> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flowyte.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Trust & Security

> How Flowyte handles your data, recordings, and caller PII — and how to report a vulnerability.

Flowyte runs production voice and chat agents, which means we handle call audio, transcripts,
and whatever a caller says out loud. This page describes how that data is protected, what your
compliance obligations are, and how to reach us. It states our posture honestly — where
something is in progress, we say so.

## Tenant isolation

Every record belongs to one organization. Each request — whether it carries a dashboard
session or a secret API key — resolves to a single tenant-scoped identity, and database
row-level security enforces that boundary on every query. **A key can never read another
organization's data**, even if it asks for a resource by id.

## Call recording & consent

Voice calls can be recorded and transcribed so you can review them in **Observe**. Recordings
are retrieved through short-lived signed URLs, not public links.

<Warning>
  You are the controller of your callers' data and are responsible for disclosing recording
  where the law requires it. Many jurisdictions require **two-party (all-party) consent** before
  a call is recorded. Configure your agent's greeting (or an opening notice) to announce recording
  when you operate in those regions, and confirm your obligations with counsel.
</Warning>

You decide what the agent says, including any recording notice, and you can disable retention
of recordings on request.

## Data handling & PII

* **In transit:** all API traffic is served over TLS.
* **At rest:** sensitive secrets — such as integration access tokens — are encrypted with
  authenticated encryption (AES-256-GCM) and are never returned by the API. Token DTOs surface
  status only.
* **Minimize what you collect.** Only capture the caller fields a skill actually needs.
* **Verify before disclosing.** Use a [caller-verification guardrail](/concepts/guardrails) to
  gate sensitive answers behind identity checks.
* **Secrets show once.** API-key and webhook-signing secrets are returned a single time at
  creation. Store them in your secret manager.

## Data residency & retention

Recordings, transcripts, and the per-call audit trail are retained so analytics and receipts
work. Retention windows and regional hosting options depend on your plan — **contact us** to
configure a specific residency or retention requirement, or to request deletion of stored
conversation data.

## Sub-processors

Flowyte relies on third-party infrastructure to deliver the service. We describe them by
**category** rather than by name; the current named list is available under NDA on request.

| Category                       | Purpose                                                 |
| ------------------------------ | ------------------------------------------------------- |
| Cloud hosting & infrastructure | Compute, storage, and managed databases                 |
| Telephony carrier              | PSTN connectivity, phone numbers, call routing          |
| Speech & language models       | Real-time voice synthesis, transcription, and reasoning |
| Payment processing (Stripe)    | Checkout, wallet top-ups, invoices                      |
| Email & notification delivery  | Outbound notification skills                            |
| Product analytics              | Usage metrics and session replay in the dashboard       |

We review sub-processors before onboarding them and maintain a Data Processing Addendum (DPA),
available on request.

## Compliance posture

We aim to be precise here rather than aspirational:

* **SOC 2:** an audit is **in progress**. We do not yet hold a completed report — contact us for
  current status and to be notified when it is available.
* **GDPR / CCPA:** we support data-subject and deletion requests and provide a DPA on request.
* **A2P 10DLC:** SMS sending requires per-organization brand and campaign registration before
  messages are delivered (a regulatory requirement, not a Flowyte limitation).

If a compliance questionnaire or security review is part of your procurement, reach out and
we'll work through it with you.

## Reporting a vulnerability

If you believe you've found a security issue, email **[security@flowyte.com](mailto:security@flowyte.com)** with steps to
reproduce. Please do not publicly disclose the issue until we've had a chance to investigate and
respond. We welcome good-faith research and will not pursue action against researchers who act
responsibly and avoid privacy violations or service disruption.
