TopFlow
LearnBuildSecurity
Compliance Framework

Security & Compliance

TopFlow is built with compliance-conscious design principles. Learn how its privacy-first architecture supports GDPR, SOC 2, and industry-specific security requirements for regulated environments.

Overview

TopFlow demonstrates compliance by design—security and privacy features baked into the architecture from day one, not bolted on as an afterthought. As a platform built by a former CISO, it showcases how to build AI systems that meet enterprise security standards.

Privacy-First

All data stored in your browser only. No backend database means no data breach risk. True privacy by design.

Security Controls

12 security validations including SSRF prevention, rate limiting, cycle detection, and input sanitization.

Audit-Ready

Code export generates audit trails. Open source for security review. Compliance documentation built-in.

Compliance Philosophy

TopFlow's approach to compliance is based on four principles:

  1. 1. Data Minimization - Collect only what's absolutely necessary (spoiler: nothing on the server)
  2. 2. User Control - Users own 100% of their data—workflows, API keys, execution history
  3. 3. Transparency - Open source for community security review and audit
  4. 4. Purpose Limitation - Data used only for workflow execution, never for analytics or tracking

This isn't just good practice—it's authentic privacy-first positioning. You can't breach data you never collected.

GDPR Compliance

The General Data Protection Regulation (GDPR) is the EU's comprehensive privacy law. TopFlow's client-side architecture makes GDPR compliance straightforward because no personal data is processed server-side.

GDPR Article 5 Principles
TopFlow aligns with all six GDPR data protection principles
1. Lawfulness, Fairness, Transparency
Data processing must be legal, fair, and transparent

How TopFlow Complies:

  • • No user accounts or authentication required (no personal data collection)
  • • Open source code allows full transparency into data handling
  • • Clear documentation of data flows and storage
  • • Privacy policy in plain language (not legalese)
2. Purpose Limitation
Data collected for specified purposes only

How TopFlow Complies:

  • • Data used exclusively for workflow execution
  • • No secondary use (analytics, advertising, profiling)
  • • No data selling or sharing with third parties
  • • Execution results are ephemeral (not persisted server-side)
3. Data Minimization
Collect only necessary data

How TopFlow Complies:

  • • Zero server-side storage of user data (localStorage only)
  • • No tracking cookies or analytics by default
  • • No user profiles, email addresses, or identifiers
  • • API keys stored locally, never sent to TopFlow servers
4. Accuracy
Data must be accurate and up-to-date

How TopFlow Complies:

  • • Users have direct control over all data (localStorage)
  • • Workflows editable at any time
  • • Version history allows reverting to accurate states
  • • No stale server-side cached data
5. Storage Limitation
Data retained only as long as necessary

How TopFlow Complies:

  • • No server-side retention (data doesn't exist to retain)
  • • Users control localStorage retention via browser settings
  • • Auto-save keeps only last 5 versions (automatic cleanup)
  • • Execution results discarded after streaming to client
6. Integrity & Confidentiality
Appropriate security measures

How TopFlow Complies:

  • • HTTPS/TLS 1.3 for all communications
  • • localStorage encrypted at browser level
  • • SSRF prevention protects against unauthorized access
  • • Rate limiting prevents abuse and DoS attacks
GDPR Data Subject Rights
Because TopFlow stores no personal data server-side, most GDPR rights are inherently satisfied

Right to Access

Users have full access to localStorage via browser DevTools or export feature

Right to Rectification

Users can edit workflows at any time

Right to Erasure

Clear browser storage deletes all data instantly

Right to Data Portability

JSON export/import functionality

Right to Restrict Processing

Users control when workflows execute

Right to Object

No automated profiling or marketing (N/A)

GDPR Workflow Example

TopFlow includes a pre-built template: GDPR Data Access Request Automation. This workflow demonstrates how to handle Article 15 (Right to Access) requests automatically, including data aggregation, PII redaction, and response generation.

SOC 2 Considerations

SOC 2 is a compliance framework for service providers storing customer data in the cloud. While TopFlow stores no customer data server-side, understanding SOC 2 principles helps with enterprise deployment.

SOC 2 Trust Service Criteria
How TopFlow aligns with each of the five TSC
Security (CC1-CC9)
Protection against unauthorized access

TopFlow Implementation:

  • • 12 security validations including SSRF prevention, cycle detection
  • • Rate limiting (10 req/min per IP) prevents abuse
  • • Input sanitization and validation on all user inputs
  • • HTTPS/TLS 1.3 enforced for all communications
  • • Open source for security review and audit

Status: ✅ Well-implemented

Availability (A1)
System accessible when needed

TopFlow Implementation:

  • • Stateless architecture enables horizontal scaling
  • • No database dependencies (can't have database downtime)
  • • Deployed on Vercel Edge Network (global CDN)
  • • Automatic failover and load balancing

Status: ✅ Well-implemented

Processing Integrity (PI1)
Processing is complete, valid, accurate, timely

TopFlow Implementation:

  • • Pre-execution validation prevents invalid workflows
  • • Error handling returns clear, actionable messages
  • • Code export generates production-ready TypeScript
  • • Version history allows auditing workflow changes

Status: ⚠️ Partially implemented (audit logging recommended)

Confidentiality (C1)
Information designated as confidential is protected

TopFlow Implementation:

  • • API keys stored in localStorage (browser-secured)
  • • Keys never logged in error messages or traces
  • • No server-side persistence of sensitive data
  • • BYOK model—users control their own credentials

Status: ⚠️ Good for demo, encryption recommended for enterprise

Privacy (P1-P8)
Personal info collected, used, retained, disclosed appropriately

TopFlow Implementation:

  • • Zero server-side data collection (true privacy-first)
  • • No tracking, analytics, or profiling by default
  • • Users own 100% of their data via localStorage
  • • Open source allows privacy verification

Status: ✅ Exceptional implementation

Enterprise Deployment Recommendations

For organizations pursuing SOC 2 certification with TopFlow:

  • • Add audit logging - Track all workflow executions, validations, and configuration changes
  • • Implement RBAC - Define user roles and permissions
  • • Enhanced monitoring - Set up SIEM integration for security event correlation
  • • Incident response plan - Document procedures for security incidents
  • • Vendor management - Ensure AI providers have SOC 2 reports

HIPAA & Healthcare

The Health Insurance Portability and Accountability Act (HIPAA) governs Protected Health Information (PHI) in the United States. TopFlow's default architecture is not HIPAA-compliant because localStorage encryption doesn't meet HIPAA standards.

HIPAA Requirements
Key compliance challenges and solutions
❌ Encryption at Rest
PHI must be encrypted using FIPS 140-2 compliant algorithms

Issue: Browser localStorage encryption doesn't meet HIPAA standards.

Solution: Deploy with server-side storage using AES-256 encryption or use a secrets management service (AWS Secrets Manager, HashiCorp Vault).

⚠️ Business Associate Agreements
Required with all vendors handling PHI

Issue: AI providers (OpenAI, Anthropic, Google) must sign BAAs before processing PHI.

Solution: Use HIPAA-compliant AI providers or deploy on-premise with local models. OpenAI and Anthropic offer BAAs for enterprise customers.

⚠️ Audit Controls
Record and examine activity in systems with PHI

Status: TopFlow has basic execution logging but needs enhancement.

Solution: Implement comprehensive audit logging with tamper-proof storage. Log all PHI access, modifications, and disclosures.

✅ Minimum Necessary
Limit PHI access to minimum necessary

Status: TopFlow's data minimization principle aligns with this requirement.

No server-side storage means PHI is only accessed during workflow execution.

Healthcare Deployment Path

To use TopFlow for PHI workflows, follow this implementation path:

  1. 1. Sign BAAs with OpenAI, Anthropic, or use on-premise models
  2. 2. Deploy server-side storage with FIPS 140-2 encryption
  3. 3. Implement RBAC - Only authorized clinicians access PHI workflows
  4. 4. Add comprehensive audit logging - Track all PHI access with immutable logs
  5. 5. De-identification workflows - Create templates for removing identifiers
  6. 6. Penetration testing - Third-party security audit required for HIPAA
Important Healthcare Notice

Do not use TopFlow's default configuration for PHI workflows without implementing the recommendations above. Consult with a HIPAA compliance expert before deployment in healthcare environments.

Industry-Specific Guidance

Financial Services
Banking, payments, investment management

Key Regulations: PCI DSS (payments), SOC 2, GLBA, SEC cybersecurity rules

Recommendations:

  • • Multi-factor authentication (MFA) before workflow execution
  • • Transaction signing with cryptographic signatures
  • • Enhanced audit logging with timestamps
  • • Do not process credit card data—use payment provider APIs instead
  • • Generate compliance reports for regulators
Public Sector / Government
Federal, state, local government agencies

Key Regulations: FedRAMP, NIST 800-53, FISMA, state-specific laws

Recommendations:

  • • On-premise deployment for data residency requirements
  • • FedRAMP controls—implement NIST 800-53 security controls
  • • Air-gapped operation for classified environments
  • • Enhanced audit trails for FOIA compliance
  • • Use local AI models—avoid commercial AI providers
Legal Services
Law firms, corporate legal departments

Key Concerns: Attorney-client privilege, confidentiality, ethics rules

Recommendations:

  • • Encryption at rest for client data
  • • Access controls with per-case permissions and Chinese Wall policies
  • • Audit trails for document access and privilege logs
  • • Redaction workflows—use PII detection nodes
  • • Vendor due diligence for AI providers
Education
Schools, universities, EdTech platforms

Key Regulations: FERPA (student records), COPPA (children under 13)

Recommendations:

  • • Age verification—no children under 13 without parental consent (COPPA)
  • • FERPA compliance for student education records
  • • De-identification—strip student identifiers before AI processing
  • • Parental controls to review and delete student data
  • • Transparency about AI usage in educational settings

Compliance Best Practices

1. Know Your Compliance Requirements

Before deploying TopFlow in production:

  • • Identify which regulations apply to your organization and use case
  • • Document specific technical requirements (encryption standards, audit logging, etc.)
  • • Understand data residency requirements (EU data stays in EU, etc.)
  • • Review AI provider compliance certifications (SOC 2, ISO 27001, etc.)
2. Implement Defense-in-Depth

Layer multiple security controls:

  • • Network layer - TLS 1.3, rate limiting, DDoS protection
  • • Application layer - Input validation, SSRF prevention, cycle detection
  • • Data layer - Encryption at rest, secure key management
  • • Monitoring layer - Audit logging, anomaly detection, alerting
3. Document Everything

For audit readiness:

  • • Maintain a data flow diagram showing where data goes
  • • Document security controls and their implementation
  • • Keep version history of compliance-related code changes
  • • Create runbooks for incident response
  • • Generate compliance reports (SOC 2, GDPR, etc.)
4. Use Code Export for Audit Trails

TopFlow's code export feature generates production-ready TypeScript from your workflows. This provides:

  • • Audit trail - Exact code that runs in production
  • • Version control - Commit exported code to git for history
  • • Code review - Security team can review exported TypeScript
  • • Compliance evidence - Show auditors the actual implementation
5. Regular Security Reviews

Maintain security posture over time:

  • • Quarterly - Review access controls, update dependencies, check audit logs
  • • Annually - Penetration testing, compliance assessment, security training
  • • On change - Security review for new workflows or integrations
6. Vendor Management

For AI providers (OpenAI, Anthropic, Google, Groq):

  • • Review their security certifications (SOC 2, ISO 27001, GDPR compliance)
  • • Sign Data Processing Agreements (DPA) or Business Associate Agreements (BAA) as needed
  • • Monitor for security advisories and update API versions
  • • Have backup providers in case of outages or policy changes
7. Train Your Team

Compliance is not just technical:

  • • Train developers on secure coding practices (OWASP Top 10, AI-specific threats)
  • • Educate users on data handling best practices (don't include PII in prompts)
  • • Establish clear policies for workflow creation and review
  • • Create incident response procedures everyone understands

Related Documentation

Security Validations
12 security checks for workflow execution
View Documentation
Security Architecture
Defense-in-depth security layers
View Documentation
Workflows 101
Build secure workflows from scratch
View Documentation
GDPR Automation Workflow
Pre-built template for GDPR compliance
View Blog Post

Next Steps

Continue learning about security features and implementation:

Security ValidationsSecurity ArchitectureBest Practices