Built for trust from day one
FlowFn is the place where your business logic, customer data, and AI usage meet. We treat that responsibility seriously — here is how.
We don't use your data to train AI
FlowFn doesn't build or train AI models — we route requests to commercial AI providers (OpenAI, Anthropic, Gemini, etc.) whose paid APIs don't train on customer data. Your workflows, prompts, files, form submissions, and run outputs are never sold, licensed, or used to train AI models.
AES-256-GCM encryption
Credentials, OAuth tokens, API keys, and any field you mark sensitive are encrypted at rest. Workflow secrets are decrypted only inside the execution sandbox at run time.
Passwordless sign-in
Email-OTP login by default, with optional TOTP-based 2FA. No password to phish, reuse, or leak. Session cookies are HttpOnly and short-lived.
Frameworks we comply with
FlowFn is operated by FLOW FN PTE. LTD., a Singapore-incorporated company. We publish a versioned set of legal and compliance documents at /legal — the summaries below link straight to each one.
GDPR
Full compliance statement covering EEA / UK rights, 30-day DSR response window, and 72-hour breach notification.
CCPA
California rights, opt-out routing, and a no-sale commitment for personal information.
PDPA
Singapore PDPA compliance with DPO contact and 3-day PDPC notification on qualifying breaches.
WCAG 2.1 AA
Accessibility statement aligned with the European Accessibility Act. Keyboard navigation, screen-reader support, color contrast.
Data Processing Agreement
B2B controller/processor terms with 13-month audit log retention, sub-processor disclosure, and standard contractual clauses.
AI Disclosure
EU AI Act Article 50 transparency. AI use in FlowFn is always user-initiated, never silent.
How we run the service
The day-to-day stack: where data lives, who else processes it, how we handle incidents, and how to delete what you no longer want us to hold.
Data residency
AWS us-east-1 is the primary processing region. Cross-border transfers are covered by SCCs / UK IDTA / Swiss FDPIC / EU-US DPF / PDPA s.26.
Sub-processors
AWS (incl. SES), DigitalOcean (managed MongoDB), Redis Ltd. (managed Redis), Stripe, OpenAI, ipify, Google Analytics. BYOK third-party providers are governed by your direct contract.
Incident response
24-hour triage for suspected security incidents. 72-hour notification to affected users for GDPR-qualifying events; 3-day notification for qualifying breaches under PDPA.
Retention & deletion
Run history retention is plan-controlled. One-click purge for any workflow’s data. Full account deletion available from settings — irreversible after 30-day grace period.
Spot something? Tell us.
We take vulnerability reports and trust-and-safety concerns seriously. Reach the right inbox below — we respond fast.
Security vulnerabilities & trust reports
support@flowfn.com — vulnerability disclosures, abuse reports, and trust & safety concerns. CSAM is reported to NCMEC.
Data subject requests
Submit a data request — access, export, or delete your data.
Full document set in the Legal hub.