Trust is not a marketing word.
It's architecture.
Here you'll find everything compliance, security and legal teams need for their vendor assessment. No NDA, no sales call, no "we'll talk about that later".
Zürich · Frankfurt · EU
Storage CH, compute DE, e-mail EU
Status monitoring
External probes every 60 sec — Vercel Edge in 5 regions
Zürich · Frankfurt · EU
Storage CH, compute DE, e-mail EU
Compliance & certifications
What we deliver – and what's planned.
We hide nothing. If something isn't there yet, we say so – with a date.
GDPR + revFADP
Swiss FADP (revFADP) and EU GDPR compliance out of the box – not as an add-on.
DPA under art. 28 GDPR
Data processing agreement included – even in the Free plan. Download as plain-text PDF.
Data residency Switzerland
All content is stored by default in Zurich (Supabase eu-central-2).
Multi-Factor Authentication
TOTP-based 2FA (Google Authenticator, 1Password, Authy) free for all plans.
SAML 2.0 SSO
Single Sign-On via SAML for Business plans (Microsoft Entra, Okta, Google Workspace).
Audit trail
Complete activity log with workspace filter and CSV export.
Penetration test (third party)
Pen test planned in Q4/2026 by a certified CH security lab. Result summary public.
ISO 27001 (roadmap)
Certification in preparation. Controls are already being implemented.
Sub-processors · art. 28 GDPR
Who technically processes your data.
Complete, current list of processors with location and respective DPA link.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase Inc. | Database + Auth | Zurich (eu-central-2) · CH | AGB + DPA |
| Vercel Inc. | Hosting + compute | Frankfurt (fra1) · DE | AGB + DPA |
| Stripe Payments Europe Ltd. | Payment processing | Dublin · IE | AGB + DPA |
| Resend Inc. | Transactional e-mails incl. auth e-mails | EU eu-west-1 (Ireland) | AGB + DPA |
| Anthropic PBC | AI inference — only on active use, deactivatable per workspace; no training with customer data | USA · DPA incl. SCCs | AGB + DPA |
Changes to this list are communicated 30 days in advance by e-mail to workspace owners. The right to object under art. 28 para. 2 GDPR remains.
Security practices
What runs under the hood.
Encryption
- TLS 1.3 in transit between browser and server
- AES-256 at rest (database + storage)
- Password hashes via bcrypt + salt
- Secrets via Vercel Environment Variables, never in code
Access control
- Row Level Security (RLS) at Postgres level for every table
- Workspace isolation: no user can read other workspaces' data
- Service-Role key only in server-side code, never in the browser
- Optional 2FA via TOTP, optional SAML SSO in the Business plan
Infrastructure
- Hosting storage: Supabase, Zurich (eu-central-2), CH
- Hosting compute: Vercel, Frankfurt (fra1), DE
- Backups: encrypted daily, 30-day retention
- Disaster recovery RPO ≤ 24h, RTO ≤ 4h
Incident response
- 24h notification obligation under art. 33 GDPR to workspace admins
- Security incidents fully recorded in the internal audit trail
- Public post-mortems for major incidents on the status page
- Bug Bounty: security@flenio.ch · responsible disclosure, fair treatment guaranteed
Compliance team questions?
We usually respond within 24h. In English too. We're happy to fill out vendor questionnaires (CAIQ, VSA, SIG-Lite).