
CodexFlow legal

Security

Security practices for checkout, payment processing, signed activation, payload delivery, access links, and reports.

Policy status: Production Ready
Updated: 24 May 2026
Effective: 24 May 2026
Operator: Nova Group Sp. z o.o.
Jurisdiction: Poland / European Union


This page explains the security practices and responsibilities related to CodexFlow, the website at https://codexflow.io, checkout, licensing, digital delivery, and customer access.

1. Operator and security contact

CodexFlow is operated by Nova Group Sp. z o.o., Żurawia 6/12 Lok. 745, 00-503 Warszawa, Poland.

Security contact: security@codexflow.io
Support contact: support@codexflow.io

2. Payment security

CodexFlow uses third-party payment processors such as Stripe and Worldline where enabled. Payment card details are entered into payment-provider flows and are handled by the relevant payment provider.

CodexFlow does not intentionally store full card numbers, card security codes, or complete payment authentication credentials on its own servers.

Payment providers may use fraud-prevention, authentication, device, transaction, and risk signals to protect payments and comply with payment-network and legal requirements.

3. Digital delivery security

CodexFlow paid digital delivery may use:

  • verified payment events before fulfillment;
  • protected customer access pages;
  • scoped and time-limited access links;
  • hashed access tokens in storage where applicable;
  • signed activation files;
  • payload manifests;
  • payload hashes and integrity metadata;
  • download and access logging;
  • access revocation where needed;
  • separation of paid payload files from public static directories.

These controls are designed to reduce unauthorized access, accidental exposure, license misuse, and delivery disputes.

4. Account and access security

Customers are responsible for protecting their own accounts, email inboxes, devices, repositories, access links, activation files, license materials, and secrets.

You should not share protected CodexFlow links, paid payload archives, activation files, account sessions, or license materials with unauthorized users. If you believe your access link, account, or license materials have been compromised, contact security@codexflow.io.

5. Data protection measures

CodexFlow applies administrative, technical, and organizational measures appropriate to the nature of its digital software and delivery operations. These may include:

  • HTTPS for website access;
  • restricted administrative access;
  • access controls for databases, payload storage, and operational systems;
  • logging of security-relevant events;
  • secure handling of payment-provider webhooks;
  • secret management practices for signing keys and provider credentials;
  • masking, hashing, or redaction of sensitive identifiers where appropriate;
  • limited access to operational records based on role and need;
  • separation between public website assets and protected paid materials.

No website or online service can guarantee absolute security, but CodexFlow aims to use reasonable safeguards for the type of service provided.

6. Customer responsibilities

Customers should:

  • keep repositories backed up;
  • remove secrets from logs before sending support requests;
  • protect API keys, private keys, credentials, and customer data;
  • verify checksums and signatures where provided;
  • review scripts and commands before running them;
  • keep local development tools and operating systems updated;
  • avoid running untrusted code in production environments;
  • use the correct license tier and avoid unauthorized sharing.

7. Responsible disclosure

Security concerns can be reported to: security@codexflow.io

Please include:

  • affected URL, endpoint, or product component;
  • steps to reproduce the issue;
  • impact assessment;
  • screenshots or logs with secrets removed;
  • your contact email.

Do not access, alter, delete, exfiltrate, disclose, or disrupt data that does not belong to you. Do not perform denial-of-service testing, social engineering, spam, phishing, physical attacks, or destructive testing.

CodexFlow does not offer a public bounty program unless one is separately announced in writing.

8. Incident communication

If CodexFlow identifies a security incident that affects customers or personal data, it will take appropriate steps based on the nature, scope, and risk of the incident. This may include containment, investigation, mitigation, customer communication, provider communication, and notification to authorities where required by law.

9. Third-party providers

CodexFlow may rely on third-party providers for hosting, database, file storage, email delivery, authentication, payment processing, analytics, consent management, security, and operational logging. Security of those services is also governed by the relevant provider’s own controls, terms, and security practices.

10. Contact

For security reports, contact: security@codexflow.io
For customer support, contact: support@codexflow.io


CodexFlow is an independent workflow toolkit for developers using Codex. Codex and OpenAI are trademarks of their respective owners. CodexFlow is not affiliated with, endorsed by, or sponsored by OpenAI.
