How We Achieved ISO 27701: Behind the Scenes of Flo's Privacy Certification

By Alastair Koch, Privacy Program Lead

Becoming the first and only female health app to achieve ISO 27701 Privacy certification was a major milestone for Flo. It shows our strong commitment to protecting your privacy and building trust with everyone who uses our app.

I joined Flo in 2023 and am currently the Privacy Program Lead. Since joining, I’ve led the coordination of our ISO 27701 audit on behalf of the privacy team, a process that requires significant cross-functional work, planning, and alignment across the company.

This role gives me a front-row seat to how we deliver on our privacy commitments. It means working closely with stakeholders across every workstream and product area, getting into the details of how things actually operate — from technical controls to day-to-day processes. No stone is left unturned. That level of scrutiny is what maintaining ISO 27701 demands, and it’s how we ensure our standards hold up across the entire business. 

This is no small task. But at Flo, robust privacy is non-negotiable. So let me briefly walk you through what the process looks like for us — and what really goes into earning and maintaining the gold standard of privacy certification!

Why We Pursued ISO 27701

Earning any ISO certification is challenging. What makes ISO 27701 particularly tough — and why so few companies have achieved it — is that it requires you to turn high-level privacy principles into clear, practical actions backed by evidence. 

It’s not enough to say privacy is important, and meeting the standard takes far more than producing documentation. It means weaving privacy into the way the business actually operates, so it becomes part of how decisions are made every day. That requires strong systems and clear governance that don’t just meet high standards now, but continue to stand up as we grow, evolve our products, and support more users around the world. This is exactly why we chose to pursue the certification. As a period tracking app trusted by hundreds of millions of users, we knew it wasn’t enough to simply claim compliance. We have a responsibility to prove it.

Starting With ISO 27001

In 2022, we pursued ISO 27001 certification, becoming the first period- and ovulation-tracking app to earn it. ISO 27001 required us to build a comprehensive framework of policies, procedures, and controls covering every aspect of information security.

We had to document everything. Every security process, from how we onboard employees to how we respond to incidents, had to be clearly written down and reviewed. We also had to demonstrate that our technical safeguards met strict standards, including encryption, access controls, and network security.

And it’s not just about technology. We ensure regular security training across every team at Flo, so everyone receives guidance that’s relevant to their role and responsibilities.

We then had to pass an independent external audit. This process involved months of detailed work across every department at Flo. Auditors from an accredited certification body thoroughly reviewed our practices and tested whether we genuinely met the required standards.

Adding ISO 27701: The Privacy Layer

After establishing a strong security foundation with ISO 27001, we went a step further in 2023 by pursuing ISO 27701.

While ISO 27001 focuses on information security, ISO 27701 focuses on privacy. Formally, ISO/IEC 27701 specifies the requirements for a Privacy Information Management System (PIMS) as an extension of ISO/IEC 27001 and 27002, with guidance for organisations acting as PII controllers, PII processors, or both. It builds on the 27001 framework and adds requirements that specifically address privacy management, strengthening how personal data is handled and protected.

Let’s take a look at the key areas covered by ISO 27701:

  • Privacy policies and procedures - How we communicate and maintain our privacy practices
  • Consent management - How we obtain and track user consent
  • Data subject rights - The processes we have to support and uphold all privacy rights, including access, deletion, and portability requests
  • External privacy notices - Ensuring we have clear and transparent privacy practices
  • Third-party data sharing - Managing data sharing with third parties (such as service providers who help us run the app)
  • Data retention and deletion - Making sure we only keep data when we need it
  • Data breach response - Procedures for detecting, managing, and reporting breaches
  • Cross-border transfers - Safeguards for permitted international data transfers 
  • Privacy training - How Flo employees are trained to uphold our privacy requirements & standards

In truth, there is too much that goes into ISO 27701 certification to fit into a single blog post, but let’s take a look at some of the key things we do to deliver it.

1. Data Protection Impact Assessments

One tool we use to assess privacy risks is a Data Protection Impact Assessment (DPIA), the same assessment that GDPR Article 35 requires for processing likely to result in a high risk to individuals. At Flo a DPIA is always undertaken before development begins, and it systematically evaluates:

  • What data is being processed (type, sensitivity, volume)
  • Why we need it (purpose, legal basis)
  • How it will be processed (systems, flows, retention)
  • Who has access (roles, permissions, third parties)
  • What risks exist (re-identification, misuse, breach)
  • What mitigations we'll implement (technical and organizational measures)

The DPIA process involves multiple stakeholders: engineering (to understand the technical implementation), product (to clarify requirements), privacy (to assess compliance), security (to evaluate security risks), and the Data Protection Officer (to approve the final assessment).

2. Accountability

We’ve built clear accountability for data protection across the whole company - right from the CEO down to each individual employee. That means specific teams and leaders are responsible for making sure your data is handled properly — and that privacy isn’t left to chance.

We organise this work across three pillars:

  • Governance: This is the foundation. It includes maintaining our ISO certifications, setting policies and procedures, running training, carrying out privacy impact assessments, and overseeing how data is managed across the business. In simple terms, this is how we set the rules and make sure they’re followed.
  • Advisory: Teams working at this level support day-to-day decisions. They handle incident response, review new products and content, assess risks, provide legal advice, and review contracts. This ensures privacy is built into what we create and how we operate.
  • Strategic: This level looks ahead, monitoring new laws and regulatory guidance, and tracking industry developments. This helps us stay proactive rather than reactive.

Together, this structure ensures privacy is considered at every stage – from longer term strategy to everyday product decisions.

3. Comprehensive Privacy Policies and Procedures

ISO 27701 required us to clearly document not just what we do, but how we do it.

This includes our processes for collecting data, managing consent, retaining and deleting data, sharing information with third parties, responding to incidents, and notifying users in the event of a breach.

Each procedure had to be detailed and transparent enough for independent auditors to review and confirm that we consistently follow it in practice. Having the documents is not enough; we also have to demonstrate the procedures in action by walking the auditors through how each one is actually carried out.

4. Built-in User Rights

ISO 27701 closely aligns with GDPR and other privacy requirements, meaning we have to show that users can genuinely exercise their data rights in practice. To support this, we built tools directly into the app so users can access their data, update their details, manage consent preferences, and delete their accounts easily.

The scale demonstrates that these systems work. In 2025, nearly 900,000 Flo users exercised their data rights directly through the app — clear evidence that our processes are not only in place, but functioning effectively.

5. Supplier Management

Any service provider that processes Flo user data must meet strict privacy and security standards. This includes entering into formal data processing agreements, undergoing security onboarding assessments, participating in regular reviews or audits, and providing clear contractual commitments about how data is handled and protected.

We cannot maintain our privacy certifications if we work with vendors that do not meet comparable standards, so every partner is expected to uphold the same level of care we apply internally.

6. Continuous Monitoring and Improvement

ISO 27701 isn't a one-time achievement; it is an ongoing one. Maintaining certification requires regular internal audits, continuous monitoring through security metrics, formal risk assessments and mitigation plans, incident tracking and analysis, and annual external audits to confirm we still meet the standard.

If our practices fall short, we risk losing certification. This is why continuous improvement is built into our approach.

The audit process involves detailed preparation, documentation review, product testing, and on-site assessments, ensuring our practices meet the strict standards required for ISO 27701 certification.

People often ask what an ISO audit entails. Here's what it looks like.

Pre-audit preparation can take months, but in truth we focus on it all year round. We gather documentation, review procedures, ensure all systems are functioning as documented, and conduct internal testing and verification.

Documentation review takes several days. Auditors examine all policies, procedures, and controls. They verify documentation is complete, up-to-date, and comprehensive. They check that procedures map to ISO requirements.

On-site assessment takes several days or even weeks! Auditors interview employees across departments. They test whether documented procedures are actually followed. They examine technical controls and security measures. They review incident logs, training records, and audit trails.

Findings remediation varies in length. Auditors raise non-conformities and may also suggest opportunities for improvement, which are optional. Non-conformities must be addressed before certification is granted: minor ones can usually be closed with an agreed corrective action plan, while major ones block certification until they are resolved.

Certification decision happens after review. The certification body reviews the audit report. If we meet all requirements, certification is granted. Certification is valid for 3 years, but it requires annual “surveillance” audits to check any changes that have happened over the last year, followed by a full recertification audit at the end of the cycle.

The Hardest Parts

Achieving ISO 27701 was a significant effort, even with strong privacy practices already in place. A few challenges required particular focus: 

  • First: It required embedding privacy consistently across every team. Privacy was already a priority, but certification meant ensuring it was systematically integrated into how all teams operate day to day.
  • Second: The level of documentation was extensive. Every process, control, and safeguard had to be clearly written down and evidenced. That takes time and coordination.
  • Third: Cross-department collaboration was also essential. Privacy management touches engineering, product, legal, customer support, HR, and more. Aligning approaches and maintaining consistency across functions required sustained effort.
  • Fourth: You have to balance openness with confidence. Inviting scrutiny means allowing an expert to question your decisions and probe for gaps — which can be uncomfortable. It’s not always easy to walk a subject-matter expert through complex processes without second-guessing yourself. But staying clear and open to challenge is what ultimately strengthens your privacy and security program and makes it more resilient.
  • Finally: Certification brings ongoing discipline. When timelines are tight, standards still have to be met. ISO reinforces that privacy and security requirements remain non-negotiable, even under pressure.

Beyond Compliance: Setting the Bar Higher

ISO 27701 represents a significant milestone, but it's not the finish line. 

We continue to strengthen our privacy protections by developing features like Anonymous Mode, investing in advanced technologies such as post-quantum cryptography, and expanding our privacy and security teams.

We also share our learnings through white papers and open-source contributions, and actively advocate for higher privacy standards across the femtech industry. For us, privacy isn’t a one-time achievement — it’s an ongoing commitment to raising the bar.

Advice for Other Apps

For other health apps considering ISO certification, here's what we learned.

  • Start early. Building a compliant system takes time. Don't wait until you think you're ready; build privacy into your product from the start.
  • Get executive buy-in. Privacy management requires resources and leadership commitment.
  • Invest in privacy expertise. Hire dedicated privacy professionals who understand both technical and legal aspects.
  • Make privacy & security everyone's job. Security and privacy can't be the responsibility of just one team.
  • Document as you go. Don't try to write all the documentation at the end. Make it part of your processes.
  • Test before the audit. Internal audits help identify gaps before external auditors arrive.
  • Be prepared to change. Certification audits reveal opportunities for change. Be open to addressing them.

The Bigger Picture

ISO isn’t about passing an audit. It’s about building a company that can protect personal data as it grows. 

As your business grows, your risk surface expands — emerging technologies, increasing volumes of data, added integrations, new vendors, and heightened regulatory scrutiny. 

Certification pushes you to put real structure behind privacy and security. It requires clear ownership, defined processes, and systems that can handle growth without breaking or creating new weak spots. Instead of fixing problems after they happen, you build disciplines and controls that keep improving over time.

In short, it’s not about checking a box. It’s about proving — internally and externally — that your organization is equipped to protect personal data responsibly, consistently, and at scale.

Your body. Your data.
