Zero-Knowledge Architecture

Flowsta staff physically cannot access user private data.

How It Works

Flowsta uses two Holochain DNAs with different access models:

Identity DNA (Public)

Stores publicly readable profile data:

• Display name
• Profile picture
• Agent public key
• Agent links (identity attestations)

Private DNA (Encrypted)

Stores encrypted private data:

• Email address
• Recovery phrase backup
• Session data
• OAuth activity logs
• 2FA configuration

All Private DNA data is encrypted client-side using keys derived from the user's password via PBKDF2. The encryption happens in the user's browser before data reaches Flowsta's servers.

Encryption Flow

What Flowsta Cannot Access

Data	Access
User passwords	Never sent to server (hashed client-side)
Email addresses	Encrypted with user's key
Recovery phrases	Encrypted with user's key
Session details	Encrypted with user's key
Private profile data	Encrypted with user's key

What Flowsta Can Access

Data	Purpose
Display name	Public profile (user chose to make public)
Profile picture	Public profile
Agent public key	Identity verification
OAuth consent records	Audit trail (which apps user authorized)
Hashed email lookup	Allow login by email (hash only, not plaintext)

Key Derivation

The recovery phrase deterministically generates the user's keypair. Combined with their password for encryption key derivation, this means:

• Users can restore their identity from the recovery phrase alone
• No key escrow or key recovery service needed
• Flowsta never sees the recovery phrase (encrypted before storage)

Implications for Developers

When you receive user data through OAuth:

• Public data (display name, username, DID, agent key) is readable by Flowsta
• Email is only shared if the user explicitly grants the email scope
• No data mining - Flowsta cannot analyze user private data for any purpose

Next Steps

• Data Portability - How users export their data
• Sessions - Token management and lifetimes
• OAuth Security - Security best practices for developers