As a player in the healthcare industry, Flow Technologies is committed to taking information security very seriously. Safety is continuous work and implementation is everything. We have introduced a number of technical and organizational measures to ensure that we process personal data and health data in a secure and reliable manner. This page will hopefully provide reassurance and answers to how we handle security and privacy, but if you still have questions, send an email to email@example.com.
Before we go in depth:
- Flow Technologies is subject to and follows the GDPR and Norm for information security and privacy in the health and care sector (the Norm).
- Flow Technologies has introduced a management system based on the international standard for information security, ISO 27001.
From this it follows, among other things, that:
- Flow Technologies has control over which data we store and where it is stored.
- Flow Technologies carries out risk assessments of all third-party suppliers and also has data processing agreements with all third-party suppliers to ensure that they also process the data in accordance with the laws and regulations of the countries in which we operate.
- Flow Technologies has introduced a number of technical and organizational precautions to ensure privacy and information security.
- We continuously monitor what is happening in the world, such as assessments around Schrems II, the Trans-Atlantic Data Privacy Framework and other major or minor threats that may challenge privacy.
Storage of data
All information that Flow Technologies processes on behalf of our customers is stored on servers in Europe. Health information is stored logically and physically separately per customer, and our customers can choose the location for this data themselves. Unless otherwise agreed, this will be Frankfurt. We use Google Ireland Limited (Google) as a supplier. Google adheres to all important security standards, including ISO 27001, ISO 27017 and ISO 27018. As with all subcontractors, we have carried out a risk assessment of Google.
Data in transit
All data transmitted is encrypted via HTTPS/Transport Layer Security (TLS) in transit.
Stored data is encrypted with AES-256 or stronger. Flow Technologies shall not make copies of personal information and health information unless it is necessary to provide the service or for backup purposes.
Flow Technologies has introduced a number of technical and organizational security measures. Safety first is a built-in principle throughout the organization and is always included in the assessment in all processes. We work to ensure that employees in the organization are trained in privacy and security, and we also try to make sure that our customers and users can easily access the information they need to do their job, but no more than that. Below are a number of technical and organizational security measures we have introduced. The list is not exhaustive.
- Monthly safety meetings
Monthly safety meetings with training for all employees.
- Limited access
Access is limited to only the services needed to perform the job.
- Record of processing activities
We have control at all times over which data is stored where.
- Risk assessments
Risk assessments of all third party providers.
- Minimizing the number of third-party suppliers
By minimizing the number of third-party providers, we also minimize the number of attack vectors.
- Notifications in case of breach of privacy or information security
We have established procedures for what to do in the event of a suspected breach of privacy and information security, under which, among other things, we immediately inform everyone who may be affected by the incident.
- Password management systems
We use password management systems with individual passwords for each service.
All data is encrypted when stored and when in transit.
- Updated software
Regular software updates to prevent possible security holes.
- Notification in the event of a security breach
We monitor our services for unauthorized attempts to access data with log-based detection mechanisms. All breaches of privacy and/or security are notified to those affected.
Flow Technologies logs all access to, changes to and deletion of information, and who performed each action.
We pseudonymise data where we can so that even if the data is obtained, it should still not be possible to link the data to a specific identity.
Critical data is backed up at least once a day, and the backup is stored in a different physical location than the main data. This makes it possible to quickly get the system up and running from other geographical locations if necessary. All backup data is encrypted.
We authenticate our users with recognized technologies and methods.
- Ensures data integrity
Customers and users themselves have the opportunity to update their personal data to ensure data integrity.
- Gradual rollout
It is difficult to guard 100% against all errors. Human error can happen. Therefore, we roll out gradually so that if there are any errors, we find them early.
Third Party Providers
To minimize risk, Flow Technologies uses as few suppliers as possible and keeps access to the processing of personal and health information to a minimum. We risk assess all subcontractors and also have data processing agreements with all of them.