Building trust through transparency
At FlowPoint, we believe the foundation of our success rests on the trust of our clients and the integrity of our service. We regard the privacy and security of your data not only as requirements but as guiding principles that fundamentally shape product development and operations across our business.
To protect your data, we are implementing leading cybersecurity frameworks and standards like Privacy by Design, SOC2, and ISO 27001 to ensure responsible, auditable usage and management of your sensitive information.
We have a dedicated senior DevOps and Security lead whose primary focus is on maintaining privacy, security and compliance. We routinely collaborate with a third-party data security and privacy specialist to improve our understanding and approach, and we ensure awareness across our entire team, fostering a culture of responsibility.
Moreover, we continually monitor and update our security controls for confidentiality, integrity, and availability of our clients’ data and our services.
We only work with industry-leading software vendors for our infrastructure and services like Amazon Web Services and Microsoft because of their high standards and openly published compliance reports.
Even though our infrastructure and services are compliant, FlowPoint itself is on the path to achieving compliance in two complementary areas:
- SOC 2 compliance – reporting controls related to security and privacy.
  - Q3 of 2023: SOC2 Type 1 compliance report and penetration test results published to clients
  - Q2 of 2024: SOC2 Type 2 compliance report published to clients; achieving full compliance.
- ISO 27001 compliance – standards for information security and asset management
  - We are actively working towards these controls now. Time frames for publishing results to our clients are being established and will be shared when available.
Data Privacy Principles
- Clear purpose: We clearly outline the purpose for collecting personal information.
- Clear limits: We use your personal data only for service provision.
- Retention: We store your data only as long as necessary or as mandated by law.
- Accuracy Verification: We verify the correctness of your data before using it.
- Ability for Correction: We provide mechanisms for you to correct your information.
- Access: We provide you access to your personal data stored in our systems.
- Approved Collection Methods: We collect personal data through lawful and ethically approved methods.
- Explicit consent for collection of personal information: We seek your explicit consent before collecting personal data.
- Appropriate security controls for personal data: We apply robust security measures to protect your data at all times.
Data Security Principles
Our data security strategy is rooted in internationally well-respected cybersecurity frameworks. We have aligned our security measures with the stringent guidelines outlined in the AICPA SOC2 and ISO 27001 standards. Our methodology towards data security can be summarized as follows:
- Risk Assessment: We conduct regular and comprehensive risk assessments to identify and analyze potential threats to our information systems. We perform annual independent penetration testing.
- Asset Management: We maintain a detailed inventory of all our information assets, which is a crucial first step in protecting them.
- Access Control: We manage access to our information on a need-to-have basis, ensuring that only authorized personnel can access sensitive data.
- Cryptography: We apply cryptographic controls for the protection of sensitive information, in storage and in transit.
- Physical Security: We protect our physical premises and infrastructure from unauthorized access and environmental threats.
- Operations Security: We have defined operational procedures and responsibilities to manage and secure our systems.
- Communications Security: We protect our information networks and their supporting information processing facilities.
- System Acquisition, Development and Maintenance: We ensure security is integrated in our system lifecycle, from acquisition or development, through to maintenance.
- Supplier Relationships: We manage risks associated with third-party access to our systems and data.
- Incident Management: We have established a robust incident response plan that allows us to quickly react to and recover from security breaches.
- Business Continuity: We maintain comprehensive business continuity plans to ensure our operations can continue in the face of disruption, including cyber threats.
- Compliance: We respect and comply with applicable legal, regulatory, and contractual requirements related to our information security systems.
These links will provide you with detailed legal and compliance information related to our security and privacy.
These links will become available over the balance of this year (2023) and early next year as we work to complete our certifications.
In the meantime, we are happy to provide you with a confirmation letter of our SOC2 proceedings upon request. We do this upon request because each letter is sent from our SOC2 provider directly to your company. If you’d like to receive a confirmation letter, please contact firstname.lastname@example.org.
SOC2 Audit Reports & Certificates
ISO 27001 Audit Reports & Certificates