Security

The security page your
compliance team is asking for.

flow8 runs on your infrastructure. Encrypted at rest. Granular access controls. A complete audit trail on every execution. Nothing leaves without your permission.

✓ Self-hosted — no shared cloud ✓ Encrypted at rest ✓ Complete audit trail ✓ Air-gap capable
Talk to our team →

Security is the architecture, not a feature.

Regulated teams don't need a checkbox. They need a system where sensitive data has nowhere to go but where it's supposed to.

🏠
Runs on your infrastructure
flow8 deploys on your servers — on-premise, private cloud, or air-gapped. No shared tenancy. No external services required. Your data never crosses a boundary you don't own.
🔐
Encrypted at rest
Field-level encryption on sensitive data within MongoDB. Encryption keys managed by you. A breach of the database exposes nothing readable — encrypted fields stay encrypted.
📋
Audit trail on everything
Every execution step, every trigger, every data access — logged with timestamps and user attribution. The trail is built into the execution engine, not bolted on. It cannot be turned off.
👥
Granular access control
Entity-level RBAC with company-based multi-tenancy. Users see and execute only what their role permits. Access is enforced at the API layer, not just the UI.
🔌
No vendor dependencies
flow8 has no phone-home behaviour, no license servers, no external APIs required for core operation. Disconnect it from the internet entirely — it keeps running.
🧩
Secrets stay in your vault
Integration credentials (API keys, OAuth tokens, connection strings) are stored encrypted. They're injected at runtime and never appear in logs or execution records.

Every execution leaves a complete record.

When an auditor asks what happened to a record, the answer is already there — timestamped, attributed, immutable. flow8 logs every step of every run. You don't reconstruct the trail. You just export it.

  • Step-level logs for every execution
  • Input and output data recorded per step
  • User attribution on every trigger and action
  • Timestamps on every state change
  • Exportable for compliance reporting
Execution audit log
09:14:02 DONE
Matter intake flow triggered
Triggered by: webhook · matter_id: 4821
09:14:02 DONE
Document extracted — 14 fields identified
Step: Extract Fields · duration: 1.2s
09:14:04 DONE
Client record created in CRM
Step: Create Contact · record_id: c_9902
09:14:04 INFO
Assigned to: Sarah Chen (Partner)
Step: Route Matter · rule: practice_area=litigation
09:14:05 DONE
Client notification sent
Step: Send Email · template: matter_confirmation

A breach exposes nothing useful.

Sensitive fields are encrypted before they're written to the database. The encryption key is yours — managed in your environment, never transmitted to flow8. If someone gets the database, they get ciphertext.

  • Field-level encryption on sensitive data
  • Keys managed entirely in your environment
  • Encrypted values never appear in logs
  • Credentials injected at runtime only
Field encryption — stored in MongoDB
client_name Sarah Mitchell
ssn enc:AgICAHj3Xk9mNq…
bank_account enc:AgICABpL7rTwYm…
dob enc:AgICAHm9Zv2pXn…
api_key enc:AgICAGk4Lw8qRs…
status active

Every user sees exactly what their role allows.

Access is enforced at the API layer — not just hidden in the UI. Roles are scoped to the company entity, so multi-tenant deployments stay fully isolated. An employee in one business unit cannot see or trigger flows owned by another.

  • Company-scoped multi-tenancy
  • Role-based access enforced at API level
  • Separate permissions for view, run, edit, admin
  • API key authentication for integrations
  • OAuth2 support for enterprise SSO
Role permissions
Admin
View Run Edit Manage Users
Editor
View Run Edit Manage Users
Operator
View Run Edit Manage Users
Viewer
View Run Edit Manage Users

Deployed where your security policy requires.

No forced cloud. No shared infrastructure. flow8 runs wherever your data is allowed to live.

🏢
On-Premise
Runs on your own servers inside your data center. No external calls required for core operation. Full control over networking, storage, and access.
Docker Bare metal Your network
✈️
Air-Gapped
Fully disconnected environments supported. No license server, no telemetry, no phone-home. flow8 operates completely offline once deployed.
No internet required No telemetry
🔒
Private Cloud
Deploy in your own VPC on AWS, Azure, or GCP. You own the infrastructure. flow8 never runs in a shared environment or accesses your tenant data.
AWS Azure GCP Your VPC

Built for regulated industries.

The teams with the strictest compliance requirements are exactly who flow8 was built for.

🇪🇺 GDPR-ready 🏥 HIPAA-friendly 🛡️ Air-gap capable 🏛️ Data sovereignty 📋 Complete audit trail 🔐 Encrypted at rest

flow8 does not process, store, or transmit your data to any external system. All execution happens inside your deployment. Compliance obligations stay with you — not with a vendor who has access to your records.

Send this to your security team.

Book 30 minutes and we'll walk them through the architecture — deployment model, encryption, access controls, and audit trail — whatever they need to sign off.

Book a call → Talk to an engineer