Security

Technical details about how HiveFlow protects your data and infrastructure.

Architecture Overview

+----------------------------------------------------------+
|                      CLIENT LAYER                         |
|  Browser (React) | Desktop (Electron) | Extension | MCP  |
+--------+-----------------+-----------------+--------+----+
         |                 |                 |        |
         +-----------------+--------+--------+--------+
                                    | HTTPS/WSS + JWT
                                    v
+----------------------------------------------------------+
|             VERCEL CDN (app.hiveflow.ai)                  |
|          Static assets only - NO client data             |
+----------------------------+-----------------------------+
                             | API Calls
                             v
+----------------------------------------------------------+
|      COMPUTE - AWS / GCP / Azure / Oracle / Railway      |
|                                                          |
|  +--------+  +----------+  +------+  +--------------+   |
|  |Auth MW |  |Rate Limit|  | CORS |  | Credit Check |   |
|  +--------+  +----------+  +------+  +--------------+   |
|                                                          |
|  +----------------------------------------------------+  |
|  |       Flow Orchestrator + Node Processors          |  |
|  +-------------------------+--------------------------+  |
+----------------------------+-----------------------------+
                             |
               +-------------+-------------+
               v             v             v
+----------------------------------------------------------+
|                       DATA LAYER                          |
|  +---------+  +-------+  +---------+  +--------------+   |
|  | MongoDB |  | Redis |  | Object  |  | E2B Sandbox  |   |
|  |  Atlas  |  | Cache |  | Storage |  |  (microVM)   |   |
|  |(AES-256)|  | (TLS) |  |  (SSE)  |  | Firecracker  |   |
|  +---------+  +-------+  +---------+  +--------------+   |
+----------------------------------------------------------+
               |
               | via trackedLLMService (billing + audit)
               v
+----------------------------------------------------------+
|                      LLM PROVIDERS                        |
|  +-----------+    +----------+    +----------------+     |
|  | Anthropic |    |  OpenAI  |    |  AWS Bedrock   |     |
|  |  (Claude) |    |   (GPT)  |    |                |     |
|  +-----------+    +----------+    +----------------+     |
+----------------------------------------------------------+

Encryption

At Rest

  • AES-256-GCM with PBKDF2-SHA512 key derivation (10,000 iterations)
  • Unique 16-byte random IV per encrypted value
  • 16-byte authentication tag for integrity verification (GCM)
  • MongoDB Atlas native encryption (AWS EBS)
  • AWS S3 Server-Side Encryption (SSE-S3)

In Transit

  • TLS 1.2+ enforced on all API endpoints
  • WebSocket connections upgrade HTTPS → WSS
  • Authentication tokens sent post-connection (not in URL)
  • All third-party integrations over TLS

Authentication & Access Control

MechanismDetailsStatus
JWT Bearer TokensSigned tokens, 7-day expiry, server-side revocation on logout & password change, validated on every requestActive
OAuth 2.0Google & GitHub SSO for web, desktop, and extensionsActive
MFA (OTP)6-digit code via email, 60s resend cooldownActive
API Keyshf_ prefix, bcrypt hashed, granular scopes (read/write/execute), expirationActive
Enterprise SSO (SAML/OIDC)Integration with corporate identity providersQ3 2026
TOTP (Authenticator)Google Authenticator / Authy supportQ3 2026

Infrastructure Security

Network

  • • CORS whitelist (static + dynamic)
  • • Rate limiting on authentication (brute-force protection)
  • • WebSocket rate limiting (10 conn/IP, 5/user)
  • • SSRF protection on outbound requests (private/metadata IPs blocked)
  • • Credit-based execution limits
  • • Stale connection cleanup (1h timeout)

Code Execution

  • • Isolated micro-VMs (E2B / Firecracker)
  • • Fail-closed: no in-process fallback — code never runs without an isolated sandbox
  • • No server filesystem access
  • • 5-minute execution timeout
  • • Automatic sandbox cleanup

Data Storage

  • • MongoDB Atlas (dedicated cluster)
  • • Connection pooling (5-50 connections)
  • • Auto-retry for reads and writes
  • • Credentials never stored in frontend
  • • S3 signed URLs (24h expiration)

Monitoring

  • • Winston logging (JSON + timestamps)
  • • Real-time WebSocket log streaming
  • • Zombie process detection
  • • CPU/memory monitoring
  • • Orphan process cleanup on startup

Multi-Tenant Isolation

Data & API

  • • Every resource scoped by organization
  • • Per-request org membership verification
  • • Role-based access control (owner / admin / member / viewer)
  • • Dedicated-container mode available for isolated deployments

Real-Time (WebSocket)

  • • Every event scoped to its owner or authorized flow room
  • • Flow-room membership authorized per organization (fail-closed)
  • • No cross-tenant broadcast — unscoped events are dropped
  • • Authenticated sockets required for any tenant data

Credential Handling

1

User enters credentials (LLM API keys, OAuth tokens) through the UI

2

Credentials transmitted over TLS to backend API

3

Encrypted immediately with AES-256-GCM (unique IV + salt per value) before database storage

4

Decrypted only in-memory during workflow execution — never logged, never cached

5

UI only displays boolean status (hasCredentials: true/false) — actual values never sent to frontend

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email: security@hiveflow.ai
  • Please include steps to reproduce, impact assessment, and any suggested fixes.
  • We commit to acknowledging reports within 48 hours.