Trust & Security

Your data security is our top priority

At Flow Myna, trust and security are foundational to everything we build. We know you're entrusting us with your data, and we take that responsibility seriously.

Our Commitments

Transparency

You deserve to know where your data is stored and processed, and how it's secured.

Privacy-first approach

We encourage you to remove or anonymize any personally identifying information (PII) that is not required for process analysis. Where possible, we scrub or redact sensitive fields while preserving data needed for meaningful insights.

Minimal access

Only essential systems or personnel have access to data needed for operations, and all access is secured.

Continuous improvement

As we grow, we will evaluate and adopt recognized security frameworks, certifications, and controls.

Current Security Status

Flow Myna operates with production-grade data handling for all clients:

  • All customer data is stored in secure, EU-based infrastructure (currently hosted in Amsterdam, Netherlands)
  • Access is restricted through secure authentication and infrastructure-level permissions
  • All traffic is encrypted using TLS 1.2+
  • Databases are encrypted at rest
  • Security monitoring and operational safeguards are in place

Data Storage & Processing

We use trusted third-party providers to deliver our service. Each is vetted for security and compliance and processes only the minimum data necessary.

Application hosting, environment management, and database hosting (PostgreSQL)

Railway is SOC 2 certified and supports a GDPR Data Processing Addendum for EU users. All user data, including databases, is encrypted at rest.

AI-powered copilot, insights generation, and filter processing

Anthropic API powers AI-driven features in our platform. Anthropic does not use API data to train its models and maintains strict data handling policies.

AI-powered data mapping and script generation

OpenAI API powers our automated data mapping and transformation features. OpenAI does not use API data to train its models (with data retention disabled).

Object storage for user-uploaded files and datasets

AWS S3 encrypts data at rest (AES-256) and in transit (TLS). Bucket access is restricted via IAM policies with presigned URLs for secure uploads. EU region (eu-west-2) for GDPR compliance.

User authentication, identity management, and password storage

WorkOS is SOC 2 Type II certified and GDPR compliant. Handles secure password hashing, JWT token issuance, and SSO integrations.

Email delivery for invitations, notifications, and updates

Postmark delivers transactional and product update emails on our behalf. SOC 2 Type II certified and GDPR compliant with EU data processing options.

DNS, CDN, and web application firewall

Cloudflare provides DNS resolution, content delivery, DDoS protection, and security headers. SOC 2 Type II and ISO 27001 certified. GDPR compliant with EU data processing options.

Privacy-friendly website analytics

Plausible is a lightweight, cookie-free analytics tool. No personal data is collected, and all stats are aggregated. GDPR, CCPA, and PECR compliant by design. EU-owned and hosted.

Important Notes:

  • We send only the minimum data needed to each processor.
  • We do not store personal credentials or sensitive identifiers unencrypted.

Data Residency & Location

We understand that data residency is critical for compliance. All customer data is currently stored in the EU:

Core Data Storage

EU region: Amsterdam, Netherlands

Support for additional regions (US, APAC) can be provided as the platform scales and in response to customer data-residency requirements.

Supporting Services

Observability, AI processing, and other supporting services may operate globally. If strict data residency is required for all processing, please discuss this with us.

Have specific data residency requirements? Contact us to discuss your compliance needs.

What We Don't Do

  • We do not use third-party processors without careful evaluation.
  • We do not use your data for marketing, cross-customer aggregation, or model training.
  • We do not store backups outside secure, encrypted environments.

Future Plans & Certifications

As Flow Myna grows:

  • We plan to adopt standard security frameworks and pursue certifications (e.g. SOC 2, ISO 27001, ISO 27701).
  • We will continue expanding our transparency through regular security audits and compliance reporting.
  • We will continue improving our security practices as we grow and learn from industry best practices.

Legal Entity & Jurisdiction

Flow Myna Ltd is a company registered in the United Kingdom. Our data-handling practices follow the requirements of the UK GDPR and, where applicable, the EU GDPR.

Questions & Contact

If you have any questions about our security practices or need custom arrangements, please contact:

security@flowmyna.com