FlenioFlenio
Trust Center · last updated 07 July 2026

Trust is not a marketing word.It's architecture.

Here you'll find everything compliance, security and legal teams need for their vendor assessment. No NDA, no sales call, no "we'll talk about that later".

Zürich · Frankfurt · EU

Storage CH, compute DE, e-mail EU

Status monitoring

External probes every 60 sec — Vercel Edge in 5 regions

Zürich · Frankfurt · EU

Storage CH, compute DE, e-mail EU

Compliance & certifications

What we deliver – and what's planned.

We hide nothing. If something isn't there yet, we say so – with a date.

Active

GDPR + revFADP

Swiss FADP (revFADP) and EU GDPR compliance out of the box – not as an add-on.

Active

DPA under art. 28 GDPR

Data processing agreement included – even in the Free plan. Download as plain-text PDF.

Active

Data residency Switzerland

All content is stored by default in Zurich (Supabase eu-central-2).

Active

Multi-Factor Authentication

TOTP-based 2FA (Google Authenticator, 1Password, Authy) free for all plans.

Active

SAML 2.0 SSO

Single Sign-On via SAML for Business plans (Microsoft Entra, Okta, Google Workspace).

Active

Audit trail

Complete activity log with workspace filter and CSV export.

Q4/2026

Penetration test (third party)

Pen test planned in Q4/2026 by a certified CH security lab. Result summary public.

Roadmap

ISO 27001 (roadmap)

Certification in preparation. Controls are already being implemented.

Sub-processors · art. 28 GDPR

Who technically processes your data.

Complete, current list of processors with location and respective DPA link.

Sub-processorPurposeLocationDPA
Supabase Inc.Database + AuthZurich (eu-central-2) · CHAGB + DPA
Vercel Inc.Hosting + computeFrankfurt (fra1) · DEAGB + DPA
Stripe Payments Europe Ltd.Payment processingDublin · IEAGB + DPA
Resend Inc.Transactional e-mails incl. auth e-mailsEU eu-west-1 (Ireland)AGB + DPA
Anthropic PBCAI inference — only on active use, deactivatable per workspace; no training with customer dataUSA · DPA incl. SCCsAGB + DPA

Changes to this list are communicated 30 days in advance by e-mail to workspace owners. The right to object under art. 28 para. 2 GDPR remains.

Security practices

What runs under the hood.

Encryption

  • TLS 1.3 in transit between browser and server
  • AES-256 at rest (database + storage)
  • Password hashes via bcrypt + salt
  • Secrets via Vercel Environment Variables, never in code

Access control

  • Row Level Security (RLS) at Postgres level for every table
  • Workspace isolation: no user can read other workspaces' data
  • Service-Role key only in server-side code, never in the browser
  • Optional 2FA via TOTP, optional SAML SSO in the Business plan

Infrastructure

  • Hosting storage: Supabase, Zurich (eu-central-2), CH
  • Hosting compute: Vercel, Frankfurt (fra1), DE
  • Backups: encrypted daily, 30-day retention
  • Disaster recovery RPO ≤ 24h, RTO ≤ 4h

Incident response

  • 24h notification obligation under art. 33 GDPR to workspace admins
  • Security incidents fully recorded in the internal audit trail
  • Public post-mortems for major incidents on the status page
  • Bug Bounty: security@flenio.ch · responsible disclosure, fair treatment guaranteed

Compliance team questions?

We usually respond within 24h. In English too. We're happy to fill out vendor questionnaires (CAIQ, VSA, SIG-Lite).