Security by Design. Privacy by Default.
Explore the multi-layered security infrastructure, cryptographic protocols, role-based controls, and automated compliance tools that keep your enterprise knowledge secure.
1. Infrastructure Security & Secrets Management
Flora integrates natively with HashiCorp Vault to prevent credential leakage and enforce centralized configuration control.
All high-privilege credentials, including API keys (Google, OpenAI, Qdrant), database connection strings, and JWT signing keys, are queried dynamically at runtime.
Configuration files and codebase repositories contain no hardcoded secrets, using Vault-backed KV-V2 engine key-value mapping.
Secure AppRole or token authentication establishes verified API communication with Vault, validated automatically at startup.
Supports version-controlled secrets rotation, allowing operators to update system credentials without service interruption.
2. Identity, Authentication, & Two-Factor Authentication (2FA)
High-entropy session management and industry-standard cryptographic primitives secure user identities.
User passwords are encrypted using bcrypt, a salt-based slow-hashing algorithm. Even in a full db breach, hashes remain computationally secure.
Enforces minimum 8 characters, upper/lowercase letters, numeric digits, and special characters prior to database ingestion.
Google Authenticator-compatible Time-Based One-Time Passwords (TOTP) powered by cryptographically secure base32 seeds.
Sessions use HS256-signed JSON Web Tokens with immediate Redis-backed token revocation checking and local fallback memory caching.
3. Role-Based Access Control & Vector Segregation
Granular authorization extends to both relational records and semantic vector search payloads.
The system boots without default roles or hardcoded permissions. Access models are defined entirely by the administrators handling the deployment.
FastAPI permission guards intercept requests at the edge, rejecting unauthorized users before server queries initiate.
Vector search matches are compiled alongside real-time user permissions and payload-level metadata restrictions, ensuring users only retrieve cleared documents.
4. GDPR Compliance & Privacy Tools
Out-of-the-box endpoints and automated sanitization pipelines ensure compliance with strict privacy regulations.
The ingestion pipeline uses highly-optimized regex patterns to automatically redact sensitive information (emails, credit cards, phone numbers, IBANs, SSNs) with placeholders before logs or chats write to storage.
A single endpoint fully purges chat logs, deletes user-role scopes, and anonymizes access logs by scrubbing IP addresses and Nullifying User IDs.
Interactive audit logs allow users and administrators to export standard compliance records in machine-readable JSON or CSV format.
Captures legal basis and versioned metadata for data processing, providing a strict 'Consent Gate' blocking RAG queries until consent is granted.
5. Auditing, Rate Limiting, & Network Sovereignty
Network security policies guard against DDoS and protect data isolation.
Token bucket algorithms protect high-traffic API paths from denial-of-service and brute-force attempts.
All gateway logs track client IP addresses using secure header matching (x-forwarded-for and x-real-ip).
Flora is completely on-premise ready. No telemetry, logs, or conversational context ever leave your isolated network perimeter.
Need a compliance evaluation?
Our solutions engineers can provide full security checklists, vulnerability logs, and deployment manifests.