Security and trust

Security at RequestFlow

A plain-language view of how RequestFlow is designed to handle document collection, what is live today, and what we do not claim.

RequestFlow is in beta. The public site currently collects early-access interest; it does not ask visitors to upload sensitive client documents. Before firms use RequestFlow for live client files, security documentation and customer terms should be reviewed with the firm owner or administrator.

  • Private checklist links
  • Server-side authorization
  • No unsupported certification claims

Current beta scope

The public RequestFlow site is a marketing and early-access surface. It accepts firm contact details and workflow context so we can follow up about beta access.

  • Do not submit sensitive client documents through the early-access form.
  • The public site does not currently provide a client upload workflow.
  • Production customer use should be covered by the published security documentation, privacy notice, and customer terms in effect at that time.

Data storage location

The current beta-interest database is hosted by Supabase in us-west-2. RequestFlow will document production file-storage location before customers upload sensitive client documents.

  • Beta-interest submissions are stored in Supabase Postgres.
  • The public site also keeps a server-side JSONL fallback audit trail for successful submissions.
  • If hosting or storage regions change, this page should be updated before relying on the new location.

Encryption details

The public site is served over HTTPS. Supabase documents that hosted projects are encrypted at rest by default; RequestFlow relies on that for the current beta-interest database.

  • Browser traffic to request-flow.com uses HTTPS.
  • Secrets such as API keys are kept out of public HTML and are held in server-side environment configuration.
  • Additional product-level encryption details for client files should be documented before paid customer file use.

Access controls

RequestFlow is designed around private checklist links, server-side authorization, and firm-side controls, rather than public folders or unrestricted upload endpoints.

  • The product model uses private checklist links for client upload flows.
  • PIN and expiry controls are part of the planned client-link control surface.
  • Firm roles and administrative access should be configured before a firm handles live client files.

Audit logs

RequestFlow is designed to make document collection status easier to inspect without forcing staff to reconstruct history from email threads.

  • The product surface is designed for upload receipts and item status changes.
  • Audit behavior should focus on operational events such as request creation, upload receipt, status changes, exports, and deletion actions.
  • Audit logs should not expose plaintext secrets, client link fragments, PINs, or raw file contents.

Retention and deletion

The current beta-interest flow keeps submissions so we can follow up about early access and product fit. Customer data retention controls for live file use should be documented before general availability.

  • Beta-interest records can be deleted on request.
  • Production firm data should support customer deletion workflows and documented retention periods.
  • Firms remain responsible for their own regulatory retention requirements and client consent practices.

Malware scanning

RequestFlow is designed to support malware scanning before firm download, but the current public interest form does not accept files and does not run client-file malware scanning.

  • Do not interpret this page as a claim that all product uploads are currently scanned.
  • Before firms upload live client files, malware scanning behavior should be documented as active, planned, or unavailable.
  • Scanner outcomes should be visible enough for staff to avoid downloading files that require review.

Certifications and reviews

RequestFlow does not currently claim SOC 2 or ISO 27001 certification. It also does not make HIPAA compliance, IRS approval, or compliance-program replacement claims.

  • Vendor certifications should be reviewed separately from RequestFlow's own controls.
  • Security review materials can be expanded as RequestFlow moves from beta to production customer use.
  • If a firm requires SOC 2, ISO 27001, HIPAA, or similar review before use, that requirement should be discussed before uploading client documents.

Current public-site providers

This table covers the public site and beta-interest flow. It is not a production client-file subprocessor list.

| Provider | Purpose | Current note |
|---|---|---|
| Supabase | Beta-interest database and Data API | Project region: us-west-2 |
| Resend | Signup notification email to RequestFlow | Used only when notification configuration is active |
| Google Analytics | Aggregate website analytics | Used for traffic and conversion measurement |
| RequestFlow hosting | Public website and capture endpoint | No public client-document upload flow today |

Security questions

Can I upload client files through the public site?

No. The public early-access form is for firm contact and workflow details, not sensitive client documents.

Does RequestFlow claim SOC 2 or ISO 27001?

No. RequestFlow does not currently claim SOC 2 or ISO 27001 certification.

Is malware scanning active?

The product is designed to support malware scanning before firm download, but the public interest form does not accept files and does not run client-file malware scanning.

Where is beta-interest data stored?

The current beta-interest database is hosted by Supabase in us-west-2.

Need a security packet before using RequestFlow?

Use the early-access form and include your firm's review requirements. We will route security questions before any sensitive client-document workflow.
