RenewFlow

Security

Last updated: 18 June 2026

Fire-safety compliance data is sensitive, and our customers rely on it. This page describes the practical measures we take to protect it. We describe only measures we actually use — we don't claim certifications we don't hold.

Data encryption

  • In transit: all traffic to RenewFlow is served over HTTPS/TLS.
  • At rest: data is stored on managed cloud infrastructure that encrypts data at rest.
  • Sensitive secrets are additionally encrypted at the application layer before storage.

Secure authentication

  • Passwords are never stored in plain text — they are stored only as a salted, one-way hash.
  • Sessions use short-lived access tokens with refresh, so credentials aren't re-sent on every request.
  • Optional email verification and self-service password reset are built in.

Role-based access control

Access within an account is governed by roles (for example admin, office staff, and field engineer). Each role is granted only the permissions it needs, so users see and do only what is appropriate to their job. Field engineers, for instance, cannot reach back-office administration.

Tenant isolation

RenewFlow is multi-tenant. Every record is scoped to the organisation that owns it, and requests are checked so that one organisation can never access another's data.

Audit logs and compliance records

Significant actions in the platform are recorded in an audit trail — who did what, and when. Certificates carry their own verification record, and key compliance events are retained so you can demonstrate a clear history to insurers, auditors, or a fire officer.

Backups and recovery

The application database is hosted on a managed provider with automated backups, supporting recovery in the event of a failure. Your records are not the only copy sitting on a single machine.

Access controls (internal)

Internal access to production systems is limited to the people who need it to operate and support the service, on a least-privilege basis. We use reputable cloud providers and avoid sharing credentials.

Document & file security

Certificate PDFs and uploaded documents are served through access-controlled links rather than left openly accessible, so a document URL alone does not grant indefinite public access.

Payments

Card payments are handled entirely by Stripe on their hosted, PCI-compliant checkout. Full card details never touch RenewFlow's servers (PCI DSS SAQ-A scope).

Infrastructure

RenewFlow runs on established cloud infrastructure within the EU, with the database, file storage, and application hosted on managed, reputable providers. We keep our software and dependencies current.

Reporting a vulnerability

If you believe you've found a security issue, please tell us at support@therenewflow.co.uk. We welcome responsible disclosure and will work with you to investigate and resolve genuine issues. Please don't run intrusive tests against production without our prior written permission.

Security is continuous work, not a checkbox. As RenewFlow grows we will keep strengthening these measures — and we'll describe them honestly here.

← Back to home