Health Library

The Intersection of Femtech and data privacy: A Deep Dive with Flo's DPO & VP of Privacy, Sue Khan

"Put simply, if users don’t trust femtech services, they won't use them. Privacy and Security should be a foundational part of the user experience."

Sue Khan
VP of Privacy & DPO

What steps has Flo taken to ensure user Privacy and Security?


Privacy and security are embedded in the core of Flo. One significant step we've taken is the introduction of our 'Anonymous Mode' feature aimed at empowering our users to access medically credible information without anxiety or concern. As of today, Flo is the first female health app to pioneer this innovative solution. Flo’s Anonymous Mode has since been recognized as one of Fast Company’s 2023 World Changing Ideas, TIME’s Best Inventions of 2023, and won the IAPP’s Privacy Innovation Award.

We believe in sharing our advancements with the wider femtech community and beyond. That's why in June 2023, Flo took a significant step by open-sourcing the technology behind its Anonymous Mode feature, sharing a part of its intellectual property (IP) with the global femtech ecosystem. Flo also integrated an even deeper layer of privacy protection by adding post-quantum cryptography into the feature. We regularly collaborate with our Privacy and Security Advisory Board, which we launched last year, in an effort to stay at the forefront of privacy and data security. 

Most recently, we are thrilled to share that we’ve achieved another milestone by being the first period and ovulation tracker to achieve dual ISO 27701 (Privacy) and ISO 27001 (Security) Certifications - the gold standard for privacy and security. This achievement is an acknowledgement that privacy is indeed embedded within Flo’s organisation and is a testament to Flo’s commitment to safeguarding user data in accordance with the most stringent global privacy standards.


From your perspective, why do you believe strong privacy and security standards are essential for femtech products and services?


Put simply, if users don’t trust femtech services, they won't use them. Privacy and Security should be a foundational part of the user experience. Users should have access to services and insights that can help to manage their health, without concern for their privacy. 

Strengthening both privacy not only enhances user comfort, but also empowers our users with greater choice and control over their data, ultimately leading to greater transparency regarding how their data is processed.

Beyond this, privacy and security serve as foundational pillars in the world of femtech. Given the particularly sensitive nature of health data, striking a balance between innovation and the establishment of strong implementation of a control and compliance framework is essential.

What steps would you advise companies within the femtech industry to take when initiating their journey towards bolstering data protection measures?


  • Understand your context: Female health is an issue of global significance. It is highly personalized, and in some cases even politicized. Appreciating this context, and the meaningful work you do as a femtech company, while also recognising the trust that users are placing in you to manage their data, is a critical first step. When you acknowledge this, robust privacy and security is not just nice to have, it’s a must. 
  • Engage with your users: A constant dialogue with users through feedback mechanisms or quantitative user research is crucial. What do your users want from you? What matters to them? It’s great to be armed with this information when considering enhancing your privacy efforts. 
  • Know the data: Ensure you have a record of the data that your organisation processes and why. Do you have a legal basis to process that data? Are your users informed? You cannot start to apply data protection measures without fully understanding these fundamentals across your business.
  • Leadership buy-in: It’s critical that your organisation firstly recognises the responsibility it has when handling sensitive information belonging to its users. This recognition comes from the top and should be encouraged and supported by your leadership team.


How does it feel to have recently achieved the Privacy ISO 27701 certification, in addition to the Security ISO 27001 certification? What were your secrets to success?


Receiving yet another ISO certification is a huge achievement for us at Flo. It's a testament to our unwavering commitment to prioritizing privacy and data protection for our users. The path to achieving this wasn’t easy, but it was worth it. We tested ourselves and didn’t mark our own homework. Independent auditors examined us against robust privacy ISO 27701 controls and standards, and confirmed that privacy is indeed embedded within Flo. 

What did we validate? 

  • Privacy and security by design and default is applied at Flo
  • Flo’s highly motivated cross-functional teams prioritize privacy and security 
  • Users have control of their data and their rights are respected

Most importantly, we continue to maintain trust with our users who depend on Flo to manage their health. 

Our secret to success? We understand that Privacy is a foundational expectation for consumers and businesses alike, and our commitment to strive for excellence in this domain is stronger than ever. 

How does ISO 27001 differ from ISO 27701?


The privacy and security standards were created by the International Organization for Standardization (ISO), which provides a framework and guidelines for establishing, implementing and managing an information security and privacy management system. Audits are independent and internationally recognised. 

ISO 27001 defines the requirements of an information security management system (ISMS), covering 14 domains of security to ensure all areas are adequately assessed. 

ISO 27701 provides a framework for organizations to manage and demonstrate compliance with privacy laws and regulations and is designed to help organizations establish and maintain effective privacy management practices, ensuring the protection of personally identifiable information.

What does achieving these dual ISO certifications mean for your users? Why should they care? 


Achieving dual certifications promises our users a number of benefits:

  1. GDPR Compliance: GDPR (General Data Protection Regulation) is a comprehensive data protection law in the European Union (EU) that sets strict guidelines for how companies handle personal data. By achieving these certifications, Flo cements its adherence to GDPR requirements, providing a deeper layer of assurance to our users that all data is being handled in compliance with this regulation.
  2. Privacy by Design: The concept of "privacy by design" means that privacy considerations are integrated into every aspect of Flo, from its initial design stages through its entire lifecycle. Achieving dual ISO certifications promises our users that we have implemented robust privacy measures, ensuring that user data is protected by default, rather than as an afterthought. This proactive approach to privacy helps mitigate the risk of data breaches and unauthorized access, enhancing user trust and confidence in Flo.
  3. Transparency and control: Our users also benefit from increased transparency and control over their data. Flo’s adherence to ISO standards means that our users have clear visibility into how their data is collected, processed, and used, empowering them to make informed decisions about their privacy preferences.

Can you outline any considerations or challenges that the industry may encounter when pursuing Privacy ISO 27701? How can they be addressed?


It’s hard work, but it’s worth it. Privacy needs to be embedded within the organisation, and the certification should serve as your final stamp of approval. 

As with Security ISO, use in-house talent where possible to manage this certification, because you need people who truly work with your business processes to understand how your controls can be verified. It makes the audit itself more of a natural conversation. 

The success of both certifications is the combination of people, technology and processes. All of these have their own challenges, but the rewards are great. 


What advice would you offer femtech companies contemplating their first ISO certification?


Embarking on the journey towards ISO certification requires a realistic approach and a significant organizational commitment. Some key considerations to keep in mind:

  • Secure leadership buy-in: Ensure that top management is fully supportive of the certification process and understands its importance for the organization.
  • Define clear policies: Establish well-defined policies and procedures that align with ISO standards and reflect the organization's commitment to quality and security.
  • Promote ownership at all levels: Assign responsibility for implementing and maintaining ISO standards throughout the organization, ensuring accountability across departments.
  • Maintain ongoing risk management: Continuously assess and address risks to information security and quality management to keep processes effective and relevant.
  • Stay adaptable: Remain flexible and responsive to evolving standards and organizational needs, adjusting strategies and processes as necessary.
  • Be prepared: Approach the certification process with thorough preparation, including documentation, training, and readiness assessments to maximize the likelihood of success.


Given the rapid pace of innovation in the femtech sector, how can femtech startups ensure that their data protection practices remain compliant and up-to-date post-certification?


There's a notion that maintaining compliance with ISO 27001 / ISO 27701 becomes more challenging after certification. Achieving accreditation is just the beginning; it takes an ongoing commitment to sustain it through continuous improvement. External auditors conduct annual assessments to ensure compliance, while internally, we monitor and measure the performance of our Information Security / Privacy Management System. It's a continuous process of striving for adherence. Achieving ISO certification is not the endpoint but rather one of many milestones to uphold the highest standards of data protection and privacy.