Security & Compliance
Reliable background jobs, simplified. Your data is protected with enterprise-grade encryption and access controls from day one.
Built for teams that can't afford downtime — or data leaks
CronFlow was architected with security as a first-class concern. Every cron schedule, execution log, and payload is encrypted at rest with AES-256 and in transit via TLS 1.3. Our infrastructure is independently audited, and our role-based access control (RBAC) system lets you define exactly who can create, modify, or trigger jobs across your organization.
Whether you're processing payment webhooks for a fintech startup or orchestrating nightly ETL pipelines for a healthcare data warehouse, CronFlow gives you the visibility and governance your security team expects. Below is a breakdown of the compliance frameworks we meet, the encryption standards we enforce, and the access controls available to every plan.
Compliance at a glance
SOC 2 Type II
CronFlow completed its SOC 2 Type II audit in Q3 2024, conducted by independent auditor Deloitte LLP. The report covers all five Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy. Your organization can request the full report through your account portal after signing an NDA.
ISO/IEC 27001:2022
Our information security management system (ISMS) is certified under ISO 27001:2022 by BSI Group. Certification scope includes all CronFlow infrastructure, development pipelines, and customer support operations. Surveillance audits are conducted every 12 months without exception.
GDPR & Data Residency
CronFlow acts as a data processor under GDPR Article 28. We execute a Data Processing Addendum (DPA) with every EU-based customer and support data residency in EU-West (Frankfurt) and US-East (N. Virginia) regions. Personal data is never transferred outside your selected region without explicit consent.
HIPAA BAA Available
For healthcare customers handling PHI, CronFlow offers a Business Associate Agreement (BAA) on Enterprise plans. Our HIPAA-compliant configuration disables public webhook endpoints, enforces field-level encryption on job payloads, and retains audit trails for a minimum of six years.
How we protect your cron data
AES-256 Encryption at Rest
All job definitions, execution histories, and webhook payloads are encrypted using AES-256-GCM before being written to our PostgreSQL and Redis clusters. Encryption keys are managed through AWS KMS with automatic rotation every 90 days. Key material never leaves the KMS boundary — our application servers never hold plaintext keys in memory beyond the duration of a single request.
TLS 1.3 in Transit
Every connection to CronFlow's API and dashboard is protected by TLS 1.3 with forward secrecy. We enforce HSTS with a max-age of 31536000 seconds (one year) and reject any connection attempting to downgrade to TLS 1.2 or below. Our certificate authority is DigiCert, and certificates are auto-renewed via the ACME protocol.
Role-Based Access Control (RBAC)
CronFlow's RBAC system supports five built-in roles: Owner (full workspace control, billing, member management), Admin (create/modify/delete jobs, manage webhooks), Developer (create and modify jobs, view execution logs), Viewer (read-only access to schedules and logs), and Service Account (API-only access with scoped tokens). Custom roles with granular permission matrices are available on Team and Enterprise plans.
Immutable Audit Logs
Every action in CronFlow — job creation, schedule changes, webhook edits, role assignments, and API key rotations — is recorded in an immutable audit log. Logs are append-only, cryptographically signed, and retained for 365 days on Team plans or 2,555 days (seven years) on Enterprise. Export to SIEM tools like Datadog, Splunk, or Sumo Logic is available via our audit log webhook.
SSO & SAML 2.0
Enterprise customers can enforce single sign-on through SAML 2.0 with identity providers including Okta, Azure AD, and OneLogin. Just-in-time provisioning creates CronFlow accounts automatically on first login, and group mappings sync roles in real time. Forced logout is supported — when a user is deactivated in your IdP, their CronFlow session terminates within 60 seconds.
Vulnerability Disclosure Program
We maintain an active bug bounty program through HackerOne. Our security team has responded to over 140 responsible disclosures since 2022, with an average triage time of 4.2 hours and a median resolution time of 38 hours. Critical and high-severity findings are eligible for payouts up to $15,000. See our full disclosure policy at security.cronflow.io/disclose.
Ready to secure your background jobs?
Start with a free trial — no credit card required. Upgrade to Team or Enterprise when you need SSO, custom RBAC, or a signed DPA.