Your personal data security is our top priority at Flo. We do understand that your app profile may contain highly sensitive personal data. Therefore, every day we do our best to implement industry best practices and standards.
Legal compliance
Flo is committed to ensuring the security and protection of personal data following the requirements of the EU General Data Protection Regulation, California Consumer Privacy Act and other regulations.
3rd party audits
We regularly conduct audits with the assistance of well-known third-party agencies to screen and enhance our internal security processes and policies.
Physical and environmental security
Flo complies with the highest industry standards for physical, environmental, and hosting controls. Flo's data centers, which are handled by Amazon Web Services, take advantage of brand-new architectural and engineering approaches.
Product security
Servers and networking

All our production servers are immutable, continuously patched Docker-based systems. We also utilize additional AWS services such as VPC (Virtual Private Cloud), AWS multi-account infrastructure, and EKS (Elastic Kubernetes Service). To secure communication over the network, we use the HTTPS protocol, encrypted with TLS (Transport Layer Security).

 


Encryption

We utilize AWS KMS (Key Management Service) to create and manage keys and control the use of encryption across a wide range of AWS services and our application.

 


Storage

Flo stores all data such as metadata, activity, original files, and customer’s data in different places. All data is encrypted by KMS in each place.

End-user sensitive data is removed from logs and Flo engineers have no access to this data.  


Isolated environments

The Production network is isolated from the Staging, Development, and Infrastructure environments. Each environment is located in a separate AWS account and in separate VPC networks.

 


Customer payment data

All payments are processed by the App Store, Google Play, or Stripe, which take full responsibility for payment security. Flo doesn’t store any credit card information.

 


Secure by design
Flo engineers leverage the best product development techniques that adhere to industry standards, such as having documented development and quality assurance processes. Guided by the security principles of confidentiality, integrity, and availability, we design our app to reduce the risk of mistakes that open up vulnerabilities.
Service levels and backups
Flo infrastructure utilizes many layered techniques for increasingly reliable uptime, including the use of auto-scaling, load balancing, task queues, and rolling deployments. We do full daily automated backups of our databases. All backups are encrypted.
System monitoring and alerting
At Flo, the production application and underlying infrastructure components are monitored 24/7/365 by dedicated monitoring systems. Critical alerts generated by these systems are sent to 24/7/365 on-call service owners and escalated appropriately to operations management.
Vulnerability (penetration) testing
Web application security is evaluated by the development team in sync with the application release cycle. This vulnerability testing includes the use of commonly known web application security toolkits and scanners to identify application vulnerabilities before they are released into production.
Traffic management
The Cloudflare security suite allows the Flo app to automatically block malicious traffic and ensure app reliability. No matter where our users are located, Flo works smoothly on their smartphones thanks to smart traffic routing, and content in the app is now delivered to the user from the closest Cloudflare server.
Resources

If you have any questions or suggestions regarding security and privacy at Flo, send us a note at privacy@flo.health