Data Policy

This Data Policy explains how Flow handles, stores, processes, and protects the data you entrust to us. We are committed to maintaining the highest standards of data management and security.

All customer data is stored in secure, SOC 2 Type II certified data centers located in the United States and European Union.

We use distributed storage systems with automatic replication across multiple availability zones to ensure data durability and availability.

Customer data is logically separated using tenant isolation to prevent unauthorized access between accounts.

We process your data only as necessary to provide our services and as described in our Privacy Policy.

Data processing activities include workflow execution, analytics generation, search indexing, and AI-powered features.

All data processing is performed on secure, access-controlled infrastructure with comprehensive audit logging.

Active account data is retained for the duration of your subscription plus 30 days after cancellation.

Workflow execution logs are retained for 90 days by default, with extended retention available on Enterprise plans.

Backup data is retained for 30 days and then permanently deleted.

You may request immediate deletion of your data at any time, subject to legal retention requirements.

We perform continuous backups of all customer data with point-in-time recovery capability.

Backups are encrypted and stored in geographically separate locations from primary data.

Our recovery time objective (RTO) is 4 hours and recovery point objective (RPO) is 1 hour for critical data.

You can export your data at any time through the platform's export functionality.

Exported data is provided in standard formats (JSON, CSV) for easy migration to other systems.

We provide API access to facilitate programmatic data export and integration with your existing tools.

We work with carefully selected third-party processors who meet our strict security and privacy requirements.

All third-party processors are bound by data processing agreements that comply with applicable data protection laws.

A list of our current sub-processors is available upon request.