Security & Trust • EU-hosted • GDPR-compliant

Security at Flowen

How we protect your data, your business, and your trust

1. Our Security Philosophy

Flowen is built on EU infrastructure with security as a first-class concern, not an afterthought. We operate under the principle that customer data should never leave the European Union, that strong cryptography is the default, and that transparency builds trust.

This page describes the technical and operational measures we have in place. We also list areas where we are actively investing to improve, because honest disclosure is part of how we think about security.

2. Hosting & Infrastructure

Primary: OVHcloud

France. ISO 27001 certified data centers. Production servers and application workloads.

Standby: Hetzner

Germany. Hot-standby with PostgreSQL streaming replication for failover.

  • DDoS protection: OVH's anti-DDoS infrastructure with capacity to mitigate attacks up to 1.3 Tbps, always-on, included at no extra cost
  • Geographic redundancy: Continuous database replication between France and Germany
  • EU data sovereignty: All production data remains within the EU/EEA at all times
  • No US-based providers processing production data — no CLOUD Act exposure
  • Network isolation: Geo-blocking on administrative endpoints, restricted access to internal services

3. Encryption

Files at rest

Customer-uploaded files are encrypted with AES-256-GCM, an authenticated encryption mode that protects both confidentiality and integrity. Each file is encrypted with a unique initialization vector.

Data in transit

All traffic to and from Flowen is encrypted using TLS 1.2 or higher with modern cipher suites. Certificates are managed automatically, with renewal handled well before expiry.

Password hashing

User passwords are never stored in plaintext. We use bcrypt with cost factor 12, which meets current OWASP recommendations for password hashing. Even with database access, passwords cannot be recovered.

Database

PostgreSQL is the production database. Connections between the application and database are restricted to internal network paths.

4. Authentication & Access Control

  • Email verification is required before account access is granted
  • JWT-based authentication with separate access and refresh tokens
  • Role-based access control at the team and resource level
  • Password reset via signed, time-limited tokens delivered by email
  • OAuth integrations (Microsoft Graph, LinkedIn, Facebook) where applicable, delegating authentication to the provider
  • Soft-delete on critical records to allow recovery from accidental data loss

On the roadmap

Multi-factor authentication (TOTP) for user accounts is in active development and expected to ship in Q3 2026. Rate limiting on authentication endpoints is being added at the same time.

5. Infrastructure Hardening

  • SSH key-only authentication on all servers — password authentication is disabled
  • fail2ban active for automatic blocking of brute-force attempts
  • Geo-blocking on administrative endpoints
  • Self-hosted secret management via Vaultwarden (open-source, EU-hosted) — no third-party password managers in our internal workflow
  • Regular system updates applied to production servers
  • Zero-downtime deploys via PM2 reload — security patches can be applied without service interruption
  • Limited deployment surface — only the application owner has production server access

6. Backup & Disaster Recovery

  • Continuous replication from OVH (France) to Hetzner (Germany) via rsync and PostgreSQL streaming replication
  • Daily off-site backup to Storegate (Swedish backup provider) via rclone
  • Retention policy: 30-day backup history with point-in-time recovery options
  • Soft-delete retention of 90 days on user-facing data, allowing recovery from accidental deletion
  • Geographically distributed — backups exist in multiple EU countries

7. Monitoring & Error Tracking

Flowen runs an internal error logging system that captures application errors with context (module, action, user) for review and remediation. We do not use third-party error tracking services that would transmit potentially sensitive data outside the EU.

Analytics are self-hosted using Umami at analytics.flowen.eu, which is GDPR-compliant by design and does not use cookies or tracking pixels.

8. Compliance & Standards

GDPR (EU 2016/679)

Full compliance with the EU General Data Protection Regulation

EU AI Act (EU 2024/1689)

Aligned with transparency obligations under Article 50. See our AI Act page.

Swedish Bokföringslagen

Accounting records retained for the legally required 7 years

EU data sovereignty

All processing and storage within EU/EEA

EU NIS2 Directive

Monitored as Flowen scales — applicability threshold not yet met

EU Cyber Resilience Act (CRA)

CRA applies to products with digital elements; SaaS is regulated under NIS2 instead

9. Incident Response & Disclosure

If a security incident occurs that affects customer data or service availability, we follow a structured process:

  1. Containment — immediate action to limit impact
  2. Investigation — root cause analysis with technical detail
  3. Communication — affected customers notified within 24 hours
  4. Regulatory notification — Swedish Data Protection Authority (IMY) informed within 72 hours when GDPR-relevant
  5. Post-mortem — published incident report describing what happened, what we did, and what we changed
  6. Hardening — security improvements deployed and documented

No security incidents affecting customer data have occurred in Flowen's production operation.

10. Vulnerability Disclosure

We welcome reports from the security research community. If you believe you have found a security vulnerability in Flowen, please contact us responsibly.

Email: security@flowen.eu

security.txt: /.well-known/security.txt (RFC 9116)

Response time: we aim to acknowledge reports within 48 hours

Coordinated disclosure: please give us reasonable time to investigate and fix before public disclosure

11. Security Roadmap

We believe transparency about planned improvements is more honest than implying our current state is complete. The following are in active development:

Multi-factor authentication (TOTP)

Q3 2026

User-facing MFA with authenticator app support. Optional for users, enforceable per team by administrators.

Authentication rate limiting

Q3 2026

Per-IP and per-account throttling on login endpoints to defend against brute-force attempts.
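To make the per-IP and per-account throttling concrete, here is an added Node.js example (written for this page, not Flowen's planned implementation) of a sliding-window login limiter that tracks both scopes independently: a burst from one address is stopped by the IP rule, while slow guessing against one account from many addresses is stopped by the account rule. The limits, window lengths, addresses and account names are constructed assumptions; it keeps state in memory for a single process.

```javascript
// Added example (not Flowen's code): in-memory per-IP and per-account
// throttling for a login endpoint, using a sliding window of attempt
// timestamps. The limits below are constructed assumptions.
class LoginRateLimiter {
  constructor({ ip = { max: 20, windowMs: 60_000 },
                account = { max: 5, windowMs: 15 * 60_000 } } = {}) {
    this.rules = { ip, account };
    this.attempts = new Map();  // "scope:key" -> timestamps of allowed attempts
  }

  // Drop timestamps older than the window and return what remains (oldest first).
  _recent(mapKey, windowMs, now) {
    const kept = (this.attempts.get(mapKey) || []).filter((t) => now - t < windowMs);
    this.attempts.set(mapKey, kept);
    return kept;
  }

  // Called before each password check. Either scope being exhausted blocks the
  // attempt; a blocked attempt is not recorded, so the retry time stays stable.
  attempt(ip, account, now = Date.now()) {
    const scopes = [
      ['ip', `ip:${ip}`, this.rules.ip],
      ['account', `account:${account.toLowerCase()}`, this.rules.account],
    ];
    for (const [scope, mapKey, rule] of scopes) {
      const recent = this._recent(mapKey, rule.windowMs, now);
      if (recent.length >= rule.max) {
        return { allowed: false, scope, retryAfterMs: recent[0] + rule.windowMs - now };
      }
    }
    for (const [, mapKey] of scopes) this.attempts.get(mapKey).push(now);
    return { allowed: true };
  }

  // After a successful login, clear the account's counter so a user who finally
  // remembered the password is not locked out; the IP counter is kept on purpose.
  clearAccount(account) {
    this.attempts.delete(`account:${account.toLowerCase()}`);
  }
}

// Constructed demo: six attempts on one account from one address within a minute.
function runDemo() {
  const limiter = new LoginRateLimiter();
  const results = [];
  for (let i = 0; i < 6; i++) {
    results.push(limiter.attempt('203.0.113.5', 'alice@example.com', i * 1000).allowed);
  }
  return results;  // [true, true, true, true, true, false]
}

console.log(runDemo());
```

The account key is lower-cased so that case variants of one email address share a counter, and the response carries `retryAfterMs` so the endpoint can set a Retry-After header instead of leaking which rule fired.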

Security audit logging

Q4 2026

Comprehensive logging of authentication events, permission changes, and sensitive data access for customer audit needs.

External penetration testing

Planned

Third-party security assessment to be commissioned as Flowen scales.

12. Contact

Security issues

security@flowen.eu

Privacy questions

privacy@flowen.eu

Data Protection Officer

dpo@flowen.eu

Provider

Industrinät AB
556886-5835
Gothenburg, Sweden

See also our Privacy Policy, Terms of Service, AI Act compliance statement and the Legal overview.