Security & privacy
Encryption by default. No ad-tech. EU-hosted. Full export. We think of privacy as a design constraint, not a compliance task.
Every Fluera notebook is encrypted at rest with AES-256 via SQLCipher. Traffic is TLS 1.3 in transit. Sync between your devices is end-to-end encrypted with keys derived from your passphrase — held in your platform keychain, never sent to our servers.
Every byte you write is exportable in a single click: PNG, JPEG, WebP, SVG, PDF, and our open .fluera format. Your notebooks live on your devices first. The cloud is a convenience, not a prison — lock-in is a business model we chose against.
Fluera is EU-hosted and GDPR-native. A Data Processing Agreement is available to any educational institution on request. Full data export and right-to-be-forgotten requests are honoured within 30 days (usually within 48 hours).
You can run Fluera fully offline. Sync is opt-in per notebook, not account-wide. If you turn sync off, your data never leaves the device — including telemetry, which is consent-based and anonymous.
For Education accounts, every access to shared notebooks is logged in an immutable audit trail, exportable for compliance reviews. Administrators can enforce SSO (SAML, OIDC) and MDM-managed deployments.
We don't run ads. We don't sell data. We don't train our models on your content. We don't track you across the web. We don't hand data to third parties beyond named sub-processors (Supabase, Vercel, Stripe) — all under DPA.
Responsible disclosure
Security researchers are welcome here. Report vulnerabilities to security@fluera.dev. We acknowledge within 24 hours, patch critical issues within 72, and credit reporters in our hall of fame unless you'd rather stay anonymous.
A PGP key for encrypted submissions is published on our GitHub.
Compliance & deployment
Universities, schools and research labs: we can walk you through our DPA, sub-processor list, SSO setup and the audit log model. Pilots typically start with one class, one semester, no charge.
Talk to us about deployment →This page covers the essentials. The full architecture, sub-processor register and DPA template live at /security/architecture and /security/sub-processors. Specific compliance questions? Write to security@fluera.dev.
