Skip to main content
FlowFn
IntegrationsTemplatesPricingDocsBlogSign inStart free
All documentation

Security and Privacy

UpdatedJun 15, 2026Reading time4 min read

How FlowFn protects your data

FlowFn is designed with security as a priority. Here is how your data, credentials, and workflows are protected.

Passwordless authentication

FlowFn uses passwordless OTP (one-time password) login. When you sign in, a verification code is sent to your email. There is no stored password to compromise. Sessions use JWT tokens with configurable expiration.

Login rate limiting

The OTP-request endpoint enforces two fixed-window counters on every login to defend against inbox flooding, account enumeration via timing, and brute-forcing the 6-digit code by requesting many fresh OTPs:

  • Per-IP — up to 5 OTP requests every 5 minutes. Stops a burst attacker hammering the endpoint from one address.
  • Per-email — up to 10 OTP requests every hour. Stops a slow attacker rotating IPs against a single target.

Both checks must pass; when either trips the response is HTTP 429 with a Retry-After header indicating how long to wait. The OTP code itself is also rate-limited at verification time (per-email attempt counter) — this request-side limiter is defence-in-depth.

Encryption

  • Secrets and API keys – Workflow environment secrets, platform tool OAuth tokens, AI provider API keys, and webhook secrets are encrypted at rest. Full key values are never returned in API responses.
  • Transport – All communication between your browser and FlowFn servers uses HTTPS/TLS encryption.

Team-based access control

All resources (workflows, apps, forms, connections) are scoped to teams. Only team members with the appropriate role (owner, admin, developer) can access or modify them. See Team Roles and Permissions for details on what each role can do.

OAuth connections

When you connect a third-party service (e.g. Google, Slack, Stripe), FlowFn uses standard OAuth 2.0 flows. Your credentials are exchanged for access tokens that are stored encrypted on FlowFn's servers. FlowFn never sees or stores your third-party passwords.

Webhook security

Webhook triggers use HMAC signature verification to ensure incoming requests come from the expected sender. Each webhook trigger has a unique secret generated by FlowFn. The platform validates signatures for known providers (Slack, Stripe, GitHub, GitLab, Shopify) and supports generic HMAC-SHA256 for others. See Triggering Workflows via Webhook.

File storage

Uploaded files and workflow artifacts are stored in AWS S3 with access controlled by pre-signed URLs. Files are not publicly accessible; time-limited signed URLs are generated on demand when you view or download them.

AI assistance data

When you use the AI chat, code-generation, or playground assistant, FlowFn stores an audit row for each request: your prompts, the model response, token counts, the model and provider used, and the credits charged. Image attachments are stripped to metadata only (filename and media type) before storage. These rows are used for billing reconciliation, abuse review, and debugging of model regressions.

Retention. AI assistance audit rows are deleted by a nightly purge once they exceed your plan's retention window. Defaults: Free 2 months, Student 2 months, Starter 3 months monthly / 6 months annual, Pro 6 months monthly / 12 months annual, Business 12 months monthly / 24 months annual. The window is configurable per plan; -1 disables the purge and is reserved for enterprise customers handling retention contractually.

Objecting to AI processing. Under GDPR Article 21 you can object to FlowFn processing your prompts through AI features. Submit an objection from My Account → Privacy Rights and pick AI assistance as the processing type. After that, the AI chat, code-generation, and playground assistant endpoints will return a forbidden response until you lift the objection.

Account deletion. When you delete your account, all AI assistance audit rows scoped to your user are removed as part of the data subject request sweep.

Exporting your data

You can request a full export of the personal data associated with your FlowFn account from My Account → Privacy Rights → Export My Data. The export runs in the background; we email you a time-limited download link (valid for 7 days) when it is ready. The archive includes your profile, teams, apps (including each app's subdomain and custom domain, if set), workflows, workflow runs, forms, form submissions, visualizers, visualizer data rows, playgrounds, playground data-sheet rows (including rows you've deleted but not yet permanently cleared), AI assistance audit rows, AI chat conversations, your privacy/processing restriction and objection records, notification preferences, AI provider preferences (the encrypted API key is intentionally excluded), and BYOK audit rows tied to your own agent or workflow runs (metadata only — request and response bodies are never logged). Billing details (credit ledger entries, plan history) are not included in this self-service archive — request them via the formal data-subject channel at /legal/dsr if you need them.

Rate limit. To prevent abuse and protect platform resources, the self-service export endpoint is limited to one request every 24 hours. If you request a new export inside that window AND your previous download is still available, we will re-send the existing link to your email without consuming the quota — useful if you lost the original email. If the previous export has expired we ask you to wait until the cooldown elapses, or to submit a formal data-subject request at /legal/dsr, which is processed by our DPO within the statutory window (30 days for PDPA/GDPR/UK GDPR, 45 days for CCPA/CPRA). This limit is consistent with GDPR Art. 12(5) (manifestly-excessive guard) and is more permissive than the CCPA's statutory twice-per-12-months ceiling.

Legal and compliance

FlowFn provides terms of service, privacy policy, and optional compliance documents including GDPR compliance, CCPA compliance, and a Data Processing Agreement (DPA). These are available at /legal in the app. Your acceptance of the current terms is recorded at signup and login.

Spotted an issue or have feedback?

support@flowfn.com
Back to docs hub →