Storm2Flow holds your process knowledge: descriptions, uploads, voice notes, and the diagrams built from them. Here is exactly where that data lives, who can reach it, and what we do (and do not do) with it.
Every part of Storm2Flow runs on AWS in the EU (Frankfurt, eu-central-1): hosting, authentication, storage, email, speech-to-text, and AI. Your content is not copied outside the EU to be processed.
The AI itself runs on Amazon Bedrock through cross-region inference profiles that route only within EU regions. Your descriptions, files, images, and voice transcripts are never sent to Anthropic's, OpenAI's, or any other provider's own (non-EU) API. Because AWS is the only processor involved, EU organisations can use Storm2Flow under GDPR / DSGVO without negotiating a separate data-processing agreement per AI vendor.
Per the AWS Bedrock terms, the text and images you send and the diagrams we generate are not used to train any model and are not shared with the underlying model providers. Your process knowledge stays yours.
Data is encrypted in transit (TLS, served over HTTPS) and at rest in AWS storage (S3, DynamoDB).
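Encryption in transit is only as good as the policy that refuses plain-HTTP requests: S3 will happily serve an object over HTTP to a caller with valid credentials unless the bucket policy says otherwise. The following added example (not Storm2Flow's own code; the bucket ARN, the role ARN and both policies are constructed for illustration) shows a bucket policy that merely grants access beside one that also denies non-TLS and pre-1.2 TLS requests, and a small checker that reports which of those controls a policy is missing.

```python
"""Check that an S3 bucket policy forces TLS on every request.

Added illustration, not Storm2Flow's own code. The bucket ARN, the role ARN
and both policies below are constructed for the example.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-process-uploads"  # hypothetical bucket

# Weak: grants the app role access but says nothing about transport, so a
# plain-HTTP request carrying valid credentials is still accepted by S3.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppAccess",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"{BUCKET_ARN}/*",
        }
    ],
}

# Hardened: an explicit Deny overrides every Allow. The two conditions live in
# separate statements on purpose: conditions inside one statement are ANDed,
# and a plain-HTTP request carries no s3:TlsVersion at all, so a combined
# statement would match neither case.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyOldTls",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
            "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_blanket_deny(statement, bucket_arn):
    """True for a Deny that hits every principal and every S3 action on the
    bucket itself and on its objects. A Deny that names only one of the two
    resources leaves a gap (for example ListBucket over HTTP)."""
    if statement.get("Effect") != "Deny":
        return False
    if statement.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    actions = set(_as_list(statement.get("Action", [])))
    if not actions & {"*", "s3:*"}:
        return False
    resources = set(_as_list(statement.get("Resource", [])))
    return "*" in resources or {bucket_arn, f"{bucket_arn}/*"} <= resources


def tls_gaps(policy, bucket_arn):
    """Return the transport controls the policy is missing (empty = good)."""
    secure_transport = min_tls12 = False
    for st in policy.get("Statement", []):
        if not _is_blanket_deny(st, bucket_arn):
            continue
        cond = st.get("Condition", {})
        if len(cond) != 1:  # ANDed conditions never fire for plain HTTP, see above
            continue
        if cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            secure_transport = True
        version = cond.get("NumericLessThan", {}).get("s3:TlsVersion")
        if version is not None and float(version) >= 1.2:
            min_tls12 = True
    gaps = []
    if not secure_transport:
        gaps.append("no Deny on aws:SecureTransport=false: plain HTTP is accepted")
    if not min_tls12:
        gaps.append("no Deny on s3:TlsVersion<1.2: TLS 1.0/1.1 are accepted")
    return gaps


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, tls_gaps(policy, BUCKET_ARN) or "ok")
    print(json.dumps(HARDENED_POLICY, indent=2))
```

The checker is deliberately strict about shape: it only credits a Deny that covers both the bucket ARN and its `/*` objects with a single condition block, because the two common ways of getting this wrong are forgetting one of the resources and merging both conditions into one statement.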
Accounts belong to an organisation determined by your email domain. Diagrams and share links are scoped to your organisation; people outside it cannot reach your work.
Sign-in runs on Amazon Cognito with role-based access (platform admin, organisation admin, member). Shared diagrams still require an authenticated, same-organisation viewer; a share link by itself grants nothing.
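The two rules above (organisation derived from the email domain, share links usable only by a signed-in member of the same organisation) come down to one authorisation decision. The following added example, not Storm2Flow's own code, shows that decision on already-verified Amazon Cognito ID-token claims; it assumes signature, expiry, issuer and audience were checked first and deliberately leaves that step out. The group names, the Diagram record, the sample claims and the role semantics in can_manage_org are hypothetical.

```python
"""Authorisation on a Storm2Flow-style share link: same organisation, signed in.

Added illustration, not Storm2Flow's own code. It assumes the Amazon Cognito
ID token has already been verified (signature, expiry, issuer, audience) and
shows only the decision taken on the resulting claims. The group names, the
Diagram record, the sample claims and the can_manage_org semantics are
hypothetical.
"""
from dataclasses import dataclass

# Hypothetical Cognito group names for the three roles the page lists.
PLATFORM_ADMIN, ORG_ADMIN, MEMBER = "platform_admin", "org_admin", "member"


@dataclass(frozen=True)
class Diagram:
    diagram_id: str
    org: str             # organisation key the diagram belongs to
    share_enabled: bool  # a share link exists for it


def org_from_email(email: str) -> str:
    """Organisation key = the domain of the sign-in address, normalised.

    Lower-cased and stripped of a trailing dot so Alice@ACME.example and
    bob@acme.example land in the same organisation; the local part plays
    no role in the decision.
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a usable email address: {email!r}")
    return domain.lower().rstrip(".")


def principal(claims: dict) -> tuple:
    """(subject, organisation, roles) from verified ID-token claims.

    token_use, email, email_verified, sub and cognito:groups are the
    standard Cognito claim names.
    """
    if claims.get("token_use") != "id":
        raise PermissionError("expected an ID token, not an access token")
    if claims.get("email_verified") is not True:
        # An unverified address must not decide organisation membership:
        # anyone can type someone else's domain at sign-up.
        raise PermissionError("email address not verified")
    roles = set(claims.get("cognito:groups", [])) & {PLATFORM_ADMIN, ORG_ADMIN, MEMBER}
    return claims["sub"], org_from_email(claims["email"]), roles


def can_view(claims: dict, diagram: Diagram) -> bool:
    """The share link by itself grants nothing: the viewer must be signed in
    and belong to the diagram's organisation."""
    try:
        _, org, _ = principal(claims)
    except (KeyError, ValueError, PermissionError):
        return False
    return diagram.share_enabled and org == diagram.org


def can_manage_org(claims: dict, org: str) -> bool:
    """Assumed role semantics: organisation admins manage their own
    organisation, platform admins any organisation, members none."""
    try:
        _, my_org, roles = principal(claims)
    except (KeyError, ValueError, PermissionError):
        return False
    return PLATFORM_ADMIN in roles or (ORG_ADMIN in roles and my_org == org)


# Constructed sample claims in the shape Cognito puts in an ID token.
ALICE = {"sub": "a1", "token_use": "id", "email": "Alice@ACME.example",
         "email_verified": True, "cognito:groups": [ORG_ADMIN]}
MALLORY = {"sub": "m1", "token_use": "id", "email": "mallory@other.example",
           "email_verified": True, "cognito:groups": [MEMBER]}
DIAGRAM = Diagram("d1", "acme.example", share_enabled=True)

if __name__ == "__main__":
    print("alice can view:", can_view(ALICE, DIAGRAM))      # True
    print("mallory can view:", can_view(MALLORY, DIAGRAM))  # False
```

Two details carry the security weight: the decision is made on the ID token (an access token has no email claim to derive the organisation from), and an unverified email_verified claim is treated as no organisation at all, so a sign-up with a made-up address on someone else's domain cannot see that domain's diagrams.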
No advertising cookies and no cross-site tracking. Analytics is cookie-free (Plausible, EU-hosted). You hold the full set of GDPR rights, including data export and deletion.
The AWS account is watched by always-on AWS-native security services: GuardDuty for threat detection, AWS Config for configuration-drift tracking, Security Hub checks against the CIS AWS Foundations Benchmark and the AWS Foundational Security Best Practices standard, a CloudTrail audit log with log-file validation so that any alteration is detectable, and IAM Access Analyzer for unintended external access to resources. Misconfigurations and suspicious activity surface as findings that we review.
An AWS WAF at the edge (rate limiting plus a bot challenge on public surfaces) is staged for our public "try it" launch and rolls out with it.
We are planning an independent penetration test and are working toward recognised attestations and certifications (SOC 2, ISO 27001). We will publish the results here as they land.
For data-processing questions, a DPA, or to report a vulnerability, contact us at security@struct2flow.com. Full detail on data we collect, retention, and your rights lives in the privacy policy.