GDPR-compliant with a published DPA

A CRM you can hand to your lawyer.

Field-level encryption. Tenant-scoped keys. An audit log on every mutation. A DPA your legal contact can pull right now. FlowGrid answers vendor reviews with cryptography, not assurances.
Start free — up to 50 recordsSee security details

No credit card · Export your data anytime

FlowGrid on Product Hunt
A populated FlowGrid workspace dashboard with contacts, deals and reports

The questions you keep getting asked

What your buyers and your DPO already want to know.

  • Where does my customer data physically live, and which subprocessors touch it?
  • If your support team can read a contact record while debugging, can they do it without my consent?
  • If you get acquired or shut down, what happens to my data — and how do I get it back?

How FlowGrid answers them

Privacy is a database design decision, not a marketing claim.

Encryption that isolates tenants by default

Field-level AES-256-GCM with tenant-scoped keys.

Every contact field is encrypted at rest. Each tenant has its own key, managed in a key-management service. A workspace's data cannot be decrypted with another workspace's key — not by us, not by an attacker who manages to read the database.

Multi-tenant row-level isolation is enforced at the Postgres layer, so cross-tenant reads aren't a feature flag — they're a database-level impossibility.

FlowGrid audit log showing who accessed a record, when, and exactly what changed.

Audit log built-in

Every mutation, with actor, before-and-after, timestamp.

When something happens to a record, your audit trail records who did it, what changed, and when. Logs are append-only. Workspace admins can export the full trail at any time.

Right-to-be-forgotten requests delete the record and themselves get logged. Your DPO can answer DSAR requests with evidence, not promises.

Data export interface in FlowGrid

Legal paperwork ready

GDPR-compliant with a DPA you can pull right now.

Most vendor reviews stall waiting for the DPA to come back redlined. FlowGrid's DPA is published and ready to read — pull it up and forward it to your legal contact while you're still reading this page.

Subprocessor list is public and current; see /legal/subprocessors for who touches what data and where.

Verifiable, not assumed

We're early. Here's how you can verify us anyway.

How your data is protected

Field-level AES-256-GCM encryption with tenant-scoped keys. Multi-tenant row-level isolation. Every mutation logged.

Read the security details →

Legal & compliance

GDPR-compliant with a Data Processing Addendum. Your legal contact can pull it now — not after a sales call.

Read the DPA →

Built in public

  • v1.2.0 · Jun 10, 2026

    v1.2.0

  • v1.1.0 · Jun 2, 2026

    v1.1.0

  • v1.0.0 · May 2, 2026

    v1.0.0

See full changelog →

Built in public

We don't have customer logos to show you yet.

FlowGrid is early. Instead of borrowed credibility, here's what you can verify yourself:

Honest answers

The questions you'd actually ask.

Forward the DPA. Start free. See it for yourself.

Free up to 50 records, no credit card, full data export at any time. Your legal contact can review the DPA in parallel.
Start free — up to 50 records

See also: security details · read the DPA