// Trust & Security Report

    FlowiseAI Inc. logo

    FlowiseAI Inc.

    Open-source low-code AI agent builder: Flowise Cloud (SaaS), Flowise Open Source (self-hosted), and an Enterprise deployment option for building LLM workflows, multi-agent systems, and chatbots visually.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    Where the General Data Protection Regulation (GDPR) applies, we process your Personal Data under the following legal bases: Contractual necessity, Legitimate interests, Legal obligations, Consent. Where data is transferred outside your region, we implement safeguards such as Standard Contractual Clauses (SCCs).

    Verify on flowiseai.com
    > Show 10 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence on flowiseai.com domain. Workday (parent company, acquired August 2025) holds SOC 2 Type II but Flowise is not listed in Workday's compliance scope at compliance.workday.com as of June 2026. Third-party scanner Nudge Security lists SOC 2 for FlowiseAI, but this is an automated unverified claim with no vendor-domain corroboration.

    source: flowiseai.com
    ISO 27001
    NOT CONFIRMED

    No public evidence on flowiseai.com domain. Workday (parent) holds ISO 27001 but Flowise is not named in Workday's certification scope page. No ISO certificate or registration number found on any flowiseai.com page.

    source: workday.com
    ISO 27017
    NOT CONFIRMED

    unknown / no public evidence on vendor domain

    source: flowiseai.com
    ISO 27018
    NOT CONFIRMED

    unknown / no public evidence on vendor domain

    source: flowiseai.com
    ISO 27701
    NOT CONFIRMED

    unknown / no public evidence on vendor domain

    source: flowiseai.com
    ISO 42001 (AI Management)
    NOT CONFIRMED

    unknown / no public evidence on vendor domain. Workday (parent) holds ISO 42001 but Flowise is not listed in scope.

    source: workday.com
    HIPAA
    NOT CONFIRMED

    unknown / no public evidence on vendor domain. No HIPAA BAA or compliance statement found on flowiseai.com.

    source: flowiseai.com
    PCI DSS
    NOT CONFIRMED

    unknown / no public evidence on vendor domain. Payment processing is handled by Stripe (Merchant of Record); FlowiseAI itself does not claim PCI scope.

    source: flowiseai.com
    FedRAMP
    NOT CONFIRMED

    unknown / no public evidence on vendor domain. Workday (parent) holds FedRAMP Moderate but Flowise is not listed in that scope.

    source: workday.com
    CSA STAR
    NOT CONFIRMED

    unknown / no public evidence on vendor domain. Workday holds CSA STAR Self-Assessment and CSA Trusted Cloud Provider designation, but Flowise is not listed in scope.

    source: workday.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    US East 1 (cloud); self-hosted data stays in operator's own infrastructure

    The Terms of Service grant FlowiseAI a license to use User Content 'solely to operate and improve the Services' and state that 'FlowiseAI retains the right to use anonymized and aggregated usage data to improve the Platform.' The privacy policy similarly notes anonymized data may be retained indefinitely for product improvement. These clauses do not explicitly mention AI model training, but 'improve the Services' language is broad enough to encompass it. No explicit opt-out mechanism is stated. For self-hosted deployments, FlowiseAI collects no data at all.

    // Security controls

    Encryption in transit

    Not explicitly stated on vendor domain; platform is served over HTTPS; documented use of JWT tokens in secure HTTP-only cookies

    docs.flowiseai.com

    Encryption at rest

    Credentials (e.g. API keys) encrypted via an encryption key; AWS Secret Manager recommended for production key management

    docs.flowiseai.com

    Authentication

    JWT-based auth with bcrypt password hashing; SSO/SAML supported; Google and Microsoft login; Okta support; app-level and chatflow-level authorization

    docs.flowiseai.com

    Vulnerability disclosure

    Active program via GitHub Security Advisory; 10 CVEs publicly disclosed as of May 2026, including critical RCE (CVE-2025-59528) and auth bypass (CVE-2025-58434). Critical issues patched within 30 business days.

    github.com

    Data storage (cloud)

    US East 1 region

    flowiseai.com

    Self-hosted data collection

    None - FlowiseAI collects no metrics or data from self-hosted deployments

    flowiseai.com

    Rate limiting

    Rate limit configuration available for cloud and on-premises deployments

    docs.flowiseai.com

    Path traversal protection

    PATH_TRAVERSAL_SAFETY feature enabled by default

    docs.flowiseai.com

    // Products & data scope

    Flowise CloudSaaS managed platform

    data: User content, workflow configs, chat logs processed and stored by FlowiseAI in US East 1; usage analytics via PostHog; payment data via Stripe

    Pricing tiers: Free ($0, 2 flows, 100 predictions/month), Starter ($35/mo, unlimited flows, 10k predictions), Pro ($65/mo, 50k predictions, multi-workspace, 5 users), Enterprise (custom). Terms incorporate Workday Online Terms of Service by reference.

    Flowise Open Source / Self-HostedSelf-hosted software (Apache 2.0 / open source)

    data: No data collected by FlowiseAI; all data stays in operator's own infrastructure

    npm install -g flowise; ideal for customers with strict data residency or compliance requirements. Operator is responsible for their own security controls.

    Flowise EnterpriseEnterprise deployment (cloud or on-premises)

    data: Customer-negotiated; supports both cloud and on-premises deployment

    Enterprise features include SSO, admin roles, permissions, priority support. Security certifications and DPA terms must be requested directly from FlowiseAI/Workday sales.

    // What to watch

    • WORKDAY PARENT CERT AMBIGUITY: Workday (parent, acquired August 2025) holds SOC 2 Type II, ISO 27001/27017/27018/27701, ISO 42001, HIPAA, FedRAMP Moderate, CSA STAR, and others - but Flowise is NOT explicitly listed in Workday's compliance scope at compliance.workday.com as of June 2026. Do not attribute Workday certifications to FlowiseAI without explicit in-scope confirmation from Workday.
    • TEMPORAL CONTRADICTION IN ToS: The Terms of Service show an Effective Date of June 3, 2024 but already incorporate 'Workday Online Terms of Service by reference' - Workday did not acquire Flowise until August 14, 2025. The effective date appears stale (not updated post-acquisition), creating legal ambiguity about which version of the terms actually applies.
    • ACTIVE CRITICAL CVEs: 10 security advisories disclosed as of May 2026, including CVE-2025-59528 (critical RCE via CustomMCP Node, actively exploited) and CVE-2025-58434 (auth bypass). Self-hosted users on unpatched versions face material risk.
    • NO PUBLIC DPA: No Data Processing Agreement is publicly available on flowiseai.com. EU/GDPR-regulated customers must request a DPA directly; its existence and terms are unconfirmed.
    • THIRD-PARTY OVERCLAIM RISK: Nudge Security's automated profile lists SOC 2, ISO 27001, HIPAA, FedRAMP, PCI, and CSA STAR for FlowiseAI with no corroborating vendor-domain evidence. These appear to be unverified automated claims and should not be relied upon.
    • AMBIGUOUS AI TRAINING LANGUAGE: ToS grants license to use user content 'solely to operate and improve the Services' and to use 'anonymized and aggregated usage data to improve the Platform.' This language does not explicitly exclude AI model training on customer workflow data for cloud users.

    // At a glance

    Pricing model

    Freemium SaaS with self-hosted open-source option; cloud tiers from $0 to $65/mo; Enterprise custom pricing

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on FlowiseAI Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    flowiseai.com

    > Browse all vendor trust reports