Subprocessors
Third-party services that process data on behalf of HiveFlow. All subprocessors have executed Data Processing Agreements (DPAs) with HiveFlow.
Last updated: May 18, 2026 · Subscribe to security@hiveflow.ai for change notifications.
| Subprocessor | Purpose | Data Processed | Location | DPA |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Object storage (S3), LLM inference (Bedrock) | User files, LLM prompts/responses | US West (Oregon, us-west-2) | ✓ |
| MongoDB Atlas | Primary database | User accounts, workflow definitions, execution history, encrypted credentials | AWS us-west-2 (dedicated cluster) | ✓ |
| Anthropic | LLM provider (Claude models) | Workflow prompts and responses | United States | ✓ |
| OpenAI | LLM provider (GPT models) | Workflow prompts and responses | United States | ✓ |
| Google Cloud | LLM provider (Gemini), OAuth authentication | Workflow prompts, OAuth tokens | United States | ✓ |
| Railway | Backend API hosting | All API traffic (processing only, not storage) | US West | ✓ |
| Vercel | Frontend static hosting, CDN | Static assets only — no client data stored | Global Edge Network | ✓ |
| Redis (managed) | Session cache, real-time state | Session tokens, temporary execution state | Co-located with backend | ✓ |
| E2B | Sandboxed code execution | User code, execution inputs/outputs | Multi-region | ✓ |
| GitHub | OAuth provider, source code hosting | OAuth tokens, user profile (name, email) | United States | ✓ |
Data Flow Principles
Orchestration vs. Processing
HiveFlow orchestrates workflows — it routes data between services but minimizes persistent storage. Client credentials are encrypted at rest and decrypted only in-memory during execution.
LLM Data Handling
When using customer-provided API keys, prompts are sent directly to the LLM provider. HiveFlow tracks token usage for billing but does not persist prompt/response content in logs.
No Training on Your Data
HiveFlow does not use customer data to train models or improve services. Your workflows, documents, and execution results belong to you.
Notification of Changes
We provide 30 days advance notice before adding new subprocessors. Enterprise customers can object to changes per their DPA terms.