Integration & Security Whitepaper

Last updated: February 6, 2026

This whitepaper details how DMFlow integrates with Instagram, how automations are executed, and the security controls that keep your connected account safe. Our approach is intentionally simple: official APIs, minimal data, and clear user control.

1. Official integration model

DMFlow uses the official Instagram Graph API and OAuth for all Instagram connections and automation actions. We never request your Instagram password and do not use unofficial scraping or browser automation. You can revoke access at any time by disconnecting.

2. OAuth flow

  • User is redirected to Instagram for authorization.
  • Instagram issues an OAuth access token.
  • Token is stored encrypted and used for API calls.
  • Disconnect revokes access immediately.

Scopes are limited to messaging and comment permissions required for the features you enable.

3. Webhooks

DMFlow subscribes to official webhook events (DMs and comments). Each webhook is validated, de-duplicated, and routed only to the correct integration. Events that do not match an active integration or automation are ignored.

  • Idempotency keys prevent duplicate processing.
  • Automation checks ensure only active workflows run.
  • Rate limits and cooldowns protect account health.
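The validate, de-duplicate, and route pipeline described above, as an added Python example that is not DMFlow's own code. It assumes a Meta-style `sha256=<hex HMAC-SHA256 of the raw body>` signature header and a constructed event format with `account_id` and `message_id` fields; the app secret, `WebhookRouter` class, and sample events are hypothetical.

```python
import hashlib
import hmac
import json

# Hypothetical app secret; the real service would load this from configuration.
APP_SECRET = b"example-app-secret"

def sign_body(raw_body: bytes, secret: bytes = APP_SECRET) -> str:
    # Assumed Meta-style header value: "sha256=" + hex HMAC-SHA256 of the raw body.
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def signature_is_valid(raw_body: bytes, header: str, secret: bytes = APP_SECRET) -> bool:
    if not header.startswith("sha256="):
        return False
    # Constant-time comparison so a forger learns nothing from response timing.
    return hmac.compare_digest(header, sign_body(raw_body, secret))

class WebhookRouter:
    """Validates, de-duplicates, and routes events only to active integrations."""

    def __init__(self, active_integrations: set):
        self.active = active_integrations
        self.seen = set()        # idempotency keys; use a persistent store in production
        self.delivered = []      # (account_id, text) pairs handed on to automations

    def handle(self, raw_body: bytes, header: str) -> str:
        if not signature_is_valid(raw_body, header):
            return "rejected"    # unsigned or forged payload: dropped before parsing
        for ev in json.loads(raw_body)["events"]:
            key = f"{ev['account_id']}:{ev['message_id']}"   # constructed idempotency key
            if key in self.seen:
                continue         # redelivery of an already-processed event
            self.seen.add(key)
            if ev["account_id"] not in self.active:
                continue         # no active integration for this account: ignored
            self.delivered.append((ev["account_id"], ev["text"]))
        return "accepted"

def demo():
    """Constructed sample: one valid delivery, its redelivery, and a forged copy."""
    router = WebhookRouter(active_integrations={"acct-1"})
    body = json.dumps({"events": [
        {"account_id": "acct-1", "message_id": "m-1", "text": "hello"},
        {"account_id": "acct-9", "message_id": "m-2", "text": "ignored"}]}).encode()
    first = router.handle(body, sign_body(body))
    replay = router.handle(body, sign_body(body))       # duplicate: no second delivery
    forged = router.handle(body, "sha256=" + "0" * 64)  # bad signature: rejected
    return first, replay, forged, router.delivered
```

The redelivery is accepted at the transport level but produces no second delivery, which is the behaviour an idempotency key is there to guarantee.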

4. Automation execution

  • Triggers match on keywords, comments, or direct messages.
  • Plan limits are enforced before responses are sent.
  • Responses can be static or Smart AI.
  • Delays and continuation windows reduce spam-like behavior.

5. Data handling

  • Only required data is stored to run automations.
  • Message content is used solely for automation behavior.
  • Users can delete automations or disconnect at any time.
  • We minimize storage of message content where possible.

6. Security controls

  • Tokens encrypted at rest, transmitted over TLS.
  • Access controls and audit logs for sensitive actions.
  • Idempotency and deduplication for webhook safety.
  • Monitoring and alerting for anomalies.

7. Infrastructure & tooling

  • Authentication via Clerk.
  • Data and workflows managed with Convex.
  • Secure hosting, observability, and error tracking.

8. Trust commitments

  • We never request Instagram passwords.
  • We use only official Meta/Instagram APIs.
  • We provide clear controls to connect or disconnect.
  • We disclose how data is used in our Privacy Policy.