Flowchestra – Trust & Security

Last updated: November 2025

At Flowchestra, trust and security are core to how we build our products and operate our business. We know customers rely on our platform to automate workflows, move data between systems, and interact with AI features. This Trust & Security Statement explains how we protect Customer Data, maintain platform integrity, and meet our security and compliance commitments.

This statement supplements (but does not replace) our Terms of Service, Privacy Policy, and Data Processing Addendum (DPA).

1. Security Overview

We maintain administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Customer Data. Our security program is aligned with modern industry standards used by SaaS, automation, and AI-enabled platforms.

Key security elements include:

  • Encryption in transit (TLS 1.2+)

  • Encryption at rest (AES-256 or equivalent)

  • Access control and least-privilege security principles

  • Continuous logging, monitoring, and alerting

  • Robust incident response procedures

  • Vendor and sub-processor due diligence

  • Regular vulnerability scanning and security reviews

2. Encryption

In Transit

All connections to Flowchestra are encrypted using TLS 1.2+.

At Rest

Customer Data stored within our cloud infrastructure is encrypted using AES-256 or an equivalent industry-standard algorithm.

3. Access Controls

We use strict access controls to limit who can access Customer Data.

  • Employee access is restricted based on job role and least-privilege principles.

  • Administrative access to production systems requires multi-factor authentication (MFA).

  • Access is logged, monitored, and periodically reviewed.

  • Engineers access Customer Data only when necessary for support, troubleshooting, or security.

Customer administrators are responsible for managing user access within their own accounts.

4. Secure Development & Deployment

Flowchestra follows a secure development lifecycle that includes:

  • Code review requirements

  • Static and dynamic analysis

  • Dependency monitoring

  • Segregated development, staging, and production environments

  • Automated testing and continuous integration/continuous deployment (CI/CD) pipelines

Changes to production systems follow documented approval and testing processes.

5. Monitoring & Logging

We maintain logs across our infrastructure for:

  • Authentication events

  • API usage

  • Workflow execution

  • Integration activity

  • Error and performance tracking

  • Administrative access

We use automated systems to detect unusual or suspicious activity and alert our team.

6. Vulnerability Management

We regularly assess our systems using:

  • Automated vulnerability scanning

  • Third-party security tools

  • Patch management processes

  • Industry-standard dependency scanning

Security patches are applied based on severity and impact.

We may engage independent penetration testers periodically, subject to resource and risk prioritization.

7. Incident Response

Flowchestra maintains an incident response program designed to quickly detect, investigate, and respond to potential security incidents.

If we confirm unauthorized access to Customer Data, we will notify affected customers within a reasonable time period and:

  • within any legally required timeframe (e.g., 72 hours), and

  • for incidents not subject to shorter statutory deadlines, within a reasonable time period of confirmation.

We will provide available details and work to mitigate impact. Notification does not constitute an admission of fault.

8. Data Residency & Storage

Customer Data is stored in geographically distributed cloud infrastructure operated by reputable cloud providers.

Primary processing locations are in the United States unless otherwise agreed through an Enterprise contract.

Enterprise customers may request region-specific data residency options.

9. Sub-Processors

Flowchestra uses carefully selected third-party sub-processors to provide hosting, AI model processing, monitoring, analytics, support, and other operational functions.

All sub-processors are required to:

  • meet security and confidentiality obligations

  • implement appropriate technical and organizational controls

  • process data only for authorized purposes

A list of sub-processors is maintained on our website and updated as needed.

10. AI Model Providers

Some features rely on third-party AI model providers such as OpenAI, Anthropic, or Google.

Key protections:

  • We send only the minimum data required for the AI task.

  • Customer Data is not used by Flowchestra or our AI providers to train shared models.

  • AI providers process data under strong confidentiality and security requirements.

  • Customer maintains complete control over workflows that use AI features.

For more information, see our Terms of Service and Privacy Policy.

11. Compliance

Flowchestra’s security program is designed to support compliance with:

  • GDPR (with SCCs and a DPA) (pending)

  • CPRA/CCPA

  • SOC 2 readiness (audit planned as product matures)

  • Common U.S. security and privacy expectations

  • Industry best practices for SaaS and automation platforms

We make security documentation available to customers under NDA upon request.

12. Customer Responsibilities

Security is a shared responsibility. Customers are responsible for:

  • Managing and securing user access to their accounts

  • Using strong authentication credentials

  • Configuring workflows and integrations safely

  • Ensuring data they process is lawful and permitted

  • Keeping Customer-owned systems secure

  • Reviewing logs and alerts available in the platform

Customers should promptly report suspicious activity to security@flowchestra.com.

13. Reporting Security Concerns

If you believe you have found a security vulnerability or incident involving Flowchestra, contact us immediately at:

security@flowchestra.com

Include as much detail as possible so we can investigate.
We ask researchers to avoid tests that could impact customers or the Service.

14. Updates to This Statement

We may update this Trust & Security Statement to reflect improvements to our security program or changes in law.
If changes are material, we will notify customers by email or in-app.

15. Contact Information

Byte Size Innovations LLC
Attn: Security Team
732 W Algonquin Rd
Arlington Heights, IL 60005
USA

Email: security@flowchestra.com