Flowyte runs production voice and chat agents, which means we handle call audio, transcripts,
and whatever a caller says out loud. This page describes how that data is protected, what your
compliance obligations are, and how to reach us. It states our posture honestly — where
something is in progress, we say so.
Tenant isolation
Every record belongs to one organization. Each request — whether it carries a dashboard
session or a secret API key — resolves to a single tenant-scoped identity, and database
row-level security enforces that boundary on every query. A key can never read another
organization’s data, even if it asks for a resource by id.
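How row-level security turns a cross-tenant lookup by id into an empty result, as an added example assuming PostgreSQL. It is not Flowyte's schema or code; the `calls` table, the `app_user` role, the `app.current_org` setting and all ids are constructed for illustration.

```sql
-- Constructed schema: table, role and setting names are assumptions.
CREATE TABLE calls (
    id         uuid PRIMARY KEY,
    org_id     uuid NOT NULL,
    transcript text
);

-- FORCE applies the policy to the table owner as well.
ALTER TABLE calls ENABLE ROW LEVEL SECURITY;
ALTER TABLE calls FORCE ROW LEVEL SECURITY;

-- A row is visible or writable only when org_id equals the tenant bound to
-- the current transaction. An unset or empty setting yields NULL, the
-- comparison is never true, and the session matches no rows (fail closed).
CREATE POLICY tenant_isolation ON calls
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- The application connects as a role without SUPERUSER or BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON calls TO app_user;

-- Tenant B stores a call (constructed ids).
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org', '22222222-2222-2222-2222-222222222222', true);
INSERT INTO calls VALUES ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb',
                          '22222222-2222-2222-2222-222222222222', 'tenant B call');
COMMIT;

-- Tenant A's request: the middleware binds A's org id after authenticating
-- the session or API key, never from a client-supplied parameter.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);
-- Tenant B's row requested by primary key: the policy filters it out, so the
-- application sees "not found" rather than another tenant's transcript.
SELECT id, transcript FROM calls
 WHERE id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb';
-- Writing a row labelled with tenant B's org_id violates WITH CHECK and is
-- rejected with an error, which aborts this transaction.
INSERT INTO calls VALUES ('cccccccc-cccc-cccc-cccc-cccccccccccc',
                          '22222222-2222-2222-2222-222222222222', 'forged');
ROLLBACK;
```

Because the tenant binding is transaction-local, a pooled connection cannot carry one organization's identity into the next request.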
Call recording & consent
Voice calls can be recorded and transcribed so you can review them in Observe. Recordings
are retrieved through short-lived signed URLs, not public links.
You are the controller of your callers’ data and are responsible for disclosing recording
where the law requires it. Many jurisdictions require two-party (all-party) consent before
a call is recorded. Configure your agent’s greeting (or an opening notice) to announce recording
when you operate in those regions, and confirm your obligations with counsel.
You decide what the agent says, including any recording notice, and you can disable retention
of recordings on request.
Data handling & PII
- In transit: all API traffic is served over TLS.
- At rest: sensitive secrets, such as integration access tokens, are encrypted with
authenticated encryption (AES-256-GCM) and are never returned by the API. Token data
transfer objects (DTOs) expose status only.
- Minimize what you collect. Only capture the caller fields a skill actually needs.
- Verify before disclosing. Use a caller-verification guardrail to
gate sensitive answers behind identity checks.
- Secrets show once. API-key and webhook-signing secrets are returned a single time at
creation. Store them in your secret manager.
Data residency & retention
Recordings, transcripts, and the per-call audit trail are retained so analytics and receipts
work. Retention windows and regional hosting options depend on your plan — contact us to
configure a specific residency or retention requirement, or to request deletion of stored
conversation data.
Sub-processors
Flowyte relies on third-party infrastructure to deliver the service. We describe them by
category rather than by name; the current named list is available under NDA on request.
| Category | Purpose |
|---|---|
| Cloud hosting & infrastructure | Compute, storage, and managed databases |
| Telephony carrier | PSTN connectivity, phone numbers, call routing |
| Speech & language models | Real-time voice synthesis, transcription, and reasoning |
| Payment processing (Stripe) | Checkout, wallet top-ups, invoices |
| Email & notification delivery | Outbound notification skills |
| Product analytics | Usage metrics and session replay in the dashboard |
We review sub-processors before onboarding them and maintain a Data Processing Addendum (DPA),
available on request.
Compliance posture
We aim to be precise here rather than aspirational:
- SOC 2: an audit is in progress. We do not yet hold a completed report — contact us for
current status and to be notified when it is available.
- GDPR / CCPA: we support data-subject and deletion requests and provide a DPA on request.
- A2P 10DLC: SMS sending requires per-organization brand and campaign registration before
messages are delivered (a regulatory requirement, not a Flowyte limitation).
If a compliance questionnaire or security review is part of your procurement, reach out and
we’ll work through it with you.
Reporting a vulnerability
If you believe you’ve found a security issue, email security@flowyte.com with steps to
reproduce. Please do not publicly disclose the issue until we’ve had a chance to investigate and
respond. We welcome good-faith research and will not pursue action against researchers who act
responsibly and avoid privacy violations or service disruption.