Platform / Trust & Security

Unparalleled Assurance and Reliability

Enterprise-grade security is built into every layer of the FloQast platform. We operate on industry-leading infrastructure, enforce best practices throughout the software development lifecycle, and meet compliance standards like GDPR and CPRA.

Infrastructure and Physical Security

When we selected an infrastructure provider, we drew on our technical team’s experience in developing and operating market-leading cloud services. This enabled us to build in security and availability at every layer, from physical security to computer, network, and storage. We supplement our technical measures with well-defined security and access policies, and prove our security using ongoing third-party audits and certification.

  • We protect your data throughout our infrastructure, including computer, storage, and network transmission.

  • Our connection with your ERP system is read-only.

  • We require that all of our vendors meet our data protection standards.

  • We continuously monitor the health of our service and show customers those metrics via this portal:

  • Compliance and Security Team

    We have a team dedicated to our compliance with industry standards and the security of our platform. We use a multi-layered approach to ensure our code is developed in a secure manner using shift-left principles and follow Secure Software Development Lifecycle (SDLC) based on best practice standards such as OWASP and Microsoft SDL. Our focus on security and compliance extends from the Compliance and Security teams to the entire company via a training program against outside attacks like phishing, and tests them regularly to ensure compliance.

  • Employees and contractors agree in writing to comply with our security controls.

  • We run background checks of all employees and contractors with access to customer confidential information.

  • Our compliance team instills security into our culture via regular security awareness training sessions and by testing employees to ensure compliance.

  • By limiting production access to those who need it and regularly monitoring access, we minimize access points and operational risk.

  • Secure Development Lifecycle

    With any new development, our team has security top of mind. We perform security testing throughout coding, testing, and deployment. Our internal security team works with independent external security researchers to validate our software security.

  • Our engineers and developers work according to current industry standards on secure programming and code review.

  • Our platform security is regularly reviewed by peers, in-house security researchers, and third-party security assessors.

  • Our software development lifecycle includes more than 60,000 tests.

  • Our internal penetration testing team continually audits source code per OWASP standards to measure source code integrity.

  • Secure Customer Data

    FloQast’s data protection meets industry standards. It complies with requirements and is tailored to meet privacy laws, including General Data Protection Regulation (GDPR) and California Privacy Rights Act (CPRA). Our encryption technology protects customer data both at rest and in transit to the user’s browser, leaving no weak spots for attackers.

  • We encrypt your data at the data field and file level, ensuring we safeguard all of your sensitive financial information.

  • We protect every customer individually, isolating your data to ensure the highest degree of security and trust.

  • We utilize Amazon’s FIPS compliant key management service configured to meet the highest industry standards.

  • We adhere to a robust vulnerability management program built from best practice frameworks, ensuring our corporate environment, cloud infrastructure, and application follow strict patching SLAs.

  • Application Security

    We run vulnerability scans continuously — daily, not weekly or monthly. To support our internal security, we also work with third party security auditors to ensure our processes follow industry standards.

  • We test business critical applications before they are deployed.

  • Our infrastructure is regularly subject to penetration testing.

  • We always perform code reviews and use static analysis tools to ensure high code quality in our applications.

  • We rely on Infrastructure-as-Code to ensure high consistency across our environments.

  • If you believe you’ve discovered a security-related issue, please contact us at [email protected].

  • SOC 1 Type II

    FloQast has certified its systems annually to AICPA SOC 1 Type II since 2016, successfully auditing the controls relevant to user entities’ internal control over financial reporting.

    SOC 2 Type II

    FloQast has certified its systems to AICPA SOC 2 Type II, successfully auditing the operational and security processes of our service and our company.


    You can learn more and download FloQast’s DPA at

    ISO 27001

    ISO 27001 demonstrates that FloQast has invested in the people, processes, and technology to protect your organization’s data and has been certified in doing so by an independent, expert assessment of whether FloQast data is sufficiently protected.


    You can learn more and download FloQast’s DPA at