Trust at AgentFlow

Your contracts are never used to train AI.

We built AgentFlow assuming our customers read their privacy policies — and act on what they find. Here's the full picture of how we handle your data, what regulations we cover, and the integrations you can plug in safely.

Encrypted end-to-end

Documents are encrypted in transit (TLS 1.2+) and at rest. OAuth refresh tokens for Google Drive and Slack are Fernet-encrypted with per-user keys — even a database breach can't replay them.
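The per-user wrapping described above, as an added example (not AgentFlow's code): each user's Fernet key is derived with HKDF from a master key that is assumed to live outside the database (a KMS or secret manager), so a dump of the token table alone is ciphertext with no key beside it, and a blob sealed for one user fails authentication under any other user's key. The derivation scheme, the `info` label and the master-key handling are assumptions, not something the page states.

```python
"""Per-user OAuth token wrapping with Fernet (added example, not AgentFlow's own code).

Assumed (not on the page): per-user keys are derived via HKDF from a master key
held outside the database, so stored ciphertext is useless on its own.
Requires the `cryptography` package.
"""
import base64
import os

from cryptography.fernet import Fernet, InvalidToken, MultiFernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF


def derive_user_key(master_key: bytes, user_id: str) -> bytes:
    """Derive a 32-byte Fernet key bound to one user id (assumed scheme)."""
    hkdf = HKDF(
        algorithm=hashes.SHA256(),
        length=32,
        salt=None,
        # Domain-separation label is a constructed value, not AgentFlow's.
        info=b"oauth-token-wrap/" + user_id.encode("utf-8"),
    )
    return base64.urlsafe_b64encode(hkdf.derive(master_key))


def seal_token(master_key: bytes, user_id: str, refresh_token: str) -> bytes:
    """Encrypt a refresh token for storage; only this ciphertext goes into the DB row."""
    return Fernet(derive_user_key(master_key, user_id)).encrypt(refresh_token.encode("utf-8"))


def open_token(master_key: bytes, user_id: str, sealed: bytes) -> str:
    """Decrypt at use time; raises InvalidToken for the wrong user key or a tampered blob."""
    return Fernet(derive_user_key(master_key, user_id)).decrypt(sealed).decode("utf-8")


def replayable_by_other_user(master_key: bytes, owner: str, other_user: str, sealed: bytes) -> bool:
    """True only if a blob sealed for `owner` also opens under `other_user`'s key.

    With per-user keys this is False, which is the containment property the page claims.
    """
    try:
        open_token(master_key, other_user, sealed)
    except InvalidToken:
        return False
    return True


def rotate_master(old_master: bytes, new_master: bytes, user_id: str, sealed: bytes) -> bytes:
    """Re-wrap one user's blob under a new master key; old-key ciphertexts stop opening."""
    mf = MultiFernet([
        Fernet(derive_user_key(new_master, user_id)),  # first key encrypts
        Fernet(derive_user_key(old_master, user_id)),  # remaining keys only decrypt
    ])
    return mf.rotate(sealed)


if __name__ == "__main__":
    master = os.urandom(32)  # in production: fetched from a KMS, never stored beside the tokens
    blob = seal_token(master, "user-a", "constructed-refresh-token")
    print("stored ciphertext prefix:", blob[:24])
    print("another user can replay it:", replayable_by_other_user(master, "user-a", "user-b", blob))
```

The check worth keeping in a test suite is `replayable_by_other_user(...) == False`: it fails the moment someone "simplifies" the code to a single shared key, which is exactly the regression that turns a database leak into usable tokens.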

Never used for training

Your data is sandboxed to your workspace. No third-party model provider sees a single byte without your explicit instruction. Sub-processors handle inference only, not retention.

Abuse-resistant

Public APIs are rate-limited per IP address (5/hr, 20/day) and per email address (10/day). Workspace-level cost alerts flag anomalous usage. Per-user Fernet keys ensure token compromise stays contained.
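A sliding-window limiter that enforces the three limits quoted above, as an added example (not AgentFlow's code): every request is checked against each rule before any counter is incremented, so a denied request never consumes quota, and the email dimension is normalised to lower case so case variants of one address share a bucket. The rule names, the in-memory store and the lower-casing are assumptions; a production deployment would back the buckets with a shared store such as Redis.

```python
"""Per-IP and per-email sliding-window rate limits (added example, not AgentFlow's code).

Limits mirror the page (5/hr and 20/day per IP, 10/day per email); everything
else here, including the rule names and the in-memory store, is assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    key: str      # "ip" or "email": which request attribute this rule buckets on
    limit: int    # max requests per window
    window: int   # window length in seconds


RULES = (
    Rule("ip-hourly", "ip", 5, 3600),
    Rule("ip-daily", "ip", 20, 86400),
    Rule("email-daily", "email", 10, 86400),
)


class RateLimiter:
    """Sliding-window limiter: one timestamp deque per (rule, key value)."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self._hits = defaultdict(deque)

    def check(self, ip: str, email: str, now: float) -> Tuple[bool, Optional[str]]:
        """Return (allowed, violated_rule_name). Counts the request only when allowed."""
        buckets = []
        for rule in self.rules:
            value = ip if rule.key == "ip" else email.strip().lower()
            q = self._hits[(rule.name, value)]
            # Drop timestamps that have slid out of this rule's window.
            while q and now - q[0] >= rule.window:
                q.popleft()
            if len(q) >= rule.limit:
                return False, rule.name   # deny before recording anything
            buckets.append(q)
        for q in buckets:
            q.append(now)                 # all rules passed: record the hit once per rule
        return True, None


if __name__ == "__main__":
    # Constructed traffic: one IP hammering the endpoint within a minute.
    rl = RateLimiter()
    for t in range(7):
        print(t, rl.check("203.0.113.7", "a@example.com", 1000 + t))
```

The two dimensions cover different failure modes: the per-IP rules stop a single source from looping, while the per-email rule keeps one target address from being flooded from many sources. The daily IP bucket keeps counting after the hourly one has cleared, which the test below exercises.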

Regulations we cite

  • GDPR + CCPA + HIPAA — Global baseline for data privacy
  • SOC 2 + PCI-DSS — Vendor security & cardholder data
  • FTC consumer protection — US fair-dealing rules
  • LOPDGDD + RGPD (Spain) — Spanish data protection
  • LGPD (Brazil/Portugal) — Brazilian/Portuguese privacy
  • CNIL + RGPD (France) — French data authority guidance
  • DSGVO (Germany) — German implementation of GDPR

Custom frameworks (industry-specific or regional) available on Business plan by request.

Languages supported natively

  • English (EN)
  • Spanish (ES)
  • Portuguese (PT)
  • French (FR)
  • German (DE)

We auto-detect a contract's language and cite the right legal framework for that jurisdiction. One-click translation between the native and English report views on every scan.

Integrations & data flow

  • Google Drive
    Scope: Read-only via official Picker; we only see files you explicitly select
    Token security: Fernet-encrypted per-user refresh token; revokable from Settings
    Status: Live
  • Slack
    Scope: Write-only to channel of your choice (critical/high-risk alerts)
    Token security: Fernet-encrypted per-user access token; one-click disconnect
    Status: Live
  • Resend (email)
    Scope: Outbound transactional + weekly digests
    Token security: Server-side API key; granular per-channel opt-out
    Status: Live
  • Claude 4.5 Sonnet (Emergent LLM)
    Scope: Inference on uploaded documents
    Token security: Provider-managed; no document retention, no training use
    Status: Live

Sub-processors

  • Anthropic (Claude)
    LLM inference on scanned documents
    US
  • Emergent
    Application hosting, JWT auth, MongoDB
    US/EU
  • Resend
    Outbound transactional email
    US/EU
  • Google
    Drive import (opt-in only)
    US/EU
  • Slack
    Channel alerting (opt-in only)
    US

We notify customers in writing 30 days before adding a new sub-processor that materially changes data flow.

Got a security questionnaire?

We've answered most of them. Drop us a note and we'll send a completed SIG/CAIQ within 1 business day.

Last updated: February 2026. Full Privacy Policy at /privacy.