenant data
Credential Handling
1
User enters credentials (LLM API keys, OAuth tokens) through the UI
2
Credentials transmitted over TLS to backend API
3
Encrypted immediately with AES-256-GCM (unique IV + salt per value) before database storage
4
Decrypted only in-memory during workflow execution — never logged, never cached
5
UI only displays boolean status (hasCredentials: true/false) — actual values never sent to frontend
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly:
- Email: security@hiveflow.ai
- Please include steps to reproduce, impact assessment, and any suggested fixes.
- We commit to acknowledging reports within 48 hours.