Section 1: Our Security Philosophy
Headline: Security is not a feature. It is our foundation.
At Fluide, trust is earned through transparency, control, and accountability. Fluide Business is designed as one connected workspace where people, payroll, books, stock, payments, finance, reports, workflows, documents, and trust data work together under explicit permissions.
We do not assume that every user should have access to everything. Instead, we build systems where:
Access is explicit - every role is assigned deliberately.
Actions are logged - sensitive activity is recorded for accountability.
Controls are client-led - you decide the rules, and we enforce them.
Our security architecture follows the principle of least privilege. Users and Virtual Managers receive only the access necessary to perform authorized functions.
Section 2: Key Security Features
Headline: Enterprise-grade controls built for every organization.
Role-Based Access Control (RBAC)
Define custom roles or use pre-configured role templates. Assign permissions at the capability, workflow, record, or data-field level.
Examples:
HR Manager - can view staff records but cannot edit payroll unless authorized.
Finance Officer - can prepare invoices but cannot approve payments unless assigned.
Virtual Accountant - can view books and prepare reports but cannot submit or approve without permission.
Approval Workflows
Design multi-step approval processes for sensitive actions. Require one, two, or more approvers based on transaction value, workflow type, or risk level.
Examples:
Payroll run - requires HR Manager approval and Finance Director approval.
Expense claim above a defined threshold - requires department head approval.
Supplier payment - requires maker-checker review.
Maker-Checker Controls
For high-risk operations, including payments, payroll, configuration changes, and bulk data exports, Fluide Business can require two different users: one to create or initiate, and another to review and approve.
Audit Logs
Every important action can be recorded with:
Who performed the action.
What action was taken.
When it happened.
Which record or workflow was affected.
IP address and device information where available.
Audit logs support internal review, regulatory review, dispute resolution, and accountability.
Action History
View a timeline of changes to key records, including creation, edits, approvals, submissions, rejections, deletions, and export activity.
Document Permissions
Control who can view, download, upload, delete, or share documents attached to HR files, contracts, invoices, grant reports, payroll records, board packs, and other workspace records.
Capability-Level Access
Beyond role-based access, Fluide Business supports fine-grained permissions:
View only vs. edit vs. delete.
Create drafts vs. submit for approval.
Approve vs. reject.
Export vs. view only.
Client-Controlled Virtual Manager Permissions
When you hire a Fluide Certified Virtual Manager, you decide exactly what they can and cannot do.
| Access Level | Description |
|---|---|
| View Only | Can view authorized data and prepare observations, but cannot modify anything. |
| Prepare Only | Can create drafts but cannot submit or approve. |
| Submit for Approval | Can prepare records and submit them to a client administrator for approval. |
| Limited Operator | Can perform selected tasks below approved thresholds. |
| Full Capability Manager | Can operate selected connected capabilities but not the entire workspace. |
| Admin Delegation | Highest-risk access. Requires strict approval, audit logging, and appropriate contract controls. |
You can revoke any Virtual Manager's access. Every action is logged and visible to authorized administrators.
Data Export Controls
Restrict who can export data. Require approval for bulk exports. Log exports and related destination information where available.
Sensitive Action Approvals
Define which actions require additional approval, including:
Deleting financial records.
Exporting employee personal data.
Changing workspace configuration.
Approving large payments.
Adding new administrators.
Section 3: Data Protection
Headline: Your data is protected, backed up, and never sold.
| Protection Layer | Implementation |
|---|---|
| Encryption in transit | TLS for data transmitted between your browser and Fluide systems. |
| Encryption at rest | Encryption for stored data, databases, and backups where appropriate. |
| Backup and disaster recovery | Automated backups and recovery procedures designed to reduce data loss risk. |
| Data segregation | Multi-tenant architecture with logical separation between client workspaces. |
| Retention and deletion | Data retained according to client instructions, legal requirements, backup cycles, and applicable retention rules. |
You own your Client Data. Fluide does not claim ownership or sell Client Data to third parties for their own marketing purposes.
Section 4: Compliance and Standards
Headline: Built to support responsible compliance.
Fluide Business is designed to support organizations that need structure, auditability, privacy, and responsible data handling.
We align our practices with applicable Cameroonian laws, relevant OHADA-aligned requirements where adopted, GDPR obligations where applicable, and industry-recognized security principles.
For regulated services such as banking, lending, payments, insurance, protection, pension, capital, or investment products, Fluide works through duly licensed partners where required and subject to applicable laws and regulatory requirements.
PCI DSS: Fluide does not store full payment card details. Payment processing is handled by appropriate payment processors or licensed partners where applicable.
Independent reviews and additional security documentation may be available to enterprise clients subject to confidentiality requirements.
Section 5: Virtual Manager Security
Headline: Certified experts, permissioned access, full accountability.
Because Virtual Managers are independent professionals, Fluide Business uses a dedicated trust framework:
Identity verification before certification where applicable.
Fluide certification and training on security, ethics, and platform use.
Service agreements and confidentiality obligations.
Permissioned access only, defined by the client.
No default or hidden access.
Client approval before workspace access.
Action logs visible to authorized client administrators.
Issue reporting to Fluide security and support channels.
Access revocation by the client.
Trust Line: Clients stay in control. Virtual Managers only access what they are authorized to manage.
Section 6: Infrastructure Security
Headline: Secure by design, hardened by practice.
| Area | Measure |
|---|---|
| Hosting | Secure cloud infrastructure with reputable providers in compliant regions selected according to client, regulatory, and operational requirements. |
| Network security | Firewalls, network segmentation, DDoS protection, monitoring, and threat detection where applicable. |
| Production access | Strictly limited to authorized personnel with security controls and logging. |
| Vulnerability management | Regular security testing, vulnerability scans, patching, and remediation processes. |
| Patch management | Critical security patches are prioritized based on severity and risk. |
| Secrets management | API keys, passwords, certificates, and sensitive configuration are protected and not stored in public code. |
Section 7: Incident Response
Headline: Prepared for the unexpected.
Fluide maintains incident response procedures that include:
Detection through monitoring, alerts, user reports, and external threat intelligence.
Containment of affected systems or accounts where necessary.
Investigation and root cause analysis.
Eradication of threats and remediation of vulnerabilities.
Recovery from clean backups or secure system states where required.
Notification to affected clients where required by law or contract.
Post-incident review and security improvements.
Report a security issue: security@fluidegroup.com. PGP details are available upon request.
Section 8: Your Responsibilities
Headline: Security is a shared responsibility.
Fluide provides security controls, but Clients and users also play a critical role:
Use strong, unique passwords.
Enable multi-factor authentication where available.
Do not share account credentials.
Immediately revoke access for users, contractors, or Virtual Managers who no longer need workspace access.
Regularly review audit logs and permissions.
Keep administrator and security contact information up to date.
Ensure you have appropriate authority, consent, and legal basis for personal data uploaded to the Service.
Fluide is not responsible for security incidents caused by compromised credentials, excessive permissions, unsafe devices, or failure to follow security best practices.
Section 9: Third-Party Security
Headline: We hold service providers and partners to appropriate standards.
Third-party service providers that process Client Data on behalf of Fluide are expected to:
Maintain confidentiality and data protection obligations.
Use appropriate technical and organizational safeguards.
Report security incidents where required.
Process data only as instructed and permitted.
We do not share Client Data with third parties for their own marketing purposes.
