FlowCrypt Workspace Key Manager Privacy Policy
This privacy policy explains how FlowCrypt collects, processes, and protects information through its Workspace Key Manager for Google Workspace Client-Side Encryption (CSE). Delivered as a managed service hosted and maintained by FlowCrypt, the Workspace Key Manager functions as a Key Access Control List Service (KACLS), enabling client-side encryption of your data within Google Workspace.
Our Commitment to Your Privacy
FlowCrypt is committed to privacy and security. The Workspace Key Manager lets your organization manage its own encryption keys and encrypted data. We function solely as a key management service provider, never as a processor or recipient of your confidential data in plaintext.
What Information We Process
The FlowCrypt Workspace Key Manager processes information related to encryption key operations, not your actual content.
- Encryption Keys: We handle Data Encryption Keys (DEKs) from Google Workspace clients, which are used to encrypt your content (e.g., emails, documents). We encrypt these DEKs using your organization’s Key Encryption Keys (KEKs), which are derived from your Master Key. We then return the encrypted DEKs to Google Workspace for storage. For decryption, we decrypt these DEKs and return them to the client. Crucially, the Workspace Key Manager never accesses your Google Workspace content.
- Authentication & Authorization Tokens: We process tokens from Google Workspace and your Identity Provider (IdP) to verify that key operation requests are legitimate and from authorized users. These tokens are used only during request handling and are not stored.
- Key Operation Metadata: We may generate metadata about key operations (e.g., timestamps, operation type, user ID) for logging, auditing, and performance monitoring.
How We Use Information
Information processed by the Workspace Key Manager is used strictly for:
- Enabling Google Workspace CSE: Facilitating the encryption and decryption of DEKs.
- Authentication & Authorization: Verifying authorized access for key operations.
- Logging & Auditing: Creating logs for your organization’s security and compliance (controlled by your deployment).
- Performance & Stability: Monitoring service performance.
Data Location and Control
FlowCrypt deploys, hosts, and operates the Workspace Key Manager as a managed service within FlowCrypt’s secure cloud infrastructure on Amazon Web Services (AWS). In this model, we manage the Master Key securely for your organization within our controlled environment, utilizing industry best practices for key management.
Data Sharing and Disclosure
The FlowCrypt Workspace Key Manager does not share any processed information with third parties, except as legally required or as configured by your organization (e.g., IdP integration, logging systems). Any third-party services utilized by FlowCrypt to provide the service (e.g., cloud infrastructure providers) are subject to strict security and privacy agreements, and are selected to ensure the highest level of data protection.
Data Retention
Information is processed transiently for key operations. Logs are retained according to our standard operational procedures, which are designed to support auditing and operational needs, and can be configured to meet customer requirements where applicable. We do not retain data from your instance unless specified in a managed service contract.
Security Measures
The Workspace Key Manager is designed with robust security, including:
- Secure Key Management: Support for HSMs/KMS (e.g., PKCS#11, KMIP-1.0) for Master Key storage. We implement our own secure key management infrastructure for your Master Key.
- TLS/SSL Encryption: Secure communication (HTTPS) for all interactions.
- Authentication & Authorization: Strict request validation and integration with your IdP.
- Deployment Security: Hosted in FlowCrypt’s secure infrastructure on AWS with multiple layers of protection.
Your Responsibilities
- Identity Provider Configuration: Providing and managing your own Identity Provider (IdP) and ensuring it is correctly configured for integration with FlowCrypt’s service.
- Compliance: Ensuring your use of the FlowCrypt service meets your organization’s legal and regulatory requirements. FlowCrypt is responsible for the security and compliance of the underlying infrastructure.
Regulatory Information
FlowCrypt complies with applicable data protection laws, including the General Data Protection Regulation (GDPR), where relevant. For more information about our compliance practices, please contact us at human@flowcrypt.com.
Changes to This Policy
FlowCrypt reserves the right to review and update this Privacy Policy at any time, in accordance with applicable laws.
Last Updated: July 18, 2025
Contact Us
For questions about this policy, please contact us at human@flowcrypt.com.