1,000+ engineers design R1 & R2 vehicles on Flow at

Sequoia

Security built for compliance-driven industries

Flow is built for defense, aerospace, energy and other industries with strict compliance needs.

Built for Regulated Engineering

Flow is built for defense, aerospace, energy, and other industries with strict compliance needs. It can be configured for ITAR and export control, with support for data residency and sovereignty. You can deploy it as cloud SaaS, in GovCloud, or in a self-hosted environment. It enables secure collaboration across mechanical, electrical, and software teams.

ITAR and CUI compliant

Flow meets the certifications and frameworks modern hardware teams rely on. ITAR and EAR alignment. NIST 800-171 and CUI support. SOC 2 Type II. ISO 27001. GDPR and CCPA compliance.

ITAR
GDPR compliant
SOC2 compliant

Private and Secure AI by Design

Flow keeps your data inside your environment. All AI processing runs within controlled boundaries that protect your proprietary IP and meet strict security needs. You get clear visibility into suggestions and accepted changes, plus a full audit trail for every AI action. All AI runs with private inference, and no data is ever used for model training.

Enterprise-grade security

Security & Compliance

Enterprise grade encryption

Decryption keys are kept in NIST FIPS 140-2 validated hardware security modules. Data at rest is encrypted using AES-256 algorithms. Data in transit is encrypted using RSA-2048 asymmetric algorithms.

ITAR and EAR compliance

AWS GovCloud and specialised geographically restricted servers, with access exclusive to US nationals, are available to meet export controls such as ITAR and EAR.

Compliance documentation

Security documentation available to meet compliance audit needs, including: Information Security Policy, Access Control Policy, Cryptography Policy, Technology Control Plan

Back up

All customer data is backed up and encrypted on a daily basis and can be restored from up to 30 days in the past.

Privacy

AI security & Data privacy

Private interface

All AI processing runs within controlled boundaries that protect proprietary IP

Data control

Only you can access your data unless explicitly shared. Named contact support available under NDA

Full audit trail

Complete visibility into AI suggestions, accepted changes, and every AI action

Data residency

Data stays in specified geography and doesn't leave US territory for export-restricted content

We offer three deployment options to cater to your specific requirements

Compliant Cloud SaaS

Convenience & Security

AWS GovCloud SaaS

Built for ITAR and EAR

Self-hosted Software

Straightforward Control

Self-hosted Software
Flow-hosted Software

Completely separated data/servers

Trusted by tens of thousands of engineers across the fastest-moving engineering teams.

FAQ

Can I store ITAR data on Flow?

Yes, you can store both ITAR and EAR regulated data on Flow. If you wish to host export-restricted 'technical data' within Flow, we host servers in the US with access restricted to US nationals. None of this data leaves US territory, and it is encrypted to FIPS 140-2 standards as stipulated in ITAR § 120.54 (a)(5)(iii). Flow itself does not include EAR-controlled 'technology' or 'software', or ITAR-controlled 'technical data'.

Where is customer data hosted?

We currently have active servers in the US and the UK. We can also host a server in other specific geographies for compliance needs whilst retaining the ease of access given by the SaaS nature of the platform. If you want to host your own instance, we also support deployments to your own cloud infrastructure. Furthermore, we can offer servers with access restricted to specific country nationals for export restriction purposes.

Who can see my technical data?

Your data can only be accessed and controlled by you unless you explicitly share it more widely. Our team only gathers the analytics data required to run our services and ensure platform reliability, and access is permitted only where explicitly required. If you require detailed support, we can provide a named contact, and all discussions can be under an NDA. Only US and UK Persons are granted access to our US and UK production systems respectively. For more detail, our Privacy and Cookies Policy contains data management and retention policies.