FlowGraph stores an organization's operational knowledge, so trust is a product requirement, not a marketing page. This is the plain-language version of how the product handles data, written for the person who has to answer a security questionnaire. Everything here is true today; where something is planned rather than shipped, it says so, with a date.
Where your data lives
On your device, by default. FlowGraph is a local-first app. With no cloud feature configured — the default for anyone who just opens it — the app makes zero network calls for your content. Your graphs, cards, edges, documents, IFC models, run history, and settings live in your browser's local storage, with an optional mirror to a folder on your own disk. No account is required for this, and the anonymous local path never phones home.
Self-host if you prefer. FlowGraph ships as a small pip package you can run on your own machine or inside your own network, serving the same app from your own root. For teams that cannot use a hosted service at all, this is a supported path, not a workaround.
What our servers never see
- Your graph content — nodes, edges, documents, and models — unless you explicitly turn on a cloud feature such as sign-in, sync, or sharing.
- Your building models. IFC files are parsed in your browser with no upload; you can prove it by watching your network tab while you open one.
- Your AI provider keys in the local mode. They are stored on your device and sent only to the provider you chose. We do not see, proxy, or resell your inference unless you deliberately configure our proxy.
What does touch a server, and only then
We believe in naming the exceptions rather than hiding them. A request reaches a server only when you choose a feature that needs one: signing in, syncing or sharing a vault, routing AI through our optional proxy so keys can live server-side instead of in the browser, or sending a Revit or Navisworks file to Autodesk's cloud for 3D translation. Cloud 3D translation always sits behind an explicit consent step that names the egress and the credit cost first.
Auth and account model
No account is needed for local work. If you create one to use cloud features, you can use an email address or one-click Google or GitHub sign-in, from which we receive only basic profile information — never your contacts or repositories. In hosted (proxy) mode, provider keys are held as server-side secrets and never returned to the browser, and the server enforces a strict same-origin policy. Payments are processed by Stripe; card details never touch FlowGraph servers, and we store only Stripe's customer and subscription identifiers.
Integrity guarantees
Every change — human, AI, or agent — flows through a single governed write path that stamps provenance and is reversible. Knowledge a human has approved is locked against silent AI overwrite: an AI proposal is always staged as a reviewable diff and never auto-applied, and only a human can deliberately override a lock. Governed writes, approvals, and exports append to an audit ledger, so the record of what happened stays honest.
Compliance status planned
We will not claim a certification we do not hold. As of July 2026, FlowGraph is not SOC 2 certified; formal SOC 2 work is planned and not yet a claim you can rely on for procurement. Data residency today is your own device by default, and for the Team sync path, encrypted at rest with tenant isolation. Our sub-processors are Cloudflare (hosting and the optional worker), Stripe (payments), Autodesk (only for opt-in cloud 3D translation), and whichever AI provider you choose. If your review needs a document we have not published yet, email us and we will tell you honestly what exists and what does not.