Encrypted cloud infrastructure for food safety and data protection at flowtify

Security & Compliance

flowtify protects your data through audited measures, clear standards, and transparent processes.

Hosting

flowtify protects customer data in line with EU data protection law (GDPR) and German data protection standards. All customer data is stored and processed on Microsoft Azure in the Germany West Central region (Frankfurt am Main). Encryption at rest and in transit, audit-proof records, and role-based permissions protect quality data across all locations. The infrastructure is certified to ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, and BSI C5. Data processing exclusively within the EU. Data processing agreement pursuant to Art. 28 GDPR concluded. Technical and organizational measures (TOMs) are available on request.

Data residency

Data residency: Germany. All customer data is stored and processed exclusively in the Frankfurt region, regardless of where your teams work.

Encryption

All data is encrypted at rest. Transmission occurs exclusively over TLS-encrypted connections from version 1.2 onwards. Mobile apps additionally use SSL pinning to prevent man-in-the-middle attacks.

Audit trail

All changes to data are recorded continuously in the transaction log. Changes are only possible through system-authorized transactions. Undocumented changes to data are not possible.

Backups

Automated database snapshots every six hours. Backups are stored in the same EU data center and are subject to the same security standards as production data. Additional daily backups in a georedundant data center of an alternative provider, more than 200 kilometers away. A second safety net, independent of the primary hosting provider.

Availability

Measured availability of 99.97 percent. Contractually guaranteed system availability of 98.5 percent on annual average, including maintenance. The platform is available for use 24 hours a day, 365 days a year.

Offline capability

flowtify HACCP App: Checklists and documentation functions remain available for up to 48 hours without an internet connection, starting from the last synchronization. The app automatically synchronizes in the background every 30 seconds. The 48 hours are a safety net for exceptional cases. Completed tasks are stored locally with the timestamp of completion and automatically synchronized with our servers when the connection is reestablished, including a separate synchronization timestamp for complete traceability.

flowtify AUDIT: Once loaded onto the mobile device, audits can be conducted entirely offline, including photos and assessments. An internet connection is required for the result calculation. Even without a calculated result, a debriefing can be conducted directly afterwards, entirely offline. The debriefing report is automatically synchronized when the connection is reestablished.

Penetration tests

Annual penetration tests by independent providers following publicly available standards from BSI, OWASP, and NIST. The tests cover application security, application infrastructure, web applications, and web services.

Authentication

Support for SAML 2.0, OAuth, and Single Sign-On (SSO). LDAP integration for efficient permission management possible. Integration with corporate Identity Providers (IDP) enables secure and centralized management of user identities. Role-based permissions down to individual function level.

GDPR-compliant data deletion

Standard retention period for documentation data: two years. Optionally extendable individually after prior written agreement. After the retention period expires, data is automatically and completely deleted. At the end of the contract, all personal data is permanently removed at the customer's request.