Data Sharing & Third Parties

Last Updated: November 15, 2024 | Version 2.4

1. Overview & Commitment to Transparency

At FlowCMS, we recognize that trust is built on transparency. This document outlines how we collect, process, share, and protect your data, as well as our relationships with third-party service providers. We are committed to maintaining the highest standards of data privacy, security, and regulatory compliance across all operations.

Key Principle: We never sell your personal data or customer content. Data is shared only when necessary to deliver, secure, or improve our services, or when explicitly authorized by you.

2. Data Collection & Processing

FlowCMS processes data to provide core CMS functionality, ensure platform reliability, and enhance user experience. Processing is conducted under strict legal bases including contract performance, legitimate interest, and explicit consent where required.

Types of Data Processed

  • Account & Authentication Data: Email, role, authentication tokens, and access logs.
  • Content & Metadata: Documents, media assets, content structures, and workflow states.
  • Usage & Telemetry: API request volumes, endpoint performance, error logs, and anonymized interaction patterns.
  • Billing & Support Data: Payment information (processed by PCI-compliant providers), support tickets, and communication records.

3. Third-Party Services & Integrations

We partner with vetted third-party providers to deliver infrastructure, analytics, support, and specialized features. All providers are bound by Data Processing Agreements (DPAs) and undergo regular security assessments.

Category | Provider(s) | Purpose | Data Shared
Cloud Infrastructure & CDN | AWS, Cloudflare, Vercel Edge | Hosting, caching, DDoS protection | Encrypted content, API logs
Analytics & Observability | Datadog, Sentry, Plausible | Performance monitoring, error tracking | Anonymized usage metrics, stack traces
AI & ML Processing | Internal models, vetted LLM APIs | Content tagging, SEO scoring, drafting | Opt-in content snippets (never stored)
Customer Support | Intercom, Zendesk | Ticket management, live assistance | Account info, support context
Payments & Billing | Stripe, Paddle | Transaction processing, invoicing | Billing address, payment tokens

You may opt out of non-essential integrations via your Workspace Settings → Integrations → Privacy Controls.

4. Categories of Data Sharing

Data sharing occurs under the following circumstances:

  • Service Delivery: With infrastructure and CDN providers to ensure uptime, speed, and reliability.
  • Customer Request: When you explicitly enable features like SSO, webhook endpoints, or third-party content delivery networks.
  • Legal & Regulatory: To comply with applicable laws, preserve rights, or respond to valid legal processes.
  • Business Transfers: In the event of merger, acquisition, or asset sale, with strict contractual privacy obligations enforced.

We do not share data with advertisers, data brokers, or unauthorized third parties under any circumstances.

5. Security & Data Protection Measures

Your data is protected through industry-leading technical and organizational controls:

  • End-to-end encryption in transit (TLS 1.3) and at rest (AES-256)
  • Zero-trust architecture with role-based access control (RBAC)
  • Regular penetration testing and SOC 2 Type II audits
  • Automated vulnerability scanning and incident response protocols
  • Immutable audit logs for all administrative and content actions

6. Compliance & Legal Framework

FlowCMS adheres to global data protection standards and maintains certifications to ensure compliance across jurisdictions:

✓ GDPR ✓ CCPA/CPRA ✓ SOC 2 Type II ✓ ISO 27001 ✓ HIPAA (Optional)

We provide Data Processing Addendums (DPAs), Standard Contractual Clauses (SCCs), and right-to-audit provisions for enterprise customers upon request.

7. Your Rights & Controls

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or export your personal data
  • Request deletion of account and associated content
  • Opt out of telemetry and analytics processing
  • Object to automated decision-making or AI processing
  • Lodge a complaint with a supervisory authority

All requests are processed within 30 days. Self-service controls are available in your dashboard under Account → Privacy & Data.

8. Policy Updates

We may update this document to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email, in-app notifications, or our status page. The "Last Updated" date at the top of this page will reflect the most recent revision.

9. Contact Our Data Protection Team

If you have questions about this policy, our data practices, or wish to exercise your rights, please contact us:

FlowCMS Privacy & Compliance Team
Email: dpo@flowcms.io
Mail: 100 Innovation Drive, Suite 400, San Francisco, CA 94105
Response Time: Within 5 business days