Flowyte runs production voice and chat agents, which means we handle call audio, transcripts, and whatever a caller says out loud. This page describes how that data is protected, what your compliance obligations are, and how to reach us. It states our posture honestly — where something is in progress, we say so.

Tenant isolation

Every record belongs to one organization. Each request — whether it carries a dashboard session or a secret API key — resolves to a single tenant-scoped identity, and database row-level security enforces that boundary on every query. A key can never read another organization’s data, even if it asks for a resource by id.

Voice calls can be recorded and transcribed so you can review them in Observe. Recordings are retrieved through short-lived signed URLs, not public links.

You are the controller of your callers’ data and are responsible for disclosing recording where the law requires it. Many jurisdictions require two-party (all-party) consent before a call is recorded. Configure your agent’s greeting (or an opening notice) to announce recording when you operate in those regions, and confirm your obligations with counsel.

You decide what the agent says, including any recording notice, and you can disable retention of recordings on request.
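
The row-level security boundary described under Tenant isolation, shown as an added example that is not Flowyte's own code: a policy that scopes every query to the tenant resolved for the request, so a lookup by id for another organization's row is filtered by the database itself. PostgreSQL as the engine, the `calls` table, the `app_user` role and the `app.current_org` setting are all assumptions made for illustration.

```sql
-- Added illustration: engine (PostgreSQL), table, role and setting names are assumed.
CREATE TABLE calls (
    id         uuid PRIMARY KEY,
    org_id     uuid NOT NULL,
    transcript text
);

-- Constructed sample rows: one call for each of two organizations.
INSERT INTO calls VALUES
    ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
     '11111111-1111-1111-1111-111111111111', 'org A call'),
    ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb',
     '22222222-2222-2222-2222-222222222222', 'org B call');

-- FORCE applies the policy to the table owner as well. Superusers and
-- BYPASSRLS roles still bypass it, so the application must not connect as one.
ALTER TABLE calls ENABLE ROW LEVEL SECURITY;
ALTER TABLE calls FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- rows written for any other tenant. current_setting() raises an error when
-- no tenant has been set, so a request with no identity fails closed.
CREATE POLICY tenant_isolation ON calls
    USING      (org_id = current_setting('app.current_org')::uuid)
    WITH CHECK (org_id = current_setting('app.current_org')::uuid);

-- Unprivileged role the application queries as.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON calls TO app_user;

SET ROLE app_user;
BEGIN;
-- Set once per request, after the session or API key has been resolved to
-- its organization. SET LOCAL ends with the transaction, so the value cannot
-- leak to the next request on a pooled connection.
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';

-- Org A asks for org B's call by id: the policy removes the row before the
-- WHERE clause can match it.
SELECT id, transcript FROM calls
WHERE id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb';

-- Org A tries to write a row owned by org B: rejected by WITH CHECK.
INSERT INTO calls VALUES
    ('cccccccc-cccc-cccc-cccc-cccccccccccc',
     '22222222-2222-2222-2222-222222222222', 'forged');
ROLLBACK;
```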

Data handling & PII

  • In transit: all API traffic is served over TLS.
  • At rest: sensitive secrets — such as integration access tokens — are encrypted with authenticated encryption (AES-256-GCM) and are never returned by the API. Token DTOs surface status only.
  • Minimize what you collect. Only capture the caller fields a skill actually needs.
  • Verify before disclosing. Use a caller-verification guardrail to gate sensitive answers behind identity checks.
  • Secrets show once. API-key and webhook-signing secrets are returned a single time at creation. Store them in your secret manager.

Data residency & retention

Recordings, transcripts, and the per-call audit trail are retained so analytics and receipts work. Retention windows and regional hosting options depend on your plan — contact us to configure a specific residency or retention requirement, or to request deletion of stored conversation data.

Sub-processors

Flowyte relies on third-party infrastructure to deliver the service. We describe them by category rather than by name; the current named list is available under NDA on request.

| Category | Purpose |
| --- | --- |
| Cloud hosting & infrastructure | Compute, storage, and managed databases |
| Telephony carrier | PSTN connectivity, phone numbers, call routing |
| Speech & language models | Real-time voice synthesis, transcription, and reasoning |
| Payment processing (Stripe) | Checkout, wallet top-ups, invoices |
| Email & notification delivery | Outbound notification skills |
| Product analytics | Usage metrics and session replay in the dashboard |

We review sub-processors before onboarding them and maintain a Data Processing Addendum (DPA), available on request.

Compliance posture

We aim to be precise here rather than aspirational:
  • SOC 2: an audit is in progress. We do not yet hold a completed report — contact us for current status and to be notified when it is available.
  • GDPR / CCPA: we support data-subject and deletion requests and provide a DPA on request.
  • A2P 10DLC: SMS sending requires per-organization brand and campaign registration before messages are delivered (a regulatory requirement, not a Flowyte limitation).
If a compliance questionnaire or security review is part of your procurement, reach out and we’ll work through it with you.

Reporting a vulnerability

If you believe you’ve found a security issue, email security@flowyte.com with steps to reproduce. Please do not publicly disclose the issue until we’ve had a chance to investigate and respond. We welcome good-faith research and will not pursue action against researchers who act responsibly and avoid privacy violations or service disruption.