Webauthor: All-in-one business applications

Webauthor Security

Enterprise-Grade Security & Compliance for the FLEX Platform

Security and privacy are core priorities for our platform. We operate our service using industry-standard security practices and continuously improve our controls as the platform evolves. Our infrastructure, development processes, and operational procedures are designed to protect customer data and ensure reliable service.

256

Bit Encryption

99.9%

Uptime SLA

24/7

Security Monitoring

Year Backup Retention

Compliance & Governance

Aligned with recognized industry frameworks

Our security program is guided by established frameworks and security best practices recommended by AWS. These frameworks guide the design of our policies, procedures, and operational controls.

SOC 2 Trust Services Criteria

Our controls align with SOC 2 Trust Services Criteria covering security, availability, and confidentiality of customer data.

NIST Cybersecurity Framework

Our policies and procedures are developed based on the NIST CSF (National Institute of Standards & Technology Cybersecurity Framework).

AWS Security Best Practices

Following AWS Well-Architected Security best practices for cloud infrastructure, network isolation, and operational security.

Cloudflare — Our First Line of Defense

Global edge protection against DDoS, bots, and malicious traffic

Every request to the FLEX platform first passes through Cloudflare's global edge network before it ever reaches our application servers. Cloudflare operates one of the largest networks in the world, with the capacity and intelligence to absorb and filter attacks at the edge — protecting our infrastructure from volumetric DDoS attacks, malicious bots, credential stuffing, and known exploit attempts before they ever touch our origin.

330+

Global Edge Locations

Traffic is filtered close to its source, not at our origin

388 Tbps

DDoS Mitigation Capacity

Capacity to absorb the largest recorded attacks on the internet

209B+

Threats Blocked Daily

Cloudflare blocks billions of malicious requests across its network every day

100%

Traffic Inspected

Every request is scored for bot likelihood and threat reputation

Always-On DDoS Protection

Layer 3, 4, and 7 DDoS attacks are automatically detected and mitigated at the edge. Volumetric floods, SYN floods, and application-layer attacks are absorbed by Cloudflare's network without impacting service availability.

Web Application Firewall (WAF)

Managed rule sets block OWASP Top 10 threats — SQL injection, XSS, command injection, and known CVEs — with continuously updated signatures maintained by Cloudflare's security research team.

Bot Management

Machine-learning-based bot scoring distinguishes legitimate traffic from automated abuse, blocking scrapers, credential-stuffing tools, and reconnaissance scans before they reach our application.

Rate Limiting & IP Reputation

Per-endpoint rate limits and IP reputation scoring stop brute-force attempts and abusive traffic patterns. Known-bad IPs are blocked using threat intelligence aggregated across Cloudflare's global customer base.

TLS Termination at the Edge

Modern TLS 1.3 is enforced at the edge with automatic certificate management, HSTS, and protection against protocol downgrade attacks.

Continuous Observability

Real-time analytics on blocked threats, attack vectors, and traffic patterns give our security team visibility into emerging threats and the ability to tune defenses on demand.

Defense in Depth: Cloudflare is the outermost layer of our security model. Even if a request makes it past the edge, it must still pass our AWS network controls, application-level authorization, and tenant isolation checks before reaching any data.

Cloud Infrastructure Security

Hosted on Amazon Web Services with enterprise-grade protections

Our platform is hosted on Amazon Web Services (AWS), a leading cloud provider with extensive physical and infrastructure security controls. Customer data is stored in AWS cloud infrastructure in controlled environments with strong access controls and encryption.

Secure Cloud Infrastructure

Operated within AWS data centers with physical security protection and highly available compute, network, storage, and database systems.

Network Isolation

Virtual private cloud (VPC) architecture with firewall and network access controls providing environment isolation.

Identity & Access Management

Role-based identity and access management with controlled infrastructure access and monitoring capabilities.

Infrastructure Monitoring

Comprehensive infrastructure monitoring and logging for visibility into operational security and system health.

Data Protection

Multiple layers of security controls

Encryption in Transit TLS
Encryption at Rest AES-256
Encryption keys held and maintained by Webauthor
Least-privilege access policies
Role-based access controls
Periodic access reviews
Secure credential management

Data Ownership: Customers retain ownership of their data. Customer data is only used to provide the service and is not sold or shared outside the platform. AWS does not have access to client data; it is encrypted with keys held by Webauthor.

Application Security

Integrated into development and deployment

Version-controlled source code repositories
Code review before deployment
Controlled deployment processes
Dependency vulnerability scanning
Regular patching and updates
Web application firewall (WAF)
DDoS protection & intrusion prevention

Pen Testing: Regular penetration testing and internal/external vulnerability and security testing programs are maintained to continuously validate defenses.

Monitoring & Operations

Detect and respond to potential security issues

Infrastructure & application logging
Security alerting & operational monitoring
Controlled administrative access
Incident response procedures
Vulnerability monitoring & remediation
Periodic independent penetration testing

Backup & Recovery

Service continuity and data resilience

System Backups

Full-machine images created weekly and on major changes

Database Backups

Daily full backups + incremental every 5 minutes

All backups encrypted in transit and at rest
Stored separately from production data
7-year retention policy
Quarterly recovery simulation/testing

Shared Responsibility Security Model

Understanding security responsibilities across all layers

The FLEX platform operates under a shared security responsibility model. With cloud-hosted applications, it is critical to understand which security tasks are handled by the cloud provider, by the software/service provider, by the implementation team, and by the client.

Amazon Web Services — Security of the Cloud

AWS provides the underlying infrastructure and services that FLEX is built on, including physical security of data centers, highly available compute, network, storage, and database systems.

Physical security protection of data center infrastructure
Highly available compute, network, storage, and database systems
Security of proprietary management platforms and provisioning systems
AWS does not have access to client data — encrypted with keys held by Webauthor

Webauthor — Application Security

As the developer and operator of the FLEX platform, Webauthor is responsible for multiple facets of application security:

Technical Components — Server operating systems, database infrastructure, network security, encryption, DNS, and development software
People — Governance of teams including training protocols, background checks, and data access policies
Data — Internal governance structure with strict access controls; all data encrypted in transit and at rest
Policies & Procedures — Formal IT policies governing change control, logical access, operations, and data communications based on NIST CSF
Data Communications — Secure web application firewall with DDoS protection, application control, and intrusion prevention
Maintenance — Patch management program to ensure all components are updated and protected

Implementation — Configuration Security

Webauthor configures and customizes the FLEX platform for each client, implementing client-specified security and privacy requirements, and providing training and support.

Client-specific security and privacy configuration
Identity management, access control, and data governance options
Secure data transfer protocols (file upload & API integration)
Security best practices for client connections and data in transit

Client — Data Security

Clients are responsible for the security of their specific FLEX instance, including areas that Webauthor cannot control:

Identification & Authentication — Passwords, MFA, credential handling; SSO integration (Azure AD, Google, Okta, etc.)
Access Controls — Permissions structure and access control matrix
Data Handling — Role-based rules including IP restrictions, geo-IP blocking, and data access procedures
Data Privacy — Informing the implementation team of specific privacy requirements
Incident Response — Maintaining an incident response program and meeting regulatory notification requirements
Endpoint Security — Patching, antivirus/EDR software, and device encryption

Tenant Isolation

Logical separation for every customer

Tenant-Aware Architecture

The platform is built using logical tenant isolation so each customer's data is separated within the application and database layers.

Cross-Tenant Prevention

Access controls prevent cross-tenant data access with strict authorization checks enforced at every layer.

Instance-Level Configuration

Each client is afforded the opportunity to implement the right level of data protection based on their unique requirements and risk tolerance.

Responsible AI Use

How FLEX uses AI — and how we protect your data when it does

AI is a powerful capability inside FLEX, but it is used deliberately and in two clearly defined ways. In both cases, we have designed the integration so that personal and sensitive data is protected, is never used to train third-party models, and is never exposed outside of agreements that govern its handling.

1. Metadata-Only Queries — Structured Q&A

When users ask AI to answer a question about their data, we do not send the underlying personal or sensitive data to the AI model. Instead, we send only metadata that describes the shape of the data:

Database schema (table and column names, relationships)
System configuration and setup
Form definitions — field names, labels, hints, and option lists
Available filters, dimensions, and report definitions

The AI returns a structured query that we then execute against our own database inside our secure environment. The actual records, names, contact information, and any other personal or sensitive content stay entirely within FLEX. The AI sees only the question and the map of where to look — never the data itself.

2. Sensitive Data Processing — Inside Our Secure Cloud

In the limited cases where AI does need to process personal or sensitive data directly — for example, summarization, extraction, or content generation involving customer records — we use AWS Bedrock or AI models covered by enterprise agreements with the model providers. This means:

Data stays in our AWS environment. When using Bedrock, requests and responses are processed inside AWS's secure infrastructure — the data never leaves the cloud boundary we already operate within.
Covered by a BAA. AWS Bedrock usage is covered under our AWS Business Associate Agreement, or under an equivalent enterprise BAA we maintain directly with the AI provider.
No training on your data. Under these agreements, prompts, inputs, and outputs are not used to train, fine-tune, or improve the underlying foundation models. Your data is used only to answer your request and is then discarded.
No exposure to other tenants or the public internet. Inference happens within an isolated, single-tenant context — your data is not shared with other customers, other Webauthor clients, or third parties.
Encrypted end-to-end. Data sent to and from the model is encrypted in transit and at rest, consistent with the rest of our platform.

The bottom line: For day-to-day AI features, your data simply isn't sent to the AI at all — only metadata is. When AI must see real data, it is processed inside a BAA-covered, enterprise-grade environment where the data is not retained, not used for training, and not exposed.

Compliance Roadmap

Continuous maturity as the platform and customer base grow

Near Term

Formalize & Document

Formalize governance and security policies. Expand internal security documentation. Conduct annual penetration testing.

Mid Term

Risk Management & Monitoring

Establish formal risk management processes. Improve centralized security monitoring and detection capabilities.

Long Term

Audit & Assurance

SOC 2 Type I or Type II audit consideration. Expand compliance reporting and governance maturity across the organization.

Have Security Questions?

Security is an ongoing process. As our platform and customer base grow, we continue to enhance our security program. Contact our team for additional information or to discuss your specific requirements.

Get in Touch

Sales & Partnerships
+1 888-288-2294
sales@webauthor.com

Technical Support
24/7 Support Available
support@webauthor.com

Security Practices

NIST CSF Aligned

SOC 2 Criteria

AWS Best Practices

Key Highlights

End-to-End Encryption

Shared Responsibility Model

Continuous Improvement

Webauthor: Security & Privacy by Design
© 2025 Webauthor Corporation. Maintaining a reliable, secure, and trustworthy platform for all customers.