About Flow security and the infrastructure
What's Autodesk Flow?
Flow is the industry cloud for media and entertainment built on Autodesk’s Design and Make Platform. It connects workflows, data, and teams across the production lifecycle. Learn more about Flow here.
Information in this topic represents the current view of Autodesk, Inc. and Autodesk assumes no responsibility for updating this information. Autodesk makes improvements and other changes to its products and services, so this information relates to the version of Flow offered at publication date and is for informational purposes. Autodesk makes no express or implied warranties regarding this topic, and the information provided does not create any binding obligation or commitment for Autodesk.
Introduction
At Autodesk, we know that the security of your data is critical to your studio’s operation. As the industry shifts to the cloud, Autodesk knows that security and service models are more important than ever.
The confidentiality, integrity, and availability of your media files and attachments are at the top of our priority list.
We constantly reassess, develop, and improve our risk management program because we know that the landscape of security is ever-changing.
In this topic, we outline the practices put in place to maintain secure and dependable operation of Flow. If you have additional questions about Flow security, please contact us.
Overview
In addition to the existing Flow Production Tracking data storage, Flow adds a new common Media and Entertainment data model, data storage, and access control model. Flow uses this common data model to deliver new connected capabilities, like Share Cuts to animate in context with Maya.
When you share data from Flow Production Tracking, the data model replicates the metadata and underlying binary data (such as media files) and manages them using a new set of access controls. You configure these access controls when you set up the data sharing.
This topic will outline the security practices of the new data model.
Infrastructure
Data center
Amazon Web Services (AWS)
Flow utilizes AWS resources hosted in the United States. Learn more about Amazon's certifications here.
Cloud storage
When you use connected capabilities, Flow replicates the metadata, media files, and attachments related to shared assets. When using “bring your own bucket” storage configurations, the configured Production environment retains media files and attachments. Autodesk transfers and stores media files and attachments encrypted in line with its encryption and storage policies. Flow stores this metadata within the United States.
Transport
Flow and connected Autodesk applications use TLS 1.2 or higher to encrypt communication, aligning with Autodesk's security policies and practices.
Flow performance
To improve local user experiences, a stand-alone plug-in for Maya supports the creation of a local cache. This cache enables offline use of Flow resources when the user can't connect to the internet. Data cached on the user’s machine relies on the encryption of the local storage system for its protection.
Multi-tenancy
The Flow infrastructure is multi-tenanted and uses strict access control for data segregation.
API access
Limited Flow functionality is available through secure API access methods, which enforce the configured access permissions for metadata, media, and attachments.
Operations
Access to production servers
Logical access to production systems is restricted to the Autodesk support and operations team.
Log rotation and retention
The service rotates production logs as required. A separate and centralized logging system retains logs for four weeks.
Key management
The operations team stores keys in an encrypted data repository that only the operations team can access.
Flow Production Tracking
JWT tokens are used to securely replicate user actions triggered by an authenticated Flow Production Tracking user to Flow, and to replicate changes in Flow to Flow Production Tracking.
Flow Capture
Flow Capture does not replicate media when using connected capabilities. It handles media on behalf of Flow but does not copy any media from Flow Capture to Flow Production Tracking.
Maya
Maya uses Proof Key for Code Exchange (PKCE) for secure authentication to Flow.
Client-owned S3 storage
Flow Production Tracking
Flow Production Tracking contains a Media Isolation feature.
Media Isolation lets you own and manage S3 buckets to store media files and attachments.
If you have enabled the Flow Production Tracking Media Isolation feature, you need to share the associated credentials with Autodesk for Flow to retrieve media files and attachments from your S3 storage.
Flow
Client-owned S3 storage is not supported in Flow.
Application usage
Authentication
Credentials
Flow requires no additional or distinct accounts. It utilizes existing Autodesk Identity Accounts to authenticate using connected Autodesk applications.
Data handling
Data storage
Flow stores both metadata and media files. As in Flow Production Tracking, the metadata describes the production assets associated with the media (such as cuts and shots).
Flow does not support client-owned S3 storage, but Flow Production Tracking does. When you use a client-owned S3 storage option with Flow Production Tracking, Flow stores the metadata and not the associated media. In this configuration, your media files and attachments are stored in the S3 buckets that you own.
When you enable connected capabilities like Share Cuts to animate in context with Maya, this initiates the replication of metadata and media from Flow Production Tracking to Flow.
Metadata and derivatives created by Flow that relate to your media files and attachments are subject to the Autodesk data retention policy.
Data encryption
Data on Amazon S3 is encrypted at rest using 256-bit AES encryption (details at AWS Server Side Encryption). Passwords are hashed and salted. The salt and the resulting hash are persistently stored in our database.
The Flow database is encrypted:
- At rest (for example, when the data written to disk is not being accessed or used)
- In transit (since the communication channels between the database and the application are encrypted)
- When snapshots are taken (for example, database backups)
Access to your data
Your data refers to the data stored in Autodesk products, such as media files, attachments and metadata.
Access to your data is governed by our Terms of Use.
Autodesk product and support teams may access your data in relation to a support request or for product improvement purposes.
Database backups
We take regular snapshots of our database servers multiple times a day. These database snapshots are encrypted at rest on AWS. AWS directly manages backups of media stored on Amazon S3.
Data deletion
The data lifecycle is managed by Flow with appropriate retention and deletion policies in place, aligning with Autodesk policies.
Personal and payment information
Personal information is stored in our internal database. This includes but is not limited to names, email, login, country, industry, and invoices. We share limited personal information with external services in accordance with our Privacy Statement. Please refer to our Privacy Statement for more details on how Flow Production Tracking collects, uses, stores and processes personal information.
GDPR
Please refer to Autodesk Data protection and privacy for more details.
Security processes
Governance
We partner closely with the Autodesk Trust team, led by the Chief Trust Officer. We follow Autodesk's security governance model, including regular check-ins and participating in the security champions program.
Audits
We partner with Independent Security Evaluators (ISE) to perform quarterly SANS/CWE controls and OWASP security testing of Flow. Vulnerabilities are remediated within compliance requirements.
Scanning and monitoring
Endpoint detection and intrusion detection systems are installed automatically on servers and containers. The EDR or IDS solutions are monitored 24 hours a day. Anti-virus is installed on servers. Definitions are updated within compliance guidelines.
Vulnerability scans are performed regularly, and vulnerabilities are remediated within compliance requirements.
Information security policy
We align with and commit to Autodesk’s Information Security Policy and Standards.
Incident management
Potential incidents are managed through Autodesk's Security Incident Response Process. Learn more about Autodesk’s incident response process here.
Secure software development
We follow Autodesk’s secure development standards, which include practices such as secure development training, threat modeling, and static and dynamic code analysis.
Human resources
Background checks
Background checks are required, where permitted by law, for employees with access to the computing resources and support systems used by Autodesk teams.
Security awareness
Autodesk employees must affirm the importance of information security as part of new-employee orientation and yearly thereafter. Employees are required to read, understand, and take a training course on the company’s Code of Conduct. The Code requires every employee to conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. Autodesk employees are required to follow the company’s guidelines on confidentiality, business ethics, appropriate usage, and professional standards.
Confidentiality
New employees must sign a confidentiality agreement. New employee orientation emphasizes the confidentiality and privacy of your data. Employees are bound by non-disclosure agreements with Autodesk. Anyone found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, contract, or relationship with Autodesk.
Without limiting or modifying the foregoing, Flow services are provided subject to the applicable terms of use.
Autodesk, the Autodesk logo, and Flow are registered trademarks or trademarks of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. Other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this topic. © 2025 Autodesk, Inc. All rights reserved.