FlowPilot observes — it never acts.
The product is engineered around a single principle: provide deep operational visibility into CRM ecosystems without ever accessing customer-level sensitive data or performing privileged actions.
Read-only architecture
FlowPilot only reads operational metadata. No write operations are ever issued against Salesforce.
No PII policy
Names, emails, phones and customer profiles are never collected, transmitted or stored.
Aggregated metrics model
Only counts, deltas, latencies and health scores are persisted — never payloads.
Secure credential handling
Credentials are encrypted at rest and scoped to the minimum required API permissions.
Encryption standards
TLS in transit; AES-256 at rest. Secrets isolated from frontend bundles.
Least privilege approach
Read-only scopes only. Send, modify and execute permissions are explicitly denied.
Architecture
Salesforce Marketing Cloud
Source system
Read-Only Connector
Metadata extraction · no payloads
FlowPilot Observability Core
Health scoring · anomaly detection
Operational Dashboard
No PII · no campaign data
Permissions model
Allowed (read-only)
- Journey Read
- Automation Read
- Tracking Read
- Data Extension Read
- Aggregated metrics read
Denied
- Send Email
- Modify Journeys
- Execute Automations
- Write Data Extensions
- Access customer profiles
Audit-ready philosophy: every action FlowPilot takes is observable, deterministic, and bounded by the read-only scopes above.