// Trust & Security Report
FlowiseAI Inc.
Open-source low-code AI agent builder: Flowise Cloud (SaaS), Flowise Open Source (self-hosted), and an Enterprise deployment option for building LLM workflows, multi-agent systems, and chatbots visually.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on flowiseai.com“Where the General Data Protection Regulation (GDPR) applies, we process your Personal Data under the following legal bases: Contractual necessity, Legitimate interests, Legal obligations, Consent. Where data is transferred outside your region, we implement safeguards such as Standard Contractual Clauses (SCCs).”
> Show 10 unconfirmed / not-held certifications
source: flowiseai.comNo public evidence on flowiseai.com domain. Workday (parent company, acquired August 2025) holds SOC 2 Type II but Flowise is not listed in Workday's compliance scope at compliance.workday.com as of June 2026. Third-party scanner Nudge Security lists SOC 2 for FlowiseAI, but this is an automated unverified claim with no vendor-domain corroboration.
source: workday.comNo public evidence on flowiseai.com domain. Workday (parent) holds ISO 27001 but Flowise is not named in Workday's certification scope page. No ISO certificate or registration number found on any flowiseai.com page.
source: workday.comunknown / no public evidence on vendor domain. Workday (parent) holds ISO 42001 but Flowise is not listed in scope.
source: flowiseai.comunknown / no public evidence on vendor domain. No HIPAA BAA or compliance statement found on flowiseai.com.
source: flowiseai.comunknown / no public evidence on vendor domain. Payment processing is handled by Stripe (Merchant of Record); FlowiseAI itself does not claim PCI scope.
source: workday.comunknown / no public evidence on vendor domain. Workday (parent) holds FedRAMP Moderate but Flowise is not listed in that scope.
source: workday.comunknown / no public evidence on vendor domain. Workday holds CSA STAR Self-Assessment and CSA Trusted Cloud Provider designation, but Flowise is not listed in scope.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
US East 1 (cloud); self-hosted data stays in operator's own infrastructure
The Terms of Service grant FlowiseAI a license to use User Content 'solely to operate and improve the Services' and state that 'FlowiseAI retains the right to use anonymized and aggregated usage data to improve the Platform.' The privacy policy similarly notes anonymized data may be retained indefinitely for product improvement. These clauses do not explicitly mention AI model training, but 'improve the Services' language is broad enough to encompass it. No explicit opt-out mechanism is stated. For self-hosted deployments, FlowiseAI collects no data at all.
// Security controls
Encryption in transit
Not explicitly stated on vendor domain; platform is served over HTTPS; documented use of JWT tokens in secure HTTP-only cookies
docs.flowiseai.comEncryption at rest
Credentials (e.g. API keys) encrypted via an encryption key; AWS Secret Manager recommended for production key management
docs.flowiseai.comAuthentication
JWT-based auth with bcrypt password hashing; SSO/SAML supported; Google and Microsoft login; Okta support; app-level and chatflow-level authorization
docs.flowiseai.comVulnerability disclosure
Active program via GitHub Security Advisory; 10 CVEs publicly disclosed as of May 2026, including critical RCE (CVE-2025-59528) and auth bypass (CVE-2025-58434). Critical issues patched within 30 business days.
github.comSelf-hosted data collection
None - FlowiseAI collects no metrics or data from self-hosted deployments
flowiseai.comRate limiting
Rate limit configuration available for cloud and on-premises deployments
docs.flowiseai.com// Products & data scope
data: User content, workflow configs, chat logs processed and stored by FlowiseAI in US East 1; usage analytics via PostHog; payment data via Stripe
Pricing tiers: Free ($0, 2 flows, 100 predictions/month), Starter ($35/mo, unlimited flows, 10k predictions), Pro ($65/mo, 50k predictions, multi-workspace, 5 users), Enterprise (custom). Terms incorporate Workday Online Terms of Service by reference.
data: No data collected by FlowiseAI; all data stays in operator's own infrastructure
npm install -g flowise; ideal for customers with strict data residency or compliance requirements. Operator is responsible for their own security controls.
data: Customer-negotiated; supports both cloud and on-premises deployment
Enterprise features include SSO, admin roles, permissions, priority support. Security certifications and DPA terms must be requested directly from FlowiseAI/Workday sales.
// What to watch
- WORKDAY PARENT CERT AMBIGUITY: Workday (parent, acquired August 2025) holds SOC 2 Type II, ISO 27001/27017/27018/27701, ISO 42001, HIPAA, FedRAMP Moderate, CSA STAR, and others - but Flowise is NOT explicitly listed in Workday's compliance scope at compliance.workday.com as of June 2026. Do not attribute Workday certifications to FlowiseAI without explicit in-scope confirmation from Workday.
- TEMPORAL CONTRADICTION IN ToS: The Terms of Service show an Effective Date of June 3, 2024 but already incorporate 'Workday Online Terms of Service by reference' - Workday did not acquire Flowise until August 14, 2025. The effective date appears stale (not updated post-acquisition), creating legal ambiguity about which version of the terms actually applies.
- ACTIVE CRITICAL CVEs: 10 security advisories disclosed as of May 2026, including CVE-2025-59528 (critical RCE via CustomMCP Node, actively exploited) and CVE-2025-58434 (auth bypass). Self-hosted users on unpatched versions face material risk.
- NO PUBLIC DPA: No Data Processing Agreement is publicly available on flowiseai.com. EU/GDPR-regulated customers must request a DPA directly; its existence and terms are unconfirmed.
- THIRD-PARTY OVERCLAIM RISK: Nudge Security's automated profile lists SOC 2, ISO 27001, HIPAA, FedRAMP, PCI, and CSA STAR for FlowiseAI with no corroborating vendor-domain evidence. These appear to be unverified automated claims and should not be relied upon.
- AMBIGUOUS AI TRAINING LANGUAGE: ToS grants license to use user content 'solely to operate and improve the Services' and to use 'anonymized and aggregated usage data to improve the Platform.' This language does not explicitly exclude AI model training on customer workflow data for cloud users.
// At a glance
Pricing model
Freemium SaaS with self-hosted open-source option; cloud tiers from $0 to $65/mo; Enterprise custom pricing
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on FlowiseAI Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
flowiseai.com