gpp_good Security & Compliance

CTO-Grade Security.
100% Self-Hosted.

Designed for zero-trust environments. The entire automation pipeline runs on your own Virtual Private Server (VPS) using Docker and n8n nodes, keeping credentials and payloads under your absolute command.

dns Self-Hosted Boundary memory Zero Data Retention shield India DPDP Compliant lock Client-Isolated Keys

Last updated: June 2026  ·  Security Desk: [email protected]

Deployment Architecture

Stateless Containerized VPS Pipeline

FlowAIsys operates as a self-hosted installation within your own Virtual Private Server (VPS) or Virtual Private Cloud (VPC), ensuring zero external data storage.

dns

100% Client-Owned VPS & n8n Setup

Complete Sovereignty

The system runs inside Docker containers on a VPS you rent, configure, and control. Workflows are driven locally via n8n integration points.

  • Zero Data Exposure: API keys, OAuth access tokens, database histories, and log outputs reside strictly inside your owned environment. We cannot access them.
  • Stateless Processing: Containers execute workflow requests ephemerally. Payload data does not persist on disk.
  • Rootless Containment: Docker executes with rootless system users and strictly defined network ports, preventing host privilege escalation.
api

Scoped OAuth 2.0 Credentials

Permission-First Security

The self-hosted agent connects to Google Workspace, Microsoft 365, and Slack using OAuth 2.0. We configure the system with read-only/draft-only credentials.

  • No destructive actions: The credentials cannot delete files, wipe emails, or modify system settings.
  • Token Storage: OAuth refresh tokens are encrypted on your VPS using AES-256 GCM with keys generated locally and held in your secure environment variables.

Sovereignty

Data Residency & Localization

Because FlowAIsys is deployed entirely on your own infrastructure, data residency compliance is solved natively. You choose exactly where your servers are located to satisfy regional laws.

location_on

India (DPDP Act 2023)

Your Pin Region: Deploy on AWS Mumbai (ap-south-1) or GCP Mumbai (asia-south1) VPS.

Under India's DPDP Act, FlowAIsys never becomes a Data Fiduciary — your data never leaves your server. You retain full controller status with no cross-border transfer risk. Penalties for breaches reach up to ₹250 crore; the self-hosted model removes this exposure entirely.

location_on

EU & UK (GDPR)

Your Pin Region: Deploy on AWS Frankfurt or GCP Dublin VPS.

Guarantees all personal data remains strictly within the European Economic Area (EEA), avoiding complex cross-border transfer challenges under GDPR.

location_on

United States (CCPA/CPRA)

Your Pin Region: Deploy on VPS in US-East (N. Virginia).

Restricts processing boundaries and logs to regional US nodes, facilitating compliance with CCPA and state-level security frameworks.

location_on

Canada (PIPEDA)

Your Pin Region: Deploy on VPS in Canada-Central (Toronto).

Helps you manage data storage in alignment with PIPEDA's 10 Fair Information Principles inside Canadian borders.

Client-Isolated Envelope Encryption

Because the software runs on your server, you generate and hold your own encryption master keys. All local state values are encrypted using AES-256 GCM with Key Management Service (KMS) master keys managed by your own cloud infrastructure (AWS KMS, GCP KMS, or local Vault). We never have access to the keys or the ciphertexts.

Data Processing Pipeline

Zero Data Retention (ZDR) Memory Pipeline

The self-hosted container processes data ephemerally. Raw email payloads and calendar details are processed strictly in RAM and are immediately wiped from memory.

1

Local Webhook Execution

An email/calendar event triggers n8n, forwarding the encrypted payload to the Docker container over your internal network.

2

Volatile Processing (RAM)

The payload is decrypted and processed strictly in RAM inside the isolated container. System logs capture only metadata, never raw message bodies.

3

Draft Proposal Output

The LLM drafts a proposed reply, which is sent directly to your local approval database. The raw source message payload is immediately overwritten in RAM.

4

RAM Purge & Garbage Collection

Active memory is garbage-collected. Zero trace of operational email data remains on disk. Only transaction counts (tokens, execution status) are stored for billing audits.

lock_open Zero AI Model Training Guarantee

We utilize API integrations with LLM providers (Google, OpenAI, and Anthropic) under commercial terms where model training on API payloads is contractually disabled. Client email texts, scheduling instructions, and operational histories are never saved or used to train public models.

Incident Response

Incident Management & DPBI Reporting

Because the system is self-hosted, your security operations center (SOC) maintains full logs. We provide automated monitoring hooks to alert you of system anomalies.

notification_important

Compliance Auditing Hooks

The system writes detailed execution logs to stdout, which you can direct straight to your local SIEM (Datadog, Splunk, Elasticsearch) to monitor for unauthorized access, webhook failures, or unusual API calls.

receipt_long

Breach Support Utilities

To comply with Section 15 of India's DPDP Act, companies must notify the DPBI and affected users immediately of any breach. Because the system runs on your own infrastructure, your security team retains full access to container execution logs to investigate and report incidents.

Auditing

Security Standards & Audits

We map our software development lifecycle and code updates to enterprise-grade compliance standards.

checklist_rtl

SOC 2 Type II Alignment

Our development processes, container configurations, source control audits, and vulnerability scanning procedures are designed in alignment with SOC 2 Type II Security and Confidentiality principles. Formal certification is on our roadmap — reach out if your procurement team requires our current controls documentation.

security

Vulnerability Scanning

All Docker images are scanned automatically for CVEs in our CI/CD pipeline prior to release. We perform regular white-box code penetration audits to identify API security weaknesses.

lock_person

Vulnerability Disclosure Program

We commit to resolving code-level vulnerabilities quickly. Send disclosures to our security desk at [email protected] (24-hour triage SLA).

admin_panel_settings

Review our architecture with our engineering team

We are happy to jump on a technical call to walk your security and IT procurement teams through our Docker, n8n, or VPS setup configurations.