Built for trust from day one
FlowFn is the place where your business logic, customer data, and AI usage meet. We treat that responsibility seriously — here is how.
We don't use your data to train AI
FlowFn doesn't build or train AI models — we route requests to commercial AI providers (OpenAI, Anthropic, Gemini, etc.) whose paid APIs don't train on customer data. Your workflows, prompts, files, form submissions, Data Sheet rows, and run outputs are never sold, licensed, or used to train AI models.
AES-256-GCM encryption
Credentials, OAuth tokens, API keys, and any field you mark sensitive are encrypted at rest. Workflow secrets are decrypted only inside the execution sandbox at run time.
Passwordless sign-in
Email-OTP login by default, with optional TOTP-based 2FA. No password to phish, reuse, or leak. Session cookies are HttpOnly, Secure, SameSite=Lax, and hold only an opaque session reference — never your credentials or the API token.
Frameworks we comply with
FlowFn is operated by FLOW FN PTE. LTD., a Singapore-incorporated company. We publish a versioned set of legal and compliance documents at /legal — the summaries below link straight to each one.
GDPR
Full compliance statement covering EEA / UK rights, 30-day DSR response window, and 72-hour breach notification.
CCPA
California rights, opt-out routing, and a no-sale commitment for personal information.
PDPA
Singapore PDPA compliance with DPO contact and 3-day PDPC notification on qualifying breaches.
WCAG 2.1 AA
Partially conformant with WCAG 2.1 AA and aligned with the European Accessibility Act — keyboard nav, screen-reader support, color contrast, with ongoing improvements.
Data Processing Agreement
B2B controller/processor terms with 13-month audit log retention, sub-processor disclosure, and standard contractual clauses.
AI Disclosure
EU AI Act Article 50 transparency. AI use in FlowFn is always user-initiated, never silent.
How we run the service
The day-to-day stack: where data lives, who else processes it, how we handle incidents, and how to delete what you no longer want us to hold.
Content moderation
AI screens every published workflow, form, playground, and agent's authored content against the platform policy before it can be made public or embed-enabled. HIGH-risk verdicts auto-block; owners can appeal from a banner in the dashboard. One evaluator is reused across all four surfaces so policy stays in lockstep.
Data residency
AWS us-east-1 primary processing. Cross-border transfers covered by SCCs / UK IDTA / Swiss FDPIC / EU-US DPF / PDPA s.26.
Sub-processors
AWS (incl. SES), DigitalOcean (managed MongoDB), Redis Ltd. (managed Redis), Stripe, OpenAI, Anthropic, Google (Gemini/Veo, Analytics, reCAPTCHA), and X.AI. BYOK third-party providers are governed by your direct contract.
Incident response
24-hour triage for suspected security incidents. 72-hour notification to affected users for GDPR-qualifying events; 3-day notification under PDPA. Live component status and incident history at status.flowfn.com.
Retention & deletion
Run history retention is plan-controlled. One-click purge for any workflow’s data. Full account deletion available from settings — irreversible after 30-day grace period.
Spot something? Tell us.
We take vulnerability reports and trust-and-safety concerns seriously. Reach the right inbox below — we respond fast.
Security vulnerabilities & trust reports
support@flowfn.com — vulnerability disclosures, abuse reports, and trust & safety concerns. CSAM is reported to NCMEC.
Data subject requests
Submit a data request — access, export, or delete your data.
Full document set in the Legal hub.