FlagDrop is designed so your sensitive data never has to leave your infrastructure.
FlagDrop pushes static config files to your own S3, GCS, or Azure Blob Storage bucket. Your SDKs read locally. No evaluation data is ever sent to FlagDrop servers — we are the control plane, not the data plane.
All communication between the FlagDrop dashboard and API uses TLS 1.3. Config files pushed to your cloud storage inherit your bucket encryption settings — AES-256 by default on all major cloud providers.
Authentication is powered by Clerk with SSO support. Role-based access control lets you scope permissions per project and environment. API keys are scoped to specific projects with configurable read/write permissions.
Every database query is filtered through PostgreSQL Row-Level Security policies. There is no application-level filtering to bypass — isolation is enforced at the database engine level.
We are actively pursuing SOC 2 Type II certification. FlagDrop is GDPR compliant by architecture — we process minimal personal data, and flag evaluation data stays entirely in your infrastructure.
Found a security issue? We take every report seriously. Please email us at security@flagdrop.io with details and we will respond within 24 hours.