
What ISO Certifications Mean for Your Health Data

By Mary Rendle, Lead Privacy Counsel

You've probably seen companies mention ISO certifications on their websites, but what do they actually mean? And more importantly, why should you care when choosing a period tracking app?

Let's break down what ISO certifications are, why Flo has them, and how they demonstrate our dedication to protecting your reproductive health data.

ISO Certifications: The Gold Standard of Data Protection

ISO certifications are internationally recognized standards that verify a company's commitment to security and privacy. They involve rigorous, independent audits by accredited bodies, ensuring your data is protected by trusted experts.

Think of ISO certifications as a seal of approval from respected, independent experts who verify that a company's data protection practices meet strict international standards and match what the company says it does.

Two Certifications, Maximum Protection

Flo is the first and only female health app to hold dual ISO certifications:

ISO 27001: Information Security Management 

This certification focuses on a company's ability to establish, implement, maintain, and continuously improve information security to protect sensitive data and manage risks.

ISO 27701: Privacy Management

This extends those information security practices to include privacy management, helping organizations protect personal information and comply with privacy regulations like GDPR.

Together, these certifications represent the gold standard in data protection.

What Getting Certified Actually Involves

As Lead Counsel on the Privacy Team, I’m one of several people responsible for ensuring we meet our audit requirements. I joined Flo last year and recently went through my first audit with the company. What stood out immediately was that audit preparation doesn’t begin a few weeks before the auditors arrive—it’s embedded in how we work. Conversations about requirements happen year-round, helping ensure that privacy is built into every feature from the outset.

Now, the audit itself? It’s definitely intense. There are lots of detailed checks and high standards to meet. But what really stood out to me was the teamwork. People across the company—legal, engineering, security, product, and more—came together with incredible focus and care to show that we meet the many controls required to pass. It’s a true cross-functional effort, and it’s impressive to see in action.

So what does one of our audits actually involve? (Spoiler alert: it’s not easy!)

It requires:

  • Comprehensive audits: Independent auditors from an accredited certification body examine every aspect of Flo's data protection practices.
  • Annual recertification: These aren't one-time achievements. Flo undergoes successful audits every year to maintain our certifications.
  • Documented procedures: Every privacy and security process must be thoroughly documented, implemented, and followed.
  • Continuous improvement: The certifications require ongoing monitoring and refinement of security practices.
  • Full organizational commitment: Everyone at Flo, from engineering to customer support, must follow strict security and privacy protocols.

Additionally, ISO 27701 specifies requirements for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). The audit looks at the policies and controls that protect personal information.

Why Independent Certification Matters

Anyone can make privacy claims. A company can say it takes privacy seriously, encrypts data, or follows best practices. But words are easy. Actions are not. Flo obtaining ISO certification is different because it's independently verified by experts who don't work for Flo, confirming our practices meet international standards. This independent validation helps consumers trust our commitment to data protection.

ISO certifications mean that Flo's privacy & security practices are regularly examined by independent experts and confirmed to meet strict international standards through annual audits. 

But most importantly, it means you can track your reproductive health with confidence, knowing that a respected, independent certification body has verified that your data is protected by industry-leading security measures, giving you peace of mind about your health information. Our actions speak louder than words. 

Your body. Your data. 

Want to learn more about Flo's privacy and security practices?