Zero-Knowledge Architecture

Flowsta staff physically cannot access user private data.

How It Works

Flowsta uses three Holochain DNAs with different access models:

Identity DNA (Public)

Stores publicly readable profile data:

Display name
Profile picture
Agent public key
Agent links (identity attestations)

Private DNA (Encrypted)

Stores encrypted private data:

Email address
Recovery phrase backup
Session data
OAuth activity logs
2FA configuration

All Private DNA data is encrypted client-side using keys derived from the user's password via PBKDF2. The encryption happens in the user's browser before data reaches Flowsta's servers.

Signing DNA (Public)

Stores signatures created by Sign It:

Ed25519 signatures over SHA-256 file hashes
Signing intent (Authorship, Approval, Witness, Receipt, Agreement)
Content rights manifests (license, AI training policy)
Perceptual hash bands (for fuzzy matching of modified files)
Revocation entries (signed by the original signer)

Signatures are public and permanent by design — that's how verification works. Nothing on this DNA contains PII. See Sign It for details.

Encryption Flow

Encryption flow showing client-side encryption in the browser, Flowsta server receiving encrypted data it cannot decrypt, and storage on Holochain DHT

What Flowsta Cannot Access

Data	Access
User passwords	Never sent to server (hashed client-side)
Email addresses	Encrypted with user's key
Recovery phrases	Encrypted with user's key
Session details	Encrypted with user's key
Private profile data	Encrypted with user's key

What Flowsta Can Access

Data	Purpose
Display name	Public profile (user chose to make public)
Profile picture	Public profile
Agent public key	Identity verification
OAuth consent records	Audit trail (which apps user authorized)
Hashed email lookup	Allow login by email (hash only, not plaintext)

Key Derivation

Key derivation from BIP39 recovery phrase through HMAC-SHA256 to Ed25519 keypair producing agent public key, DID, and signing key

The recovery phrase deterministically generates the user's keypair. Combined with their password for encryption key derivation, this means:

Users can restore their identity from the recovery phrase alone
No key escrow or key recovery service needed
Flowsta never sees the recovery phrase (encrypted before storage)

Implications for Developers

When you receive user data through OAuth:

Public data (display name, username, DID, agent key) is readable by Flowsta
Email is only shared if the user explicitly grants the email scope
No data mining - Flowsta cannot analyze user private data for any purpose

Next Steps

Data Portability - How users export their data
Sessions - Token management and lifetimes
OAuth Security - Security best practices for developers

Zero-Knowledge Architecture ​

How It Works ​

Identity DNA (Public) ​

Private DNA (Encrypted) ​

Signing DNA (Public) ​

Encryption Flow ​

What Flowsta Cannot Access ​

What Flowsta Can Access ​

Key Derivation ​

Implications for Developers ​

Next Steps ​