As a player in the healthcare industry, Flow Technologies is committed to taking information security very seriously. Safety is continuous work and implementation is everything. We have introduced a number of technical and organizational measures to ensure that we process personal data and health data in a secure and reliable manner. This page will hopefully provide reassurance and answers to how we handle security and privacy, but if you still have questions, send an email to privacy@flowzone.eu .

Before we go in depth: 

  • Flow Technologies is subject to and follows the GDPR and Norm for information security and privacy in the health and care sector (the Norm).
  • Flow Technologies has introduced a management system based on the international standard for information security ISO27001

From this it follows, among other things, that:

  • Flow Technologies has control over which data we store and where it is stored.
  • Flow Technologies carries out risk assessments of all third-party suppliers and also has data processing agreements with all third-party suppliers to ensure that they also process the data in accordance with the laws and regulations of the countries in which we operate.
  • Flow Technologies has introduced a number of technical and organizational precautions to ensure privacy and information security. 
  • We continuously monitor what is happening in the world, such as assessments around Schrems II, the Trans-Atlantic Data Privacy Framework and other major or minor threats that may challenge privacy. 

Storage of data

All information that Flow Technologies processes on behalf of our customers is stored on servers in Europe. Health information is stored logically and physically separately per customer, and our customers can choose the location for this data themselves. Unless otherwise agreed, this will be Frankfurt. We use Google Ireland Limited (Google) as a supplier. Google adheres to all important security standards, including ISO 27001, ISO 27017 and ISO 27018. As with all subcontractors, we have carried out a risk assessment of Google.

Encryption

Data in transit
All data transmitted is encrypted via HTTPS/Transport Layer Security (TLS) in transit.

Stored data
Stored data is encrypted with at least AES-256 or higher encryption levels. Flow Technologies shall not make copies of personal information and health information unless it is necessary to provide the service or for backup purposes.

Security measures

Flow Technologies has introduced a number of technical and organizational security measures. Safety first is a built-in principle throughout the organization and is always included in the assessment in all processes. We not only work to ensure that employees in the organization are trained in privacy and security, but also try to make sure that our customers and users can easily access the information they need to do their job, but also not more. Below are a number of technical and organizational security measures we have introduced. The list is not exhaustive.

Organizational measures:

  • Monthly safety meetings
    Monthly safety meetings with training for all employees
  • Limited access
    Limited access to only the services you need to perform the job to be performed. 
  • Protocol of treatment activities
    At all times control over which data is stored where.
  • Risk assessments
    Risk assessments of all third party providers. 
  • Minimizes the number of third party suppliers
    By minimizing the number of third-party providers, we also minimize the number of attack vectors. 
  • Notifications in case of breach of privacy or information security
    Incorporated procedures for what to do in the event of a suspected breach of privacy and information security where, among other things, we immediately inform everyone who may be affected by the incident
  • Multi-factor authentication
    Requires at least two-factor authentication for access to all services that process personal information.
  • Password management systems
    Uses password management systems with individual passwords on each service. 

Technical measures:

  • Encryption
    All data is encrypted when stored and when in transit. 
  • Updated software
    Regular software updates to prevent possible security holes
  • Security Breach Notification
    We monitor our services for unauthorized attempts to access data with log-based detection mechanisms. Any breach of privacy and/or security is notified to those affected. 
  • Logging
    Flow Technologies logs all access, change and deletion of information and who performs this
  • Pseudonumerization
    We pseudonymise data where we can so that even if the data is obtained, it should still not be possible to link the data to a specific identity. 
  • Backup
    Backup of critical data at least once a day, where the backup is stored in a different physical location than the main data. This makes it possible to quickly get the system up and running from other geographical locations if necessary. All backup data is encrypted. 
  • Authentication
    We authenticate our users with recognized technologies and methods.
  • Ensures data integrity
    Customers and users themselves have the opportunity to update their personal data to ensure data integrity.
  • Gradual rollout
    It is difficult to guard 100% against all errors. Human error can happen. Therefore, we are rolling out gradually so that if there are any errors, we will find them out early.

Third Party Providers

To minimize risk, Flow Technologies uses the fewest possible number of suppliers and keeps access to the processing of personal and health information to a minimum. We risk assess all subcontractors and also have data processing agreements with all of them. 

Business name Address Service Processing Legal basis
Google Ireland Limited Gordon House Barrow Street Dublin 4, Ireland Hosting services and core systems End User Personal Data as defined in the DPA DPA
Signicat AS Gryta 2 B, 7010 Trondheim, Norway Identification Personal name, Personal contact information, National identity number DPA
The Rocket Science Group, LLC 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA Transactional emails End user email address, Personal name DPA/SCC
ONLINECITY.IO ApS Buchwaldsgade 50, 5000 Odense C, Denmark SMS Phone number and content of SMS DPA
If the data controller has activated video meetings:
Whereby AS Street 1 107, 6700 Måløy, Norway Video meetings Display name DPA
If data controller has activated integration with Extensor EPR:
Extensor Storgata 60, 8006 Bodø, Norway EPR Personal assessment data DPA