Our approach
Security is built into how HarperFlow operates. We collect the minimum data needed to run the service, protect it in transit and at rest, and connect to your sites through official platform APIs, storing no more than we need.
Encryption
Data is encrypted in transit using TLS and encrypted at rest. Secrets and access tokens are stored encrypted and scoped to the minimum access required to publish on your behalf.
Payment security
All payments are handled by Stripe, a PCI-DSS Level 1 certified provider. Your full card details never touch HarperFlow’s servers — we only receive the tokens Stripe needs to manage your subscription.
Platform credentials
We publish through the official Webflow, WordPress, Shopify, and Wix APIs using scoped authorization. We request only the permissions needed to map collections and publish articles, and you can revoke access at any time from your account.
Access controls
Internal access to production systems is restricted on a need-to-know basis. Enterprise plans add SSO and audit logs for organizations that require centralized access management and traceability.
Infrastructure
The service runs on reputable cloud infrastructure with isolated environments, regular patching, and monitoring. We review our dependencies and configuration for known vulnerabilities.
Responsible disclosure
If you believe you’ve found a security vulnerability, please report it to hello@harperflow.io. We investigate all credible reports promptly and ask that you give us a reasonable opportunity to remediate before public disclosure.
Incident response
We maintain procedures to detect, investigate, and respond to security incidents, and we will notify affected users where required by law.