FlenioFlenio
Security + compliance

We treat your data the way we want our own treated.

Data storage in Zurich on every plan, processing in Switzerland and the EU. Developed to GDPR and revFADP standards. DPA-PDF downloaded in two clicks. Transparent list of all sub-processors. What costs an enterprise surcharge elsewhere is a given with us.

The four pillars

Security is not a feature. It's architecture.

Data in Switzerland

  • Supabase region eu-central-2 in Zurich
  • Backups remain in the EU
  • No data transfer to the USA for your content
  • Data residency lockable per workspace (Business)

Encryption

  • TLS 1.3 for every connection
  • AES-256 for data at rest
  • Encrypted backups
  • Session tokens rotated + HTTPS-only cookies

Identity management

  • Bcrypt-hashed passwords (12 rounds)
  • Multi-factor authentication via TOTP
  • Single Sign-On via SAML 2.0 (Business)
  • Granular roles Owner, Admin, Member, Guest

Auditability

  • Complete activity log per workspace
  • 30 days retention on Team, unlimited on Business
  • Export as CSV or JSON
  • Login attempts and API calls logged

Compliance matrix

Standards we meet — without asterisks.

Full transparency about current status. What isn't certified, we say too.

StandardRegionStatusDetails
DSGVOEUAlignedDeveloped to GDPR requirements: DPA under art. 28 available, data export under art. 20, deletion concept under art. 17. No external certification — status transparent.
revDSGSwitzerlandAlignedDeveloped to the requirements of the revised Swiss Data Protection Act (in force since 1 September 2023): data storage in Switzerland, access and deletion rights implemented.
GDPR (UK)United KingdomAlignedUK GDPR is GDPR-equivalent; the GDPR measures apply accordingly. International Data Transfer Agreement (IDTA) on request.
ISO 27001InternationalIn preparationAudit preparation is underway. Planned for Q4/2026. Subprocessor Supabase is already ISO 27001 certified.
SOC 2 Type IIUSAIn preparationPreparatory audits Q2/2026. Planned certification Q1/2027.
C5 TestatGermanyRoadmapCloud Computing Compliance Criteria Catalogue. Roadmap 2027 for public-sector customers.

Sub-processors

Who processes which data — listed in full.

We hide nothing in footnotes — here is every provider whose servers touch our data, with purpose and location.

Frontend ≠ data storage — briefly explained

An IP lookup of flenio.ch shows our frontend — i.e. the website delivery via Vercel (compute in Frankfurt, EU). Vercel's edge network is registered with AWS, so an AWS/Amazon identifier appears there. That is not where your data is located.

Your data — database and file storage — is located at Supabase in the eu-central-2 (Zurich) region. Verifiable via the database host db.<project>.supabase.co. Data residency refers to this storage, not to the website delivery.

Supabase

PostgreSQL database, Auth, Storage, Realtime

eu-central-2 (Zurich, Switzerland)

SOC 2HIPAAISO 27001

Vercel

Frontend hosting, edge network

Frankfurt, Germany (fra1)

SOC 2PCI DSS

Stripe

Payment processing (only if paid plan)

Ireland (EU)

PCI DSS Level 1SOC 1+2

Resend

Transactional e-mails incl. auth e-mails (registration, invitations, notifications)

EU eu-west-1 (Ireland)

SOC 2

Anthropic

AI features (FlenioAI) — only on active use, deactivatable per workspace, no training with customer data

USA (DPA incl. Standard Contractual Clauses)

SOC 2

The complete current list with contact details and last audit can be found in the Trust Center.

Vulnerability disclosure

Found a security vulnerability? Let us know.

We believe in responsible disclosure. Security researchers who report vulnerabilities responsibly are listed with their consent in the Hall of Fame and we thank them with a CHF 100 bug bounty (or one year of Team free).

Security contact

Email us at security@flenio.ch. PGP key on request. Response within 24h business days.

What doesn't count

Theoretical vulnerabilities without proof of concept, volumetric DDoS, self-XSS via browser extensions, as well as anything that falls under social engineering.

Questions about the architecture or the DPA?

If your compliance department needs detailed answers, write to us. For banking, trustee or public-authority audits, we're happy to prepare a technical briefing.