No marketing language. Here's exactly how FlowAI protects customer data, who touches it, and what compliance posture we're building toward.
The 6-page PDF procurement teams ask for on call #2. Covers SOC 2 roadmap, sub-processors, data handling, AI model practices, and incident SLAs.
All traffic runs over TLS 1.3. Older cipher suites are disabled. No plaintext channels to production systems.
All database storage uses AES-256 encryption. Neon PostgreSQL encrypts at the block-storage level: no configuration required on our side, enforced at the infrastructure layer.
Each customer's data is logically isolated by case_id and API key. No cross-tenant data access. Future roadmap includes single-tenant dedicated instances for enterprise accounts.
Service accounts are scoped to minimum required permissions. Database credentials are not shared between services. All secrets are injected at runtime via environment variables, never hardcoded.
Configurable data retention (30, 90, or 365 days). Deletion requests honored within 7 days. No training on customer data. DPA available on request.
Audit scheduled for Q3 2026; report available to customers under NDA on request.
Twelve-month observation period begins after Type I closes. Type II report available under NDA.
Queued for enterprise accounts. Contact us to discuss timeline and whether it needs to be in your vendor packet.
For each KYC triage call: applicant name, document image URLs (ID, address proof, selfie). URLs are processed by OpenAI for extraction, then discarded. We store extracted metadata, not the raw images, in the audit log.
Configurable per customer: 30, 90, or 365 days. Default is 90 days. After the retention window, records are automatically purged from the database.
Cryptographic shredding within 7 days of a written deletion request. Send requests to security@flowai.polsia.app with your case_id or account identifier.
Customer data is never used to train, fine-tune, or evaluate any model, ours or OpenAI's. We use OpenAI's zero-data-retention API endpoints where available. This is not optional; it is a hard architectural constraint.
The full list of third-party services that may process customer data. We keep this list short by design.
| Vendor | Purpose | Data | Region |
|---|---|---|---|
| Render | Compute / hosting | All application traffic | US (Oregon) |
| Neon | PostgreSQL database | Audit logs, triage records | US (AWS us-east-1) |
| OpenAI | Document extraction & risk scoring | Document URLs + extracted identity metadata (zero-retention endpoint) | US |
| Stripe | Billing only | Payment method data; no PII from triage flows | US |
| Postmark | Transactional email | Work email address (for lead/result delivery only) | US |
We will update this list when sub-processors are added. Customers on Growth and Scale plans can request 30-day advance notice of material changes.
Any security incident that touches customer data triggers customer notification within 24 hours of confirmed discovery. Notification includes scope, impact assessment, and remediation steps taken.
Real-time system status and incident history at status.flowai.polsia.app. Subscribe for email alerts on any service degradation.
P0 (data breach): 24h notification, immediate containment. P1 (service outage): public status update within 1h. P2 (degraded performance): status update within 4h.
P0 and P1 incidents result in a written post-mortem shared with affected customers within 5 business days. No blame, just root cause and prevention.
Vulnerability reports, deletion requests, incident questions
Standard DPA available for all paying customers. Subject: DPA Request
Our standard commercial agreement. Redlines considered for Growth and Scale plans.