Last updated: October 2025

Trust & Security

At Flow Myna, trust and security are foundational to everything we build. We know you're entrusting us with your data, and we take that responsibility seriously.

Below is how we protect your data, who handles it, and where it is processed.

Our Commitments

Transparency

You deserve to know where your data is stored and processed, and how it's secured.

Privacy-first approach

We encourage you to remove or anonymize any personally identifiable information (PII) before upload. Where possible, we scrub or redact sensitive fields.

Minimal access

Only essential systems or personnel have access to data needed for operations, and all access is secured.

Continuous improvement

As we grow, we will evaluate and adopt recognized security frameworks, certifications, and controls.

Current Pilot Phase

This pilot approach is temporary while we finalize our production environment. When our public launch happens, data handling will follow our permanent operating model, described below.

During our pilot phase, Flow Myna operates with production-grade data handling for a small number of participating clients.

  • All data is stored in secure, region-based environments (e.g. EU or US)
  • The platform is not yet accessible to clients directly - only authorized Flow Myna personnel have access
  • Access is restricted through secure authentication and infrastructure permissions
  • We will introduce formal audit and monitoring processes before public release

Data Storage & Processing

We use a small number of trusted third-party providers to deliver our service. These vendors handle infrastructure, observability, and AI-powered functionality. Each is vetted for security and compliance and processes only the minimum data necessary.

Below is a summary of the third-party services (data processors) we use, what they do, and key notes about their security practices.

Application hosting, environment management, and database hosting (PostgreSQL)

Railway is SOC 2 certified and supports a GDPR Data Processing Addendum for EU users. All user data, including databases, is encrypted at rest, with additional encryption layers for service variables that are decrypted only when necessary.

AI-based text processing

The OpenAI API powers AI-driven features in our platform. OpenAI does not use API data for training its models and retains data for up to 30 days for abuse monitoring only.

AI agent tracing and observability

Logfire is used specifically for monitoring and debugging AI agent workflows and processes. It applies data minimization practices and automated scanning for vulnerabilities, and is GDPR compliant with lawful bases for processing.

API performance monitoring and distributed tracing

Honeycomb is used for monitoring API calls, request tracing, and application performance diagnostics. It undergoes SOC 2 audits and supports region-based data residency for compliance requirements.

Object storage for user-uploaded files and datasets

Cloudflare R2 encrypts data at rest and in transit. It supports an S3-compatible API with presigned URLs for secure access, and GDPR-compliant data residency options are available.

User authentication, identity management, and password storage

WorkOS is SOC 2 Type II certified and GDPR compliant. It handles secure password hashing, JWT issuance, and SSO integrations, provides audit logs, and supports enterprise security requirements.

Important Notes:

  • We send only the minimum data needed to each processor.
  • We do not store personal credentials or sensitive identifiers unencrypted.

Data Residency & Location

We understand that data residency is critical for compliance. Our approach prioritizes keeping your core data in the right region while using trusted global services for supporting functions.

Core Data Storage

Your business data is stored in Railway's database infrastructure, which we can deploy in your required region:

  • US regions: California, Virginia
  • EU region: Amsterdam, Netherlands
  • Asia-Pacific: Singapore

Supporting Services

Observability, AI processing, and other supporting services may operate globally and could process the same data as part of their functionality. If strict data residency is required for all processing, please discuss this with us to understand any limitations.

Need specific data residency? Let us know your requirements (e.g. "data must stay in the EU") and we'll deploy our database infrastructure in the appropriate region.

What We Don't Do

  • We do not use third-party processors without careful evaluation.
  • We do not use your data for marketing, cross-customer aggregation, or model training (unless explicitly permitted by you and anonymized).
  • We do not store backups outside secure, encrypted environments.

Future Plans & Certifications

As Flow Myna grows:

  • We plan to adopt standard security frameworks and pursue certifications (e.g. SOC 2, ISO 27001, ISO 27701, GDPR audits).
  • We will continue expanding our transparency through regular security audits and compliance reporting.
  • We will continue improving our security practices as we grow and learn from industry best practices.

Legal Entity & Jurisdiction

Flow Myna Ltd is a company registered in the United Kingdom. Our data-handling practices follow the requirements of the UK GDPR and, where applicable, the EU GDPR.

Privacy Policy

Our full Privacy Policy, detailing how we collect and process client information, will be published before the platform becomes generally available. In the meantime, this page outlines our current data-handling and processor relationships.

Questions & Contact

If you have any questions, want more details about any service, or need a custom data residency arrangement, please contact:

security@flowmyna.com

© 2025 Flow Myna