Security & Help

DMFlow is built on Meta's official API. Your account safety is our top priority.

Meta Certified Tech Provider
TLS 1.3 Encrypted
AES-256 at Rest
No Password Storage
GDPR Compliant

How we protect your account
Enterprise-grade security used by 14,000+ creators.

Official Meta OAuth Only

We never ask for your Instagram password. Connection happens exclusively via Meta's secure OAuth 2.0 flow — the same system used by Facebook and Instagram themselves.

Encrypted Token Storage

Your Instagram access token is encrypted at rest using AES-256 before being stored. Even our own engineers cannot read your access tokens in plain text.

Minimal Permissions

We request only the Instagram API scopes strictly needed to run your automations. We request no access to your personal DM history or account credentials.

Data Portability

You can export all your data (leads, automation logs, contacts) at any time. Your data belongs to you — not to us.

Rate Limit Compliance

DMFlow respects Instagram's API rate limits and usage policies. We never send more DMs than Instagram allows, protecting your account from restrictions.

Audit Logs

Every automation action is logged with timestamps. You can see exactly what DMFlow did on your behalf from your dashboard's activity log.

Security FAQ

Yes. DMFlow is a certified Meta Tech Provider using Instagram's official Graph API. We are not a bot or third-party scraper. Meta has reviewed and approved our API usage. Accounts using DMFlow are fully protected as long as you follow Instagram's Community Guidelines.

Never. We connect exclusively through Meta's official OAuth system. You log in to Instagram directly on Meta's servers — DMFlow never sees, handles, or stores your password. We receive only a secure API access token.

Go to Instagram → Settings → Security → Apps and Websites → find DMFlow → Remove. This immediately revokes our access token. Alternatively, you can disconnect from within your DMFlow dashboard settings.

All data is stored on AWS servers in the EU (Frankfurt region). We use SOC 2 compliant infrastructure. All data is encrypted at rest (AES-256) and in transit (TLS 1.3).

If you delete your DMFlow account, we permanently delete all your personal data within 30 days. Billing records are retained as required by law (typically 7 years). You can request an export of your data at any time before deletion.

We have a responsible disclosure programme. If you discover a security vulnerability, please email security@dmflow.app. Do not publicly disclose the issue until we have had a chance to investigate and patch it. We aim to respond within 24 hours.

Need help or have a security concern?

Our team responds within 2 business days. For urgent security issues, email security@dmflow.app.