
Our Security & Privacy Certifications: Setting the Industry Standard

Flo is the first and only period tracking app with dual ISO 27001 (Security) and ISO 27701 (Privacy) certifications. Independent third-party auditors have verified that our security and privacy practices meet these internationally recognized standards.

We don't just claim to care about privacy and security. We prove it.

Our Certifications

ISO 27001 (Information Security Management)

What it is:
ISO 27001 is the world's most widely recognized standard for information security management. It is published by the International Organization for Standardization (ISO), an independent body that sets global standards for quality and safety. Certification against the standard is issued by accredited certification bodies, not by ISO itself.

What it verifies:
Third-party auditors examined our security management processes and controls across all four control themes of the standard (organizational, people, physical, and technological) and verified that Flo has implemented comprehensive policies, processes, and safeguards to protect your data against cyberattacks, breaches, and unauthorized access.

When we achieved it:
Flo first achieved ISO 27001 certification in July 2022, becoming the first period tracking app to earn this distinction, and transitioned to the current version of the standard, ISO/IEC 27001:2022, in July 2025.

Recertification:
ISO 27001 requires annual surveillance audits and full recertification every three years. 

What is audited:

Auditors examined Flo's entire information security management system (ISMS), including:

  • Information security policies - Documented security standards and procedures
  • Organization of information security - Roles, responsibilities, and governance
  • Human resource security - Employee screening, training, and termination procedures
  • Asset management - How we track and protect data and systems
  • Access control - Who can access what data, and how access is managed
  • Cryptography - How we encrypt data at rest and in transit
  • Physical and environmental security - Data center security and controls
  • Operations security - Day-to-day security operations and monitoring
  • Communications security - Network security and data transfer protection
  • System acquisition, development, and maintenance - Secure development practices
  • Supplier relationships - How we manage third-party security risks
  • Incident management - How we detect, respond to, and recover from security incidents
  • Business continuity - Plans to maintain operations during disruptions
  • Compliance - Adherence to legal and regulatory requirements

What it means for you:
Your data is protected against risks such as cyberattacks, data leaks, and theft by security practices that meet the same international standard used by banks and healthcare providers.

Certificate:
[View our ISO 27001 certificate →]([CERTIFICATE URL OR DOWNLOAD LINK])
 Certification body: [CERTIFICATION BODY NAME]
 Certificate number: [CERTIFICATE NUMBER]
[Verify our certification →]([VERIFICATION URL])

ISO 27701 (Privacy Information Management)

What it is:
ISO 27701 is the world's most widely recognized standard for privacy information management. It extends ISO 27001 with requirements for a privacy information management system (PIMS) and is published by the International Organization for Standardization (ISO), an independent body that sets global standards for quality and safety.

What it verifies:
Third-party auditors verified that Flo has implemented robust privacy management practices that map to the requirements of GDPR and other privacy regulations applicable to Flo. This certification specifically examines how we collect, use, store, and protect your personal data.

When we achieved it:
Flo achieved ISO 27701 certification in January 2024, becoming the first and only period tracking app to earn this privacy certification.

Recertification:
ISO 27701 requires annual surveillance audits and full recertification every three years. 

Why this matters:
ISO 27701 is particularly rare in consumer health apps. Most apps claim to have robust privacy practices; Flo has proven it through independent third-party verification.

Connection to GDPR:
ISO 27701 aligns with GDPR articles and requirements. The standard includes specific controls for:

  • Lawful processing - only using personal data where legally allowed
  • Purpose limitation - using data only for stated purposes 
  • Data minimization - collecting only necessary data for a specific purpose 
  • Accuracy - keeping data up-to-date and correct 
  • Storage limitation - deleting data when no longer needed 
  • Security - protecting data with appropriate safeguards 
  • User rights - access, deletion, portability, and rectification 
  • Privacy by design and default - building privacy into our product and organisation by default 
  • Data protection impact assessments - proactively identifying, assessing, and mitigating privacy risks. 

By achieving ISO 27701, Flo demonstrated that these GDPR principles are embedded throughout our organization—not just stated in policy documents.

What is audited:

Auditors examined how privacy is built into Flo’s product and organisation by default, including through:

  • Privacy policies and procedures - How we communicate and maintain our privacy practices
  • Consent management - How we obtain and track user consent
  • Data subject rights - The processes we have to support and uphold all privacy rights, including access, deletion, and portability requests
  • External privacy notices - Ensuring we have clear and transparent privacy practices
  • Third-party data sharing - Managing data sharing with third parties (such as service providers who help us run the app)
  • Data retention and deletion - Making sure we only keep data when we need it
  • Data breach response - Procedures for detecting, managing, and reporting breaches
  • Cross-border transfers - Safeguards for permitted international data transfers 
  • Privacy training - How Flo employees are trained to uphold our privacy requirements & standards

Why Flo was the first femtech company to achieve this:
ISO 27701 requires significant investment in privacy infrastructure, which is exactly why most companies haven’t pursued it. Millions of women around the world trust us with the most intimate information about their health and well-being, and we believe that health data (especially reproductive health data) deserves the highest level of privacy protection. That is why Flo prioritized this certification.

What it means for you:
Your privacy rights under GDPR and other privacy laws are verified by independent expert auditors and backed by internationally recognized standards.

The Only Period Tracker With Dual Certification

Flo is the first and only period-tracking app to hold both ISO 27001 and ISO 27701 certifications.

What this means:
While some apps may have only one certification (usually ISO 27001 for security), Flo is the only period tracker to have both. We have proven excellence in both security and privacy management through expert third-party audits.

Why dual certification matters:

  • Security alone isn't enough - ISO 27701 aligns with global privacy regulations, demonstrating strong data privacy and protection capabilities, alongside the security requirements of ISO 27001
  • Privacy by design - ISO 27701 requires privacy to be built into every feature from the start, not added as an afterthought.
  • Continuous verification - Annual audits ensure we maintain these standards.

Independent verification:
Unlike self-certifications or internal audits, ISO certifications require rigorous examination by accredited third-party auditors. These auditors don't work for Flo. They work for the certification body, which ensures an objective and unbiased assessment against ISO standards. If those standards are not met, we will not be recertified.

Independent Audits & Verification

FTC Settlement Audit by Guidepost (2022)

Background:
In 2021, Flo reached a settlement with the FTC regarding data sharing practices between 2016 and 2019. The FTC raised questions about whether Flo's privacy policy adequately disclosed how data was shared with third parties, including through the Facebook Analytics SDK.

We used that SDK, as most apps do, to measure internal performance, such as fixing crashes and improving reliability. None of this data contained our members’ names, addresses, or birth dates. Nor did we share health information with third parties for social media, advertising, or marketing. Nevertheless, we heard our users' concerns and had already chosen to stop sharing information with these third parties altogether in January 2021.

This settlement was not an admission of wrongdoing. We chose to resolve it rather than pursue lengthy litigation because we believed our time and resources were better spent building the protections our users deserved, such as Anonymous Mode.

What we did next: Rather than move on, we invited scrutiny. Flo voluntarily engaged Guidepost Solutions, a leading independent compliance and investigations firm, to conduct a comprehensive privacy audit.

What was audited:
Guidepost Solutions examined Flo's:

  • Data collection and processing practices
  • Privacy policy accuracy and completeness
  • User consent mechanisms
  • Data sharing with third parties
  • Privacy controls and safeguards
  • Compliance with FTC settlement terms

Audit findings:
“Data privacy and security are heavily emphasized at Flo as being at the core of their operations.” - Guidepost Solutions audit report

“Flo does not have any gaps or weaknesses in its privacy practices.” - Guidepost Solutions audit report

What this demonstrates:
Following the FTC settlement, we did more than simply promise to meet industry standards. We invited an independent firm to verify our practices, and the audit confirmed that our privacy protections meet the standards we claim to uphold.

Learn more about our privacy journey

Ongoing Security Testing

We actively identify vulnerabilities through continuous security testing rather than waiting for problems to arise.

Penetration Testing

What it is:
Penetration testing (or "pen testing") is a process in which we hire external security experts to find and exploit vulnerabilities in our systems before malicious actors do. This proactive testing helps us strengthen our defenses and continuously improve our security posture.

Vulnerability Assessments

What it is:
A vulnerability assessment involves regular automated and manual scans of our systems to identify known security vulnerabilities, outdated software, and configuration issues, so they can be addressed before they pose a risk.

Continuous Monitoring

What it is:
24/7 automated monitoring for security threats, unusual activity, and potential breaches, allowing us to respond quickly and minimize impact.

ISO Certification Audits

What they are:
To maintain ISO 27001 and ISO 27701 certifications, Flo undergoes annual audits by an independent certification body.

What they examine:

  • Continued compliance with ISO standards
  • Implementation of any areas of improvement from previous audits
  • Any changes to our security or privacy practices, and their effectiveness
  • Any newly identified risks and the actions we take to address them

Frequently Asked Questions

What certifications does Flo have?

Flo holds dual ISO certifications for ISO 27001 (Information Security Management) and ISO 27701 (Privacy Information Management). Flo is the first and only period-tracking app to hold both certifications. These certifications are issued by accredited, independent certification bodies after audits by expert auditors and are considered the gold standard in security and privacy management.

What is ISO 27001?

ISO 27001 is the international standard for information security management. It provides a framework for managing sensitive information and ensuring its security. Organizations that achieve ISO 27001 certification have proven to independent auditors that they have implemented comprehensive security controls. Think of it as a comprehensive health check for a company's entire security practices – covering everything from employee training to encryption to incident response.

What is ISO 27701?

ISO 27701 is the global standard for privacy information management and provides a framework for demonstrating compliance with privacy regulations such as the GDPR.

ISO 27701 covers how privacy is protected when data is collected, used, shared, and stored. It's specifically designed to help organizations prove that their privacy practices meet global regulatory requirements.

What was audited in the Guidepost report following the FTC settlement?

Following Flo's 2021 FTC settlement, Guidepost Solutions conducted an independent assessment of Flo's privacy practices, including:

  • Data collection practices - What data Flo collects and how it's collected
  • Data sharing - Whether and how data is shared with third parties
  • Privacy policy accuracy - Whether our privacy policy accurately describes our practices
  • User consent - How we obtain and manage user consent
  • Privacy controls - Technical and organizational measures to protect privacy
  • Compliance with settlement terms - Verification that Flo meets FTC requirements

“Data privacy and security are heavily emphasized at Flo as being at the core of their operations.” – Guidepost Solutions audit report

“Flo was able to demonstrate a commitment to the privacy and security of its users’ data. [It] has devoted appropriate resources and personnel to ensuring it maintains these commitments.” – Guidepost Solutions audit report

How often are certifications renewed?

ISO 27001 and ISO 27701:

  • Initial certification: Valid for 3 years
  • Annual surveillance audits: Required every year to maintain certification
  • Recertification: Full re-audit every 3 years

Flo's certification timeline:

  • ISO 27001: Achieved July 2022, recertified in 2025
  • ISO 27701: Achieved January 2024, recertified in 2025

Why should I trust these certifications?

ISO certifications are issued by accredited, independent certification bodies, not by Flo. These auditors:

  • Work for the certification body, not for Flo
  • Follow standardized audit procedures
  • Are qualified under the requirements that accredited certification bodies must meet (ISO/IEC 17021), not trained or employed by ISO itself
  • Have no financial incentive to pass companies that don't meet requirements
  • Can suspend or revoke certifications for non-compliance

This independence ensures certifications are meaningful, not just marketing claims.

See How We Protect Your Data

Learn about our privacy practices:
Your Data & Privacy 

Explore our privacy journey:
See how we evolved from good to industry standard.
Our Privacy Journey 

Meet our privacy team:
The experts who earned these certifications.
Meet the Team 

Keeping your data safe:

Learn more about how we protect your personal data.

Data security at Flo

Have Questions?

Visit our FAQ for more answers about privacy and security.
Privacy FAQ