
How Flo's Security Team Protects Your Data: Behind the Scenes

By Laure Lydon, VP of Security & Infrastructure

Ever wonder what actually happens behind the scenes to keep your reproductive health data secure? Privacy policies talk about "security measures" and "protection protocols," but what does that really look like day-to-day?

I lead Security at Flo Health, bringing together multiple teams to protect the data of millions of people who rely on the world’s most downloaded women’s health app. I’m responsible for defining and driving our security strategy and governance, ensuring we maintain the highest standards of protection across everything we build and operate.

My focus is on making sure security and privacy are not siloed, but embedded into every part of Flo - from how we design and launch features, to how we detect and respond to threats, to how we partner with third parties. This means aligning people, processes, and technology to stay ahead of evolving risks while enabling the business to move fast and innovate safely.

For me, this goes beyond controls or compliance. It’s about earning and maintaining your trust - by protecting some of the most personal and sensitive information about your body, your health, and your life, every single day.

Let me take you inside how Flo's Security and Privacy teams work to protect all the millions of people who use our app worldwide.

Building Security Into Every Feature: Product Security

Security at Flo doesn’t start after a feature is built - it starts from the very first design discussion. Our Product Security team works alongside engineers and product managers to ensure that every feature is secure by design and by default.

We support teams with threat modelling and security assessments, helping identify how a feature could be misused and what protections need to be in place early on. This proactive approach means risks are addressed during design and not after release.

Our work continues throughout development. We partner with engineers to identify and eliminate vulnerabilities, lead security testing including internal reviews and external penetration tests, and ensure findings are clearly communicated and prioritised for remediation. We also run Flo’s private bug bounty programme in partnership with HackerOne, working with trusted security researchers to continuously test our systems in real-world conditions.

Beyond testing, we invest in building secure engineering practices at scale. We create and maintain secure coding training and awareness resources, helping teams make better security decisions every day.

By embedding security into how products are designed, built, and improved, we enable Flo to innovate safely, so every feature you use is developed with your security and privacy in mind.

Around-the-Clock Monitoring and Incident Response

Our systems are monitored 24/7, with automated systems constantly scanning for anomalies and threat detection algorithms analyzing network traffic for potential issues. Our intrusion detection systems monitor for unauthorized access attempts, and log analysis tools correlate events across systems to identify potential security issues early.

We actively respond to threats with security engineers analyzing alerts, investigating suspicious patterns, and responding to potential concerns. Most days, everything is normal. But we're always prepared for the days when it's not.

Flo’s security team regularly conducts incident response drills simulating realistic attack scenarios to evaluate our detection speed, containment, and recovery processes. These exercises test our communication protocols, verify backup restoration, and help us identify areas for improvement in our response plan.

These drills are valuable because security incidents don't announce themselves politely. When an actual incident occurs, there's no time to figure out who does what. Muscle memory matters because practiced teams respond faster and make fewer mistakes under pressure.

Privacy by Design and Vendor Security

The Privacy team reviews Data Protection Impact Assessments (DPIAs) before launching new features. This review occurs during the design phase, assessing data collection necessity, privacy risks, and mitigation strategies to ensure privacy is integrated from the start.

No feature launches without this review. I've seen feature ideas delayed or scrapped because privacy requirements weren't met. That's how it should be. Privacy and security aren’t negotiable.

Any third-party service that processes user data goes through a rigorous security assessment because we don't outsource our security standards. Instead, we review the security posture, certifications, penetration testing results, and incident response history of our service providers against our own policies. We examine their data retention policies, encryption implementations, and access controls. We verify their compliance with relevant regulations. We negotiate data processing agreements with strict security requirements. If a vendor's security practices don't meet our standards, we find a different vendor.

What You Don't See: Technical Protection in Action

Every time you open Flo, multiple security layers protect your data.

First, the most current Transport Layer Security (TLS) encrypts data traveling between your phone and our servers. End-to-end encryption protects data at rest while access controls ensure only authorized systems can read your information. We use anomaly detection to watch for unusual patterns in our systems, and multi-factor authentication protects administrative access.

For Anonymous Mode users, we've implemented Oblivious HTTP via Cloudflare's relay. This means your health data and app usage aren't connected to your identity. Your data is encrypted with post-quantum cryptography (protecting against future quantum computing threats and attacks) and is isolated from identifiers such as your name or email. These technical implementations provide real protection.

Continuous Vigilance

Our Data Protection Officer, Sue Khan, and I lead teams that understand the unique importance of reproductive health data. This isn't a compliance checklist for us. It's personal.

Threat landscapes evolve. New vulnerabilities emerge. Attack techniques become more sophisticated. Regulations change. We adapt constantly. We invest in new security technologies. We maintain connections with security researchers globally. We strive to stay ahead of threats rather than reacting to them.

Privacy and security at Flo are the result of dedicated work, technical expertise, and unwavering commitment to protecting your reproductive health data.

Your body. Your data.
