We treat your data the way we want our own treated.
Data storage in Zurich on every plan, processing in Switzerland and the EU. Developed to GDPR and revFADP standards. DPA-PDF downloaded in two clicks. Transparent list of all sub-processors. What costs an enterprise surcharge elsewhere is a given with us.
The four pillars
Security is not a feature. It's architecture.
Data in Switzerland
- Supabase region eu-central-2 in Zurich
- Backups remain in the EU
- No data transfer to the USA for your content
- Data residency lockable per workspace (Business)
Encryption
- TLS 1.3 for every connection
- AES-256 for data at rest
- Encrypted backups
- Session tokens rotated + HTTPS-only cookies
Identity management
- Bcrypt-hashed passwords (12 rounds)
- Multi-factor authentication via TOTP
- Single Sign-On via SAML 2.0 (Business)
- Granular roles Owner, Admin, Member, Guest
Auditability
- Complete activity log per workspace
- 30 days retention on Team, unlimited on Business
- Export as CSV or JSON
- Login attempts and API calls logged
Compliance matrix
Standards we meet — without asterisks.
Full transparency about current status. What isn't certified, we say too.
| Standard | Region | Status | Details |
|---|---|---|---|
| DSGVO | EU | Aligned | Developed to GDPR requirements: DPA under art. 28 available, data export under art. 20, deletion concept under art. 17. No external certification — status transparent. |
| revDSG | Switzerland | Aligned | Developed to the requirements of the revised Swiss Data Protection Act (in force since 1 September 2023): data storage in Switzerland, access and deletion rights implemented. |
| GDPR (UK) | United Kingdom | Aligned | UK GDPR is GDPR-equivalent; the GDPR measures apply accordingly. International Data Transfer Agreement (IDTA) on request. |
| ISO 27001 | International | In preparation | Audit preparation is underway. Planned for Q4/2026. Subprocessor Supabase is already ISO 27001 certified. |
| SOC 2 Type II | USA | In preparation | Preparatory audits Q2/2026. Planned certification Q1/2027. |
| C5 Testat | Germany | Roadmap | Cloud Computing Compliance Criteria Catalogue. Roadmap 2027 for public-sector customers. |
Sub-processors
Who processes which data — listed in full.
We hide nothing in footnotes — here is every provider whose servers touch our data, with purpose and location.
Frontend ≠ data storage — briefly explained
An IP lookup of flenio.ch shows our frontend — i.e. the website delivery via Vercel (compute in Frankfurt, EU). Vercel's edge network is registered with AWS, so an AWS/Amazon identifier appears there. That is not where your data is located.
Your data — database and file storage — is located at Supabase in the eu-central-2 (Zurich) region. Verifiable via the database host db.<project>.supabase.co. Data residency refers to this storage, not to the website delivery.
Supabase
PostgreSQL database, Auth, Storage, Realtime
eu-central-2 (Zurich, Switzerland)
Vercel
Frontend hosting, edge network
Frankfurt, Germany (fra1)
Stripe
Payment processing (only if paid plan)
Ireland (EU)
Resend
Transactional e-mails incl. auth e-mails (registration, invitations, notifications)
EU eu-west-1 (Ireland)
Anthropic
AI features (FlenioAI) — only on active use, deactivatable per workspace, no training with customer data
USA (DPA incl. Standard Contractual Clauses)
The complete current list with contact details and last audit can be found in the Trust Center.
Vulnerability disclosure
Found a security vulnerability? Let us know.
We believe in responsible disclosure. Security researchers who report vulnerabilities responsibly are listed with their consent in the Hall of Fame and we thank them with a CHF 100 bug bounty (or one year of Team free).
Security contact
Email us at security@flenio.ch. PGP key on request. Response within 24h business days.
What doesn't count
Theoretical vulnerabilities without proof of concept, volumetric DDoS, self-XSS via browser extensions, as well as anything that falls under social engineering.
Questions about the architecture or the DPA?
If your compliance department needs detailed answers, write to us. For banking, trustee or public-authority audits, we're happy to prepare a technical briefing.