Security & Procurement

Everything procurement, legal, and InfoSec reviewers typically ask about Flowcerta — in one place. If you need something that isn't here, tell us and we'll route it.

EU + US: customer choice of region
SOC 2: Type I in progress
≤ 24h: initial reply on procurement requests

See what reviewers see

A short tour of how Flowcerta scans a workflow, surfaces risk findings against your policy pack, and produces signed audit evidence — without anyone needing to install or configure an agent.

Posture

How we handle your data

Flowcerta is a static-analysis platform. We read the workflow files you upload — XAML, JSON, package manifests — extract metadata, run rules, and store the result. We never connect to your Orchestrator or runtime systems unless you explicitly enable that integration.

Hosting

Region

Production runs on Supabase (Postgres + storage) in the customer's choice of US (us-east-1) or EU (eu-central-1). Each tenant lives in a region-scoped project; data does not cross regions for backups, replicas, or telemetry.

Encryption

In transit and at rest

TLS 1.2+ for every connection. Storage volumes and database snapshots encrypted at rest with AES-256, keyed by the cloud provider's KMS. Signing secrets (webhooks, audit-pack signatures) are generated server-side and only revealed once at creation time — we never store reversible copies.

Access

Authentication & RBAC

Supabase JWT authentication; org-scoped roles (owner, admin, analyst, viewer); MFA required for owner-level actions on Pro and above. SSO via the customer's identity provider is available on the Pro and Enterprise tiers and can be enforced org-wide.

Tenancy

Row-level isolation

Every org-scoped table enforces row-level security on the database. Application code sets the org context per request via signed JWT claims and an X-Org-Id header that the middleware validates against the user's memberships.
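The per-request org binding described above, as an added illustration that is not Flowcerta's code: the X-Org-Id header only selects an org, while membership and role come from the already signature-verified JWT, and the row filter emulates what the database's row-level security policy enforces. The `org_memberships` claim name, the header dict shape, and the sample data are assumptions constructed for this example.

```python
"""Hypothetical middleware check binding a request to an org context.

Assumes the Supabase JWT was signature-verified upstream and that its claims
carry an `org_memberships` mapping of org id -> role (an assumed claim name).
"""
from dataclasses import dataclass

ROLES = ("owner", "admin", "analyst", "viewer")  # org-scoped roles named on the page


class OrgContextError(Exception):
    """Raised when a request cannot be bound to an org the caller belongs to."""


@dataclass(frozen=True)
class OrgContext:
    org_id: str
    role: str


def resolve_org_context(claims: dict, headers: dict) -> OrgContext:
    """Bind the request to an org only if the verified JWT lists the caller as a member.

    The header is never trusted on its own: a caller naming an org they do not
    belong to is rejected rather than silently falling back to some default org.
    Header names are assumed to be normalised to canonical case before this point.
    """
    org_id = headers.get("X-Org-Id")
    if not org_id:
        raise OrgContextError("missing X-Org-Id header")
    memberships = claims.get("org_memberships", {})  # assumed claim shape
    role = memberships.get(org_id)
    if role is None:
        raise OrgContextError("caller is not a member of the requested org")
    if role not in ROLES:
        raise OrgContextError(f"unknown role {role!r}")
    return OrgContext(org_id=org_id, role=role)


def rls_visible_rows(rows: list[dict], ctx: OrgContext) -> list[dict]:
    """Emulate the database RLS policy: only rows whose org_id matches the
    request's org context are visible, regardless of what the query asks for."""
    return [r for r in rows if r["org_id"] == ctx.org_id]


# Constructed sample data: one verified JWT payload and two orgs' scan results.
SAMPLE_CLAIMS = {"sub": "user-123", "org_memberships": {"org-a": "analyst"}}
SAMPLE_ROWS = [
    {"org_id": "org-a", "workflow": "Invoice.xaml", "findings": 3},
    {"org_id": "org-b", "workflow": "Payroll.xaml", "findings": 1},
]
```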

Retention

Configurable per org

Default workflow-result retention is 90 days; configurable per org (Pro and Enterprise). Uploaded workflow files are stored for analysis and then purged on the schedule a customer sets. Audit logs of governance decisions are retained for the org's contractual retention window.

Subprocessors

Short, published list

Supabase (database, storage, auth), Stripe (billing), Resend (transactional email), Formspree (contact-form submissions), Vercel (marketing site hosting). No advertising or behavioural trackers. Full list with role + region is in the DPA.

Compliance

Materials reviewers usually ask for

We hand these out on first ask — no NDA required for the public posture statement; standard mutual NDA for the SOC 2 progress report and security questionnaire responses.

Data Processing Agreement (DPA)

Pre-filled GDPR-aligned DPA covering EU and UK transfers, Standard Contractual Clauses, and our short subprocessor list.

Request the current DPA →
SOC 2 posture statement

Where we stand against the SOC 2 Trust Services Criteria today, what's in the Type I engagement, and the expected report timeline. Public version is free; full progress report is NDA-gated.

Request the SOC 2 status pack →
Compliance control mapping

Public mapping of every Flowcerta governance rule to SOC 2, HIPAA, GDPR, and PCI DSS controls. Self-serve — no request needed.

Open the compliance page →
Signed audit evidence export

Any Flowcerta org can generate a signed PDF (or JSON) snapshot of its governance posture from the dashboard. Hand it to an auditor or attach it to a vendor review. Signature is verifiable offline.

Read the audit-pack walkthrough →
Security questionnaire responses

Pre-filled responses against the CAIQ and SIG Lite — we use them as a starting point and then complete the customer's own form on top.

Send your questionnaire →
Privacy & cookie policies

The public-facing policies that govern visitors and end-users of the marketing site and dashboard.

Read the privacy policy →
FAQ

Common procurement questions

Where is customer data stored?

In the customer's choice of US (us-east-1) or EU (eu-central-1) Supabase project. Backups, replicas, and telemetry stay in-region. EU-resident tenants are kept on the EU project end-to-end, including transactional email routing.

What customer data does Flowcerta actually read?

The workflow files you upload (XAML, JSON, package manifests), plus the metadata Flowcerta extracts from them: activity inventory, variable/argument names, selector targets, connections, package dependencies. We do not read runtime data from Orchestrator or production bots. Files are stored encrypted and purged on the retention schedule the org configures.

Do you have a SOC 2 report?

SOC 2 Type I is in progress. Public posture statement is available today; full progress report is NDA-gated. We expect Type I in the current calendar year and will begin Type II evidence collection immediately after.

How is access to customer data controlled internally?

Production database access is scoped to two named engineers; all access is logged. We do not export, mine, or analyse customer workflow content for any purpose other than serving the customer — no training data, no benchmarks, no anonymised public statistics.

What happens to our data if we cancel?

Customers can export a signed audit pack of the org's state at any time from the dashboard. On cancellation, the org's data is retained for 30 days (so deletion can be reversed if cancellation was in error), then permanently deleted from primary stores and rotated out of backups within 90 days.

Do you accept our security questionnaire?

Yes. Send us the customer questionnaire and we'll return it with our standard responses overlaid in 5 business days or fewer for CAIQ / SIG-style forms. Custom forms vary.

Is on-premise deployment available?

On-premise is available on the Enterprise tier. The same Flowcerta application runs in a customer-managed environment, with audit-pack signing keys held by the customer.

Who do we contact for legal or security review?

legal@flowcerta.com for contracts and DPAs; security@flowcerta.com for questionnaires and SOC 2 materials. Both inboxes are monitored Mon–Fri; initial reply within one business day.

Pilot

Want to evaluate Flowcerta against your real workflows?

A pilot is a fixed-scope 2–4 week evaluation against a workflow inventory you choose. We help you import a representative sample, run the rules, and produce the artefact your reviewers need to make a yes/no call. No payment until you decide.

  • Week 1 — kickoff, environment setup, sample import.
  • Week 2 — full inventory scan and findings review.
  • Weeks 3–4 — auditor walk-through with signed audit pack.

Start a pilot conversation