Trust

Security and privacy, explained plainly.

FlowForce is built in Toronto for sales teams and brokerages who run outbound on real customer data. This page summarizes how we protect that data under Canadian law—and what your team still owns when you send email and SMS.

We are not a law firm. For legal advice on consent, brokerage rules, or US outreach (TCPA), work with your counsel.

Canada

PIPEDA

The Personal Information Protection and Electronic Documents Act applies to how we handle personal information in the course of commercial activity. FlowForce follows PIPEDA's fair information principles: accountability, identifying purposes, consent, limiting collection and use, accuracy, safeguards, openness, individual access, and the ability to challenge our compliance.

  • Accountability. FlowForce, Inc. (Toronto) is responsible for personal information under our control. Privacy requests: privacy@flowforce.app.
  • Your leads. For contact data your team uploads, you are generally the organization making decisions about collection and use; we process it as your service provider to run the CRM.
  • Cross-border processing. Infrastructure and subprocessors may operate in Canada, the United States, and other regions. We use contractual and technical safeguards appropriate to the transfer.
  • Breaches. We maintain an incident response process and will notify affected customers and individuals when required by law.
Full PIPEDA section in Privacy Policy →

Canada

CASL

Canada's anti-spam legislation (CASL) governs commercial electronic messages—email and SMS sent to promote a product, service, or business interest. Your organization is responsible for consent before you message prospects through FlowForce. We give you tools to execute responsibly; we do not provide legal consent on your behalf.

  • Record and respect SMS opt-outs (including STOP replies)
  • Do-not-call flags on lead phone numbers for dialer and automated SMS
  • Content screening on outbound email and SMS before send
  • Smart-stop on cadence reply so you do not keep messaging engaged leads
  • Human confirmation on AI-drafted sends where the product requires it
Full CASL section in Privacy Policy →

What FlowForce provides

  • Tenant isolation and role-based access
  • Audit logs for admin and security-sensitive actions
  • Two-factor authentication and passkeys
  • Email HTML sanitization and content screening on outbound email/SMS
  • SMS STOP / unsubscribe handling and do-not-call flags on leads
  • Google and Microsoft mailbox data kept out of third-party AI training paths

What your team provides

  • Obtain valid consent (or another lawful basis) before emailing or texting prospects
  • Honor opt-outs and internal do-not-contact rules
  • Configure who can send, export, or delete workspace data
  • Review cadence and campaign copy for your industry and jurisdiction
  • Provide recording or meeting notices where your province or state requires them

Enterprise & questionnaires

Need a Data Processing Agreement, security questionnaire, or subprocessors list? Email security@flowforce.app. We share what we have today and a clear timeline for formal attestations (such as SOC 2) as we grow.