Flow Studio Responsible AI

Last updated: 2026-04-13
Owner: Flow Studio Solutions

1. Our approach

Flow Studio MCP is built on privacy-by-design and data minimization principles. It provides tools that AI agents can call to work with Microsoft Power Platform APIs using your delegated consent.

Flow Studio MCP is a third-party service. It is not built, endorsed, or operated by Microsoft. It connects to Microsoft Power Platform APIs subject to your organisation’s Microsoft policies, DLP rules, RBAC, and the permissions granted to the signed-in account.

2. What Flow Studio does not access

Flow Studio MCP requests only the Power Platform scopes needed to read and manage flows.

Flow Studio MCP does not request mailbox, calendar, OneDrive, SharePoint file, Teams chat, or broad Microsoft Graph content scopes for the agent request path.

Flow Studio does not store connector secrets. Runtime payloads may be fetched transiently only when a user or agent explicitly asks to inspect run details for debugging.

See the Security Architecture Review for the full authentication model and scope details.

3. AI agent transparency

Flow Studio MCP provides tools, not autonomous AI.

When your AI agent, MCP client, or Copilot-style tool calls Flow Studio MCP:

• The call is made using your delegated Microsoft consent.
• The call remains subject to Microsoft tenant controls, RBAC, and DLP.
• The AI client decides which tool to call and when.
• Flow Studio executes the requested operation through structured tools.
• Flow Studio MCP does not run a server-side large language model for these requests.

4. Error data and service improvement

Flow Studio may analyse MCP tool-call error patterns to improve reliability and agent guidance.

This may include:

• Common API error codes
• Tool names
• HTTP status codes
• Error message patterns
• Malformed input shapes

This does not use connector secrets, run output payloads, or business content inside your flows for AI model training.

Flow Studio does not send your customer data to third-party AI models for training.

5. Human control

Flow Studio MCP is designed so users remain in control:

• Microsoft consent is granted through standard Microsoft OAuth flows.
• Access can be revoked through Microsoft or Flow Studio account controls.
• Monitoring and governance caching are enabled only for configured workspaces and features.
• Write operations should be reviewed before applying changes to production flows.
• Tool calls can be logged for auditability, support, and usage review.

We recommend users review and approve agent-driven changes before applying them to production workflows.

6. Third-party AI clients

Flow Studio MCP is a tool provider. The AI clients that call the tools, such as Claude, GitHub Copilot, ChatGPT, Microsoft Copilot Studio, Copilot Cowork, or other MCP clients, are operated by their respective companies.

Flow Studio does not control how those clients process, store, or use the prompts and responses they handle. Review each client’s own privacy, security, and AI policies.

7. Related pages

• Security Architecture Review
• Privacy Policy
• Terms of Service

For responsible AI questions or compliance review requests, contact support@flowstudio.app.