All legal documents
Legal & Compliance
Sub-Processors
Version1.0UpdatedJun 26, 2026Reading time7 min read
1. About This List
This page lists the third-party service providers ("sub-processors") that FLOW FN PTE. LTD. (UEN 202617303Z), a company incorporated in Singapore, engages to process personal data on behalf of customers of the FlowFn Service. This list is provided in accordance with our Data Processing Agreement and Article 28 of the EU General Data Protection Regulation. We will update this page when sub-processors are added or removed and, where required, notify customers in advance.
2. Infrastructure and Hosting
(a) Amazon Web Services, Inc. (AWS) — cloud compute, object storage (S3), content delivery (CloudFront), transactional email delivery (Simple Email Service), and related infrastructure. Primary processing region: AWS US East (N. Virginia) us-east-1, with disaster-recovery snapshots in the United States. AWS is self-certified under the EU-US Data Privacy Framework (and the UK Extension and Swiss-US DPF). Website: https://aws.amazon.com/compliance/gdpr-center/. (b) DigitalOcean, LLC — managed MongoDB database hosting. Primary processing region: DigitalOcean New York 3 (NYC3) — United States East Coast, in the same geographic area as our AWS us-east-1 deployment. DigitalOcean is bound by its Data Processing Agreement and the Standard Contractual Clauses incorporated into it for international transfers. Website: https://www.digitalocean.com/legal/privacy-policy. (c) Redis Ltd. (Redis Cloud) — managed Redis hosting used as the in-memory cache and background-job queue for our BullMQ worker system (enqueueing notifications, workflow run jobs and other asynchronous tasks). Primary processing region: AWS US East (N. Virginia) us-east-1 (Redis Cloud runs on AWS infrastructure of our choosing). Redis Ltd. is bound by its Data Processing Addendum and the Standard Contractual Clauses incorporated into it. Website: https://redis.io/legal/privacy-policy/. (d) Internet Security Research Group (ISRG), operator of Let's Encrypt — automated issuance and renewal of the TLS/SSL certificates that secure customer custom domains and per-playground subdomains served through our hosting edge (which itself runs on the AWS infrastructure described in (a)). When a visitor first connects to a customer-controlled hostname, our edge requests a certificate for that exact hostname from Let's Encrypt over the ACME protocol; the hostname being secured, together with the metadata needed to validate control of it, is transmitted to ISRG. ISRG is a California-based non-profit certificate authority; issuance is governed by its Subscriber Agreement and Privacy Policy. Website: https://letsencrypt.org/privacy/.
3. Payments
Stripe, Inc. (and its regional affiliates including Stripe Payments Singapore Pte. Ltd.) — payment processing, billing, invoicing, tax calculation, fraud prevention, and storage of payment-method data. Stripe acts as an independent controller for payment-card data under PCI-DSS. Website: https://stripe.com/privacy.
4. AI Model Providers (Platform-Managed)
FlowFn engages the following AI model providers as sub-processors for its built-in AI features. The provider used for a given request is determined by the model selected on your team's AI preferences. (a) OpenAI, L.L.C. — large language model inference (e.g. GPT-4o / GPT-5 family) and image generation. Website: https://openai.com/policies/privacy-policy. (b) Anthropic, PBC — large language model inference (Claude family). Website: https://www.anthropic.com/legal/privacy. (c) Google LLC — Gemini and Veo APIs for language, image, and video model inference. Website: https://policies.google.com/privacy. (d) X.AI Corp. — large language model inference (Grok family) via the xAI API. Website: https://x.ai/legal/privacy-policy. We engage these providers for: (i) the in-product AI Assistant (chat-style help inside the dashboard); (ii) the workflow Code Generator and workflow AI Assistance; (iii) the Playground AI assistant (chat-driven HTML / CSS / JavaScript authoring and data-sheet proposals inside Playgrounds); and (iv) workflow nodes that invoke a platform-managed model when your subscription plan includes platform-managed model access (in that case the call goes out under FlowFn's API key and FlowFn pays the provider). Each provider is engaged only on demand, when you or a workflow you have authored invokes one of those features. We send only the prompt, attached context, and any files you upload (including images attached to chat messages in the AI Assistant or Playground AI assistant) for that specific request; we do not use customer prompts or outputs to train these providers' models, and each provider is contractually prohibited from doing so under their enterprise terms with FlowFn. If you do not use the AI features no inputs are sent. Customers who configure their own provider API key on their team (BYOK) instead invoke that provider under their own contract; see Section 7 for how we treat customer-connected vendors. See our AI Disclosure for further detail.
5. Analytics and Product Telemetry
(a) Google LLC (Google Analytics 4) — aggregate website analytics on the marketing site only. Loaded only after you grant analytics consent through our cookie banner. Not used for users who decline analytics cookies. Website: https://policies.google.com/privacy. (b) Google LLC (Google Ads conversion measurement) — measures whether a marketing-site visit or signup followed one of our ads. Loaded on the marketing site only and only after you grant advertising & measurement consent through our cookie banner; configured for conversion measurement only — ad-personalization signals are denied and Google's ads-data redaction is enabled; we do not use remarketing or cross-context behavioural advertising. Website: https://policies.google.com/privacy. We do not currently use any third-party product analytics, session-replay, or behavioural-advertising vendor inside the authenticated dashboard.
5a. Security and Anti-Abuse
Google LLC (reCAPTCHA v3) — invisible, score-based bot and abuse detection on our unauthenticated entry points: account sign-up and sign-in, and public form submissions served from FlowFn-hosted origins (the /f/<slug> pages on flowfn.com or a <tenant>.flowfn.com subdomain — including the form iframe that embedded forms load from those origins). When one of these is submitted, reCAPTCHA sends the visitor's IP address, a reCAPTCHA cookie identifier, and interaction signals to Google and returns a risk score that we use to allow or reject the request; there is no visible challenge. Forms served on a customer's own custom (white-label) domain do not invoke reCAPTCHA — it cannot verify a third-party origin — and are instead protected by the per-form embed token, the allowed-domains list, and rate limiting. reCAPTCHA makes no call elsewhere in the product. Google acts as our sub-processor for this purpose, bound by its terms and the Standard Contractual Clauses incorporated into them; transfers are covered by the safeguards in §8. See also our Cookie Policy. Website: https://policies.google.com/privacy.
6. Communications (Transactional Email)
Amazon Web Services, Inc. (AWS Simple Email Service, "SES") — transactional and notification email delivery (account confirmations, password resets, billing receipts, sub-processor change notices, workflow alerts, and similar service messages). SES operates in our primary AWS region (US East / N. Virginia, us-east-1) under the same AWS sub-processor terms set out in §2 above. Website: https://aws.amazon.com/privacy/.
7. Customer-Connected Integrations and Bring-Your-Own-Key AI
When you connect a third-party tool to your workflow, that third party becomes an independent controller or processor for the data you send to it. Those vendors are configured by you using your own credentials (API key, OAuth token, database connection string, etc.), governed by your direct relationship with them, and are not listed as our sub-processors. We act on your documented instructions when we relay data to them. Two broad categories are available in the product: (i) communications, storage, and data tools (for example email senders, marketing platforms, and customer-managed databases); and (ii) bring-your-own-key (BYOK) AI service providers exposed as workflow nodes for tasks such as text, image, video, audio, and code generation. AI service providers in category (ii) are workflow tools, not FlowFn sub-processors: production use requires you to configure that provider's API key on your team, and the call goes out under your direct contract with the provider. The complete and current catalog of supported third-party tools (including AI providers) is published in the product, and the AI providers currently exposed as BYOK workflow nodes are also enumerated in our AI Disclosure for transparency.
8. International Transfers and Safeguards
FlowFn's primary processing region is in the United States East Coast: AWS us-east-1 (N. Virginia) for compute, S3 object storage, CloudFront and Simple Email Service; DigitalOcean New York 3 (NYC3) for managed MongoDB database hosting; and Redis Cloud (Redis Ltd.) running on AWS us-east-1 for in-memory cache and background-job queue. Personal data is therefore routinely transferred from the European Economic Area, the United Kingdom, Switzerland and Singapore to the United States. We rely on the following safeguards: (a) the European Commission's Standard Contractual Clauses (Module 2 Controller-to-Processor between FlowFn and customer-controllers, Module 3 Processor-to-Processor between FlowFn and our sub-processors); (b) the UK International Data Transfer Addendum and the Swiss FDPIC's amendments where applicable; (c) the EU-US Data Privacy Framework (and its UK Extension and Swiss-US DPF) where the relevant US recipient is self-certified; and (d) for transfers out of Singapore, Section 26 of the Singapore PDPA and the Personal Data Protection (Transfer of Personal Data Outside Singapore) Regulations 2014, on the basis that AWS, DigitalOcean, Redis Ltd. and our other sub-processors are bound by data-processing addenda that impose obligations comparable to the protection under the PDPA. Sub-processor agreements include data-protection terms equivalent to those in our Data Processing Agreement. We have performed an internal Transfer Impact Assessment for the United States East Coast transfer (covering AWS us-east-1, DigitalOcean NYC3 and Redis Cloud) and refresh it on material change.
9. Notification of Changes
We will update this page before engaging a new sub-processor or replacing an existing one. We send every active account holder advance notice by email at least 30 days before a new sub-processor begins processing personal data. This notice is a transactional service communication required by our Data Processing Agreement and by Article 28(2) of the GDPR / UK GDPR — it is not a marketing message and there is no opt-out, so even if you have opted out of marketing emails you will still receive these notices while you hold an account. Customers under a separate Data Processing Agreement will additionally receive notice through their DPA contact and may object in writing in accordance with the DPA. Any questions can be addressed to legal@flowfn.com.
10. Contact
Questions about this list, sub-processor security, or data transfers may be sent to our Data Protection Officer at legal@flowfn.com. General support: https://www.flowfn.com/dashboard/support.