ISO/IEC 27001:2022
Certified. Renewal in progress (2026 surveillance/recertification audit). Full certificate details available under NDA.
Trust Hub
Flowie Trust Hub
GDPR-compliant. ISO 27001:2022 certified. EU-hosted. 9 named sub-processors under signed DPAs and SCCs. Customer data processed exclusively in the EU under S3NS sovereign cloud.
Direct answer: Flowie is GDPR-compliant, EU-hosted, and ISO 27001:2022 certified. We have 9 named sub-processors, all covered by Data Processing Agreements and Standard Contractual Clauses. Our DPA template is available in English and French (May 2025 revision). Customer data is processed exclusively within the EU under S3NS sovereign cloud — primary in Paris, disaster-recovery in Belgium. AI providers process descriptive text only; they never see financial amounts or account numbers, and they are contractually bound to zero retraining. This page routes you to the specific commitments you need: security controls, sub-processor details, and breach notification procedures.
Trusted by enterprise finance teams
Independent third-party validation
Certifications
Cybervadis — Mature
Score 878 / 1000 · Industry benchmark 654 (assessed 2024-10-04)
French Plateforme Agréée (PA)
Certified December 2025 · French e-invoicing mandate (XP Z12-014)
Peppol BIS Billing 3.0
Compliant · Pan-European e-invoicing interoperability
SOC 2
Not currently held — see FAQ
—
Additional security evidence — penetration test reports, Detectify continuous scanning results, and the full ISMS Statement of Applicability — is available to qualified prospects under NDA.
GDPR
Your Data, Your Rights
Flowie handles B2B financial and procurement data. That means invoices, payment terms, supplier identities, and approval workflows — data that carries legal and fiduciary weight. We treat it accordingly.
Under GDPR, your organization holds rights over every personal data element Flowie processes on your behalf. Those rights are not theoretical.
GDPR-compliant
Articles 28 (DPA), 33 (72h breach), 34 (customer notification), 15-22 (data subject rights)
DPA · EN + FR
Article 28 GDPR · May 2025 revision · countersigned before go-live
Named DPO
[email protected] · responds within 30 days · residency + subject-rights questions
9 sub-processors
All under signed DPAs · non-EU under SCCs · full table at /trust/subprocessors
72h breach response
GDPR Art. 33 supervisory authority notification · Art. 34 customer notification without undue delay
What we collect
- User identity (name, email, role)
- Transaction metadata (invoice references, amounts, dates)
- Supplier and counterparty details
- Document content uploaded to the platform
- Behavioral and access logs (for security and audit purposes)
Why we collect it
- To execute the orchestration workflows you configure
- To deliver notifications and approvals
- To maintain audit trails required by e-invoicing regulation
- To diagnose performance and security events
Your rights under GDPR
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to data portability (Art. 20)
- Right to object to processing (Art. 21)
- Right to lodge a complaint with your national supervisory authority
To exercise any of these rights, contact [email protected]. We respond within 30 days.
Article 28 GDPR
Data Processing Agreement
Every customer relationship at Flowie is governed by a signed Data Processing Agreement. The DPA defines the scope of processing, the legal basis, sub-processor obligations, data subject rights procedures, and your ability to audit.
The current DPA template was revised in May 2025 and is available in English and French. It aligns with GDPR Article 28 requirements and includes a complete sub-processor annex by reference to the list published at /trust/subprocessors.
If you need a countersigned DPA before procurement approval, we can turn that around quickly — typical turnaround depends on the specific redlines submitted. Request it via the form at the bottom of this page or email [email protected] directly.
⚠️ TO VALIDATE: confirm specific DPA countersignature SLA with Legal before publish (e.g. "within X business days") if a public commitment is desired.
No customer goes live without a signed DPA in place.
9 named vendors
Sub-Processors
Flowie uses 9 named sub-processors. Every one has a signed Data Processing Agreement with us. Non-EU sub-processors are covered by Standard Contractual Clauses. The full table — including purpose, data category, hosting location, retention period, and security certifications for each vendor — is published below and at /trust/subprocessors.
- GCP via S3NS(Infrastructure)France (primary)
- Auth0(Authentication)Belgium
- SendGrid(Email)United States (EU options available)
- Sentry(Monitoring)United States (EU options available)
- Intercom(Support)United States (EU residency available)
- Fivetran(ETL)United States (data in transit only)
- OpenAI(AI)United States
- Mistral AI(AI)France
- Anthropic(AI)United States
S3NS · sovereign cloud
EU and Sovereign Hosting
| Attribute | Detail |
|---|---|
| Primary region | Paris, France |
| Disaster-recovery region | Belgium · cross-border DR within the EU |
| Cloud provider | S3NS (Google Cloud + Thales joint venture) |
| Sovereign posture | ANSSI SecNumCloud-aligned · French law jurisdiction |
| Data residency | 100% EU at infrastructure layer · zero US/UK replication |
All Flowie customer data is processed and stored within the European Union. There are no exceptions.
Our infrastructure partner is S3NS — the sovereign cloud platform built jointly by Google Cloud and Thales. S3NS operates under French law, meets ANSSI SecNumCloud requirements, and provides physical and logical separation from US-jurisdiction cloud infrastructure.
Primary region: Paris, France. Disaster-recovery region: Belgium. Data does not cross EU borders at the infrastructure layer.
Three AI providers
AI Data Handling
This section is more specific than most vendors provide, because the questions we receive are specific.
Flowie integrates three AI providers: OpenAI, Mistral AI, and Anthropic. Each is used for natural language processing tasks — extracting field values from document text, matching line items, categorizing descriptions.
| Provider | Hosting region | Residency posture |
|---|---|---|
| Mistral AI | France · EU | Full inference cycle remains in France |
| OpenAI | United States | Under signed SCCs · descriptive text only · zero retraining |
| Anthropic | United States | Under signed SCCs · descriptive text only · zero retraining |
What AI providers receive
Descriptive text only. Supplier names, line item descriptions, product references, document titles. That is the complete scope.
What AI providers never receive
Financial amounts, IBAN or account numbers, payment terms values, or any data field that could identify a transaction's financial exposure.
This is enforced at the data pipeline layer before any call leaves our infrastructure. It is not a policy preference — it is a technical boundary.
Zero retraining — contractual commitment
All three AI providers are bound by contract to not use Flowie customer data to train or fine-tune their models. This applies to API-submitted data and is not dependent on product settings or opt-outs. The commitment is in writing, in the DPA annexes.
If your security team needs the specific DPA language covering AI processing constraints, request it through the DPA form below.
GDPR Article 33 / 34
GDPR and Breach Response
Flowie maintains a dedicated GDPR Incident Response Plan, separate from the general incident management policy. It governs specifically what happens when personal data is involved in a security event.
72-hour notification commitment
GDPR Art. 33 · 72h compliantIn the event of a personal data breach meeting the threshold under GDPR Article 33, Flowie notifies the relevant supervisory authority within 72 hours of becoming aware of the breach. This is not a target — it is our contractual and regulatory obligation.
Customer notification
Where a breach is likely to result in a high risk to the rights and freedoms of your users, we notify you without undue delay so you can fulfill your own GDPR Article 34 obligations. The notification includes the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
How notification reaches you
Through the technical contact and DPO contact designated in your signed DPA. If those contacts change, update them with your account manager so notification routing stays current.
The full GDPR Incident Response Plan is available for review under NDA as part of advanced due diligence.
Buyers ask us this
Frequently Asked Questions
Is Flowie ISO 27001 certified?
Yes. Flowie holds ISO/IEC 27001:2022 certification. The ISMS covers Flowie's SaaS platform and supporting infrastructure. The certification was issued by Prescient Security (certificate #122245). Annual surveillance audits maintain the certification; full certificate details are available under NDA or via the DPA request process.
Where is our data stored?
All customer data is stored within the European Union. Primary infrastructure is in Paris, France, on the S3NS sovereign cloud (Google Cloud + Thales). Disaster-recovery infrastructure is in Belgium. No customer data is replicated outside the EU at the infrastructure layer. Mistral AI, one of three AI sub-processors, is also France-hosted, meaning AI inference for that provider stays within French jurisdiction.
Do you have a SOC 2 report?
No. Flowie does not currently hold a SOC 2 Type II report. We hold ISO/IEC 27001:2022 certification, which covers a comparable control scope under an internationally recognized standard. Our Cybervadis score of 878/1000 (Mature rating, benchmark 654) provides independent third-party validation of our security posture. If SOC 2 is a hard requirement in your procurement process, contact us to discuss — we can provide supporting evidence from our ISMS audit package.
Which vendors have access to our data?
Nine named sub-processors, listed in full at /trust/subprocessors. Every sub-processor has a signed DPA with Flowie. Non-EU transfers (SendGrid, Sentry, Intercom, Fivetran, OpenAI, Anthropic) are covered by Standard Contractual Clauses. Auth0 is EU-hosted (Belgium). GCP/S3NS and Mistral AI are France/Belgium-hosted. No sub-processor has access to your full dataset — each receives only the data category required for its specific function.
Do your AI providers retrain on our data?
No. This is a contractual commitment with all three AI providers — OpenAI, Mistral AI, and Anthropic. None of them may use data submitted via Flowie's API integration to train or fine-tune their models. Additionally, what AI providers receive is technically constrained to descriptive text only. Financial amounts, IBANs, and account numbers never leave Flowie's infrastructure on their way to an AI provider.
What about GDPR Data Processing Agreements?
Flowie provides a DPA template in English and French (current revision: May 2025). No customer goes live without a countersigned DPA. The DPA covers processing scope, legal basis, data subject rights, sub-processor obligations, breach notification, and audit rights. Request a countersigned DPA using the form at the bottom of this page.
How do you handle data subject requests?
Data subject requests — access, rectification, erasure, portability, objection — submitted to Flowie by your employees or counterparties are routed to [email protected]. We respond within 30 days. For requests requiring action on data held in your ERP or other systems Flowie integrates with, we coordinate with your technical team to scope the response accurately. The procedure is documented in our GDPR Compliance Policy.
What happens in case of a breach?
Flowie has a dedicated GDPR Incident Response Plan that triggers immediately upon detection of any event involving personal data. If the incident meets the GDPR Article 33 threshold, we notify the relevant supervisory authority within 72 hours. If the breach creates high risk to your users, we notify you without undue delay with full incident details so you can meet your own notification obligations. The specific notification contacts are those designated in your signed DPA.
What penetration testing do you conduct?
Flowie conducts an annual independent penetration test against its production environment. Continuous automated scanning runs via Detectify. Results and remediation records are available to customers under NDA as part of security due diligence packages.
How many ISMS policies does Flowie maintain?
The ISMS comprises 14 BSI policies (covering HR security, physical security, operations security, access control, incident response, business continuity, secure development, third-party management, cryptography, GDPR compliance, information security, asset management, risk management, and data management) plus 13 numbered ISMS documents (00 through 12), including the Statement of Applicability. The full document set is available under NDA for qualified enterprise evaluations.
Get the DPA or Talk to Our DPO
Request a countersigned DPA in English or French.
ISO 27001
GDPR
CyberVadis
PA Certified
Peppol
Specific data residency, sub-processor, or breach response question? [email protected]