As a player in the healthcare industry, Flow Technologies is committed to taking information security very seriously. Safety is continuous work and implementation is everything. We have introduced a number of technical and organizational measures to ensure that we process personal data and health data in a secure and reliable manner. This page will hopefully provide reassurance and answers to how we handle security and privacy, but if you still have questions, send an email to privacy@flowzone.eu.

Before we go in depth: 

  • Flow Technologies is subject to and follows the GDPR and the Norm for information security and privacy in the health and care sector (the Norm).
  • Flow Technologies has introduced a management system based on ISO 27001, the international standard for information security.

From this it follows, among other things, that:

  • Flow Technologies has control over which data we store and where it is stored.
  • Flow Technologies carries out risk assessments of all third-party suppliers and also has data processing agreements with all third-party suppliers to ensure that they also process the data in accordance with the laws and regulations of the countries in which we operate.
  • Flow Technologies has introduced a number of technical and organizational precautions to ensure privacy and information security. 
  • We continuously monitor what is happening in the world, such as assessments around Schrems II, the Trans-Atlantic Data Privacy Framework and other major or minor threats that may challenge privacy. 

Storage of data

All information that Flow Technologies processes on behalf of our customers is stored on servers in Europe. Health information is stored logically and physically separately per customer, and our customers can choose the location for this data themselves. Unless otherwise agreed, this will be Frankfurt. We use Google Ireland Limited (Google) as a supplier. Google adheres to all important security standards, including ISO 27001, ISO 27017 and ISO 27018. As with all subcontractors, we have carried out a risk assessment of Google.

Encryption

Data in transit
All data transmitted is encrypted via HTTPS/Transport Layer Security (TLS) in transit.

Stored data
Stored data is encrypted with AES-256 or stronger. Flow Technologies shall not make copies of personal information and health information unless it is necessary to provide the service or for backup purposes.

Security measures

Flow Technologies has introduced a number of technical and organizational security measures. Safety first is a built-in principle throughout the organization and is always included in the assessment in all processes. We not only work to ensure that employees in the organization are trained in privacy and security, but also try to make sure that our customers and users can easily access the information they need to do their job, and no more than that. Below are a number of technical and organizational security measures we have introduced. The list is not exhaustive.

Organizational measures:

  • Monthly safety meetings
    Monthly safety meetings with training for all employees.
  • Limited access
    Access is limited to only the services each employee needs to perform their job.
  • Record of processing activities
    We maintain control at all times over which data is stored where.
  • Risk assessments
    Risk assessments of all third party providers. 
  • Minimizes the number of third party suppliers
    By minimizing the number of third-party providers, we also minimize the number of attack vectors. 
  • Notifications in case of breach of privacy or information security
    We have incorporated procedures for what to do in the event of a suspected breach of privacy or information security, where, among other things, we immediately inform everyone who may be affected by the incident.
  • Multi-factor authentication
    Requires at least two-factor authentication for access to all services that process personal information.
  • Password management systems
    Uses password management systems with individual passwords on each service. 

Technical measures:

  • Encryption
    All data is encrypted when stored and when in transit. 
  • Updated software
    Regular software updates to prevent possible security holes.
  • Security Breach Notification
    We monitor our services for unauthorized attempts to access data with log-based detection mechanisms. Any breach of privacy and/or security is notified to those affected. 
  • Logging
    Flow Technologies logs all access to, changes to and deletion of information, and who performs each action.
  • Pseudonymisation
    We pseudonymise data where we can so that even if the data is obtained, it should still not be possible to link the data to a specific identity. 
  • Backup
    Backup of critical data at least once a day, where the backup is stored in a different physical location than the main data. This makes it possible to quickly get the system up and running from other geographical locations if necessary. All backup data is encrypted. 
  • Authentication
    We authenticate our users with recognized technologies and methods.
  • Ensures data integrity
    Customers and users themselves have the opportunity to update their personal data to ensure data integrity.
  • Gradual rollout
    It is difficult to guard 100% against all errors. Human error can happen. Therefore, we roll out gradually so that if there are any errors, we will find them early.

Third Party Providers

To minimize risk, Flow Technologies uses the fewest possible number of suppliers and keeps access to the processing of personal and health information to a minimum. We risk assess all subcontractors and also have data processing agreements with all of them. 

| Business name | Address | Service | Processing | Legal basis |
| --- | --- | --- | --- | --- |
| Google Ireland Limited | Gordon House Barrow Street Dublin 4, Ireland | Hosting services and core systems | End User Personal Data as defined in the DPA | DPA |
| Headless Operations | Grensen 17, 0159 Oslo, Norway | Hosting services and core systems | End User Personal Data as defined in the DPA | DPA |
| Signicat AS | Gryta 2 B, 7010 Trondheim, Norway | Identification | Personal name, Personal contact information, National identity number | DPA |
| The Rocket Science Group, LLC | 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA | Transactional emails | End user email address, Personal name | DPA/SCC |
| ONLINECITY.IO ApS | Buchwaldsgade 50, 5000 Odense C, Denmark | SMS | Phone number and content of SMS | DPA |

If the data controller has activated video meetings:

| Business name | Address | Service | Processing | Legal basis |
| --- | --- | --- | --- | --- |
| Whereby AS | Street 1 107, 6700 Måløy, Norway | Video meetings | Display name | DPA |

If the data controller has activated integration with Extensor EPR:

| Business name | Address | Service | Processing | Legal basis |
| --- | --- | --- | --- | --- |
| Extensor | Storgata 60, 8006 Bodø, Norway | EPR | Personal assessment data | DPA |