🔒

Security & Trust

We take the security of your data and credentials seriously. Here's exactly what we do — and don't do.

  • 🔐 AES-256 Encryption: All credentials encrypted at rest and in transit
  • 💳 No Financial Data: We never store credit cards or financial records
  • 👁️ No Peeking: Your data is only accessed during workflow execution

Data Handling

FlowClaw processes data from your connected tools only during workflow execution. We do not sell, share, or use your business data for any purpose other than running your automations.

Workflow run logs — including step inputs and outputs — are stored for debugging and analytics purposes and retained for 90 days. You can delete your data at any time from the dashboard.

OAuth Scopes — What We Request & Why

📧 Gmail: Read emails, send emails

To read incoming emails as workflow triggers and send emails as workflow actions. We never read email outside of explicitly triggered workflows.

💬 Slack: Post messages to channels

To send notifications and alerts to your Slack workspace when workflow conditions are met.

📋 Trello: Read and create cards

To create and update Trello cards as workflow actions. We only access boards you explicitly configure.

📅 Google Calendar: Read and create events

To trigger workflows from calendar events and create calendar entries as workflow actions.

📁 Google Drive: Read and create files

To read files as workflow inputs and create/update files as workflow actions.

What We Never Store

  • Credit card numbers or financial account data
  • OAuth tokens in plaintext — all tokens are AES-256 encrypted before storage
  • Personal emails, messages, or files beyond what is needed for active workflow runs
  • Plaintext passwords — account passwords are hashed before storage and never logged

AI Condition Node — Data Privacy

When you use the AI Condition node, data from your workflow step is sent to OpenAI's GPT-4o-mini model. This uses your own OpenAI API key — FlowClaw never marks up or resells AI compute.

Only the specific field(s) you configure are sent to OpenAI — not your full workflow history. We recommend not sending sensitive PII (social security numbers, financial account data) through the AI Condition node.

OpenAI's data usage policies apply to data processed through your API key. Review their privacy policy for details.

Infrastructure

FlowClaw is hosted on Railway, running in isolated containers per service.

  • All traffic encrypted via TLS 1.3
  • Database access restricted to API service only (no public internet access)
  • Credentials encrypted with AES-256-GCM before being written to the database
  • Environment variables (API keys, secrets) never appear in logs or error messages

Revoking Access

You can revoke FlowClaw's access to any connected app at any time — either from the FlowClaw dashboard (Connections page) or directly from the connected app's settings. Revoking access immediately stops all workflows that depend on that connection.

Workflow State & Privacy

FlowClaw workflows can keep limited state between runs so automations do not repeat work, double-process the same record, or lose operational context. Here is what that state covers, how it is protected, and how to request a reset.

What Workflows Can Store

  • The last run timestamp and trigger inputs needed to avoid duplicate processing
  • Execution state for multi-step automations, such as queued or completed steps
  • Configuration preferences you've set (routing rules, thresholds, labels)
  • Aggregate counters used for reporting (runs completed, leads routed, tickets handled)

What Workflows Do NOT Store by Default

  • Full message or email content beyond the current run window
  • Personal data from third-party tools beyond what's needed for routing decisions
  • Anything you haven't explicitly configured the workflow to track

Encryption

Stored workflow state is scoped to your account and isolated per workflow. Connection credentials are encrypted at rest using AES-256-GCM, and sensitive environment secrets are never exposed in workflow logs.

How to Clear Workflow State

Dashboard reset controls are being added. Until those controls are available, contact FlowClaw support to clear stored state for a workflow or account. This does not affect run logs retained for debugging and analytics, but it can reset counters, state flags, and cached context tied to that workflow.

Questions or Concerns?

Have a security question or want to report a vulnerability? Email us at . We respond to all security reports within 24 hours.