Skip to main content

Security

Last updated: June 24, 2026

Overview

StatFlow is a hosted metrics platform operated by DoubleU Labs, LLC. This page summarizes how we protect your account and data. It is informational—not a contractual commitment. See our Terms of Service and Privacy Policy for legal terms.

We use layered controls: authentication and authorization on sensitive actions, scoped API keys, protection for browser sessions, rate limits and plan enforcement on the server, and explicit opt-in before data is shared publicly or sent to third-party AI providers.

Platform

Programmatic access uses our public developer API with API keys. The web dashboard uses a separate application backend intended for StatFlow's own UI—not a documented integration surface.

Account metadata (users, billing, alerts, dashboards) and metric time series are stored in separate databases. Access to your data is scoped to your account.

Authentication

Dashboard sign-in uses secure, HttpOnly session cookies with short-lived credentials. Passwords are hashed with bcrypt and never stored in plain text. Google single sign-on is available as an alternative to a password.

Login, registration, and password-recovery flows include rate limiting and lockouts after repeated failed attempts. Where practical, error messages are generic to reduce account enumeration.

API keys

Server-side integrations authenticate with Bearer API keys. Keys are shown in full only once at creation; we store a one-way hash, not the secret. Keys can be scoped to read and/or write access, revoked at any time, and optionally given an expiration date.

Authorization and teams

Every request that reads or changes your metrics, alerts, dashboards, or billing is checked against your account. On Team plans, roles limit who can manage billing, settings, and team membership.

Plan limits—stats, data volume, alerts, seats, retention, and AI usage—are enforced by the API, not only in the UI.

Browser and session safety

State-changing dashboard requests use CSRF protection. API key requests use the key directly and do not rely on browser cookies. We apply standard HTTP security headers on web responses, including HTTPS enforcement in production.

Rate limits and abuse prevention

The developer API applies separate read and write limits that scale with your plan. Ingest and query endpoints also cap request size. Monthly data-point and AI usage quotas are enforced server-side.

When limits are exceeded, the API returns an error with guidance to retry later. Plan-specific throughput and quotas are documented in Documentation → Rate Limits.

Data protection

  • TLS/HTTPS for production traffic
  • Passwords and API key secrets protected as described above
  • Payment cards are handled by our payment processor—we store subscription status, not full card numbers
  • Metric retention follows your plan; older data may be permanently removed

Public sharing

Public dashboards and embeddable charts are opt-in. Anyone with a public link can view the metrics you expose. Review what you publish and turn off public access when it is no longer appropriate.

Alerts and webhooks

Alerts can be delivered by email or to HTTPS webhooks you configure. Outbound webhook delivery restricts unsafe destination addresses. You are responsible for ensuring destinations are authorized to receive your alert payloads.

AI features

AI capabilities require a qualifying plan, platform enablement, and an account-level opt-in in Settings → AI. When enabled, relevant metric context may be sent to third-party inference providers to generate summaries and suggestions.

AI output is probabilistic—review it before acting. Disabling AI stops new processing; see our Privacy Policy for how prior provider transmissions are handled.

Logging

We log security-relevant events such as authentication failures and API abuse. Access logs are retained for a limited period unless needed for an investigation. We do not log passwords, API key secrets, or full payment details.

Operations

Production secrets are managed outside application source code. We monitor dependencies for known vulnerabilities and patch through normal releases. Operators with production access use multi-factor authentication.

Vendors that process data on our behalf are listed in our Subprocessor Register.

Reporting issues

If you believe you have found a vulnerability, please report it to support@doubleulabs.com. Include steps to reproduce and expected impact. Please allow us time to investigate before public disclosure.