Security & Trust
Your data, your perimeter, your rules.
FlowMaster runs Business-as-Code inside your boundary, on your infrastructure, against the systems you already operate. The posture below describes what the platform does, not certifications we claim.
Posture
#01 Customer boundary
Each customer deployment is scoped by agreed hosting pattern, region and tenant boundary; the deployment model is confirmed during architecture review.

#02 Identity
FlowMaster uses the customer’s identity provider and role model; roles and permissions are resolved from approved HR and identity sources before a step can run.

#03 Provider choice
Provider choice belongs to the customer. Hosted and self-hosted options can be configured according to customer architecture and data-boundary decisions.

#04 Governance & evidence
Before an action updates a system, sends a notification or advances a case, the runtime governance layer checks the actor, process state, data state and rule version. If the action is not permitted, it stops or routes to the named reviewer.

#05 AI and automation controls
Approved agents and automations can act only through configured tools. Before any write-back, FlowMaster checks the actor, process state, mapped data, rule version and permitted action.

Technical architecture & integrity
FlowMaster is built from the ground up for high-integrity, sandboxed enterprise environments. The technical foundation enforces segregation, safety, and strict compliance by construction.
#01 Infrastructure & Isolation
Built as a modular set of microservices and micro-frontends running on load-balanced Kubernetes clusters with isolated namespaces.

#02 Data Store (ArangoDB)
Utilizes an enterprise-grade multi-modal graph database (ArangoDB) supporting structured nodes, vector embeddings, and secure blob storage.

#03 CI/CD for Operations
Full operational branching, staging, and version control—essentially git for business operations. Definitions are promoted, tested, and rolled back across staging and production environments cleanly.

#04 SSO & Protocol Integration
Governed through enterprise SSO (Microsoft and Google identity providers). Connects via native MCP (Model Context Protocol), A2A, and Web-MCP orchestration protocols with fine-grained role-based access control.

A note on certifications
We describe the platform’s security posture in terms of capabilities: self-hosted in your perimeter, your data in your region, your identity provider, your access policies. We do not claim certifications we have not earned. When a procurement team asks for specifics tied to a particular framework, we answer them directly against the architecture.
Security questions for procurement or legal? Send the review context and we will answer against the architecture.