Trust Center · Security

Flowie Security.

Verifiable security posture for finance and procurement teams. ISO 27001:2022 certified, Cybervadis Mature 878/1000, S3NS sovereign cloud in Paris with disaster-recovery in Belgium. No customer data leaves the EU. Full audit reports under NDA.

Direct answer: Flowie is ISO 27001:2022 certified (certificate #122245, issued by Prescient Security LLC). Cybervadis rates us Mature at 878/1000 — 34% above the 654 industry benchmark, assessed October 4, 2024. We run on S3NS sovereign cloud (a Google + Thales partnership), primary datacenter in Paris, disaster-recovery in Belgium. No customer data leaves the EU. MFA is enforced on all production access. Cryptography follows NIST alignment: AES-256 at rest, TLS 1.2 or higher in transit, RSA 2048-bit minimum and ECC 256-bit minimum for key exchange. We conduct annual independent penetration tests plus continuous Detectify scanning. Our 9 named sub-processors are covered by signed Data Processing Agreements and Standard Contractual Clauses for any non-EU transfers. AI providers process only descriptive text — never financial amounts, IBANs, or account numbers — and are contractually bound to zero retraining with client data. Full audit reports available under NDA upon request.

Section 01 · At a glance

Security at a glance.

Flowie processes procurement workflows, invoice data, and payment approvals for mid-market and enterprise finance teams. That mandates a security posture a CISO can verify — not trust — before signing. Below is a five-point summary of our current security posture, followed by the full technical record.

ISO 27001:2022 — Renewal in progress

Surveillance and recertification audit underway. Current certificate number available under NDA. ISMS scope and SoA unchanged.

Cybervadis Mature — 878/1000

Independently assessed October 4, 2024 · Industry benchmark 654 · 34% above benchmark across 10 security domains

S3NS Sovereign Cloud

Google + Thales partnership · Primary region Paris · DR in Belgium · All customer data in the EU — no exceptions

MFA Enforced on All Production Access

No production access without MFA · RBAC + least-privilege model · Joiner-Mover-Leaver process tied to contract end

Annual Independent Penetration Test + Continuous Scanning

Annual third-party pentest · Detectify continuous vulnerability scanning in production · Coordinated disclosure at security@flowie.fr

Section 02 · Certifications

Certifications and assessments.

ISO/IEC 27001:2022

Flowie holds ISO/IEC 27001:2022 certification. Certificate details and validity dates are reissued upon completion of the 2026 surveillance and recertification audit. Renewal is in progress — the current certificate number is available under NDA upon request. Our ISMS scope, Statement of Applicability, and Stage 1 and Stage 2 audit reports remain on file and unchanged.

ISO 27001:2022 is the current revision of the standard (superseding ISO 27001:2013). The 2022 revision restructured controls into four categories — Organisational, People, Physical, and Technological — and added 11 new controls, including threat intelligence, information security for cloud services, data masking, data leakage prevention, monitoring activities, web filtering, secure coding, and configuration management. Flowie's ISMS was certified directly against the 2022 standard, not migrated from the 2013 version.

The ISMS is not a checklist. It is an operational system: policies are reviewed on schedule, risks are reassessed when the threat landscape changes, nonconformities from audits feed into a documented corrective action procedure, and management review meetings are minuted. If you want to understand whether a vendor's security is structural or performative, ask to see the audit finding sheets — ours are available under NDA.

Cybervadis — Mature rating, 878/1000

Cybervadis is an independent security ratings platform that evaluates vendors across 10 domains: Security Policies, Asset Management, IT Infrastructure Security, Application Security, Access Control, People Security, Physical Security, Operational Security, Business Continuity Management, and Compliance. Ratings run from 0 to 1000.

Flowie's most recent Cybervadis assessment, completed October 4, 2024, returned a score of 878/1000, carrying the Mature rating tier. The industry benchmark for comparable organisations is 654. Our score is 34% above that benchmark.

Cybervadis Mature · 878/1000 · Assessed 2024-10-04 · Industry benchmark 654

The full Cybervadis executive report is available upon request as part of our security pack. It includes the breakdown by domain and the specific evidence Cybervadis reviewed.

Honest note on SOC 2

We do not currently hold SOC 2 Type II. We are scoping a SOC 2 Type II programme for completion in Q3 2026. If your procurement process requires SOC 2 as a hard requirement today, the honest answer is: we cannot satisfy it from a certificate, but we can satisfy the underlying intent.

What we offer in the interim: our ISO 27001:2022 certification with full audit reports under NDA, our Cybervadis 878/1000 score with the detailed domain breakdown, and direct access to our security team for a structured Q&A. The ISO 27001 certification maps substantially to the SOC 2 Trust Services Criteria — particularly in the areas of security, availability, and confidentiality. Procurement teams that have reviewed both typically confirm that the combination of ISO 27001 + Cybervadis + audit report access is sufficient for vendor approval while SOC 2 is in flight. We will provide a written update when the SOC 2 programme reaches completion.

Section 03 · Infrastructure

Infrastructure and hosting.

S3NS sovereign cloud

Flowie runs on S3NS, the sovereign cloud platform built through the partnership between Google Cloud and Thales. S3NS is designed to meet French and European data residency and sovereignty requirements, with French-controlled data encryption keys and operational controls aligned to ANSSI (Agence nationale de la sécurité des systèmes d'information) requirements.

The practical consequence for Flowie customers: your data is hosted in infrastructure that combines Google's engineering with Thales's French sovereign controls, operated in France, subject to French and EU law. This is a structural choice, not a contractual one — the architecture physically prevents data from being routed outside the EU during normal operations.

Data residency

Primary region: Paris, France
Disaster-recovery region: Belgium
Data residency: European Union — all customer data
Backup storage: Geographically redundant (France + Belgium), separately stored
Sub-processor infrastructure: 9 named sub-processors — see /trust/subprocessors

No customer data is transferred outside the European Union as part of platform operations. For sub-processors located outside the EU (SendGrid, Sentry, Intercom, Fivetran, OpenAI, Anthropic — six in total), Standard Contractual Clauses are in place. The complete sub-processor list with transfer mechanisms is published at /trust/subprocessors.

GCP dependency — transparent disclosure

S3NS is built on Google Cloud Platform infrastructure. In the scenario of a sustained loss of GCP availability in the primary Paris region, Flowie's disaster-recovery posture relies on Google Cloud's own multi-region redundancy and our separately hosted Belgium DR environment. We do not operate our own independent physical datacenter. If your organisation's threat model requires infrastructure independence from any hyperscaler, this is the honest disclosure of our architecture. Service availability commitments are documented in our SLA.

Section 04 · Access controls

Access and identity controls.

Production access

Every individual who accesses a production system at Flowie does so through a verified, multi-factor-authenticated session. There are no shared credentials and no bypass paths for administrators. This is enforced at the identity provider level, not by policy.

01 · MFA Enforced

All production access requires multi-factor authentication. No exceptions for administrators or emergency access paths.

02 · RBAC — Least Privilege

Role-based access control is applied across all systems. Users receive the minimum permissions required for their function. Elevated permissions require documented justification.

03 · Joiner-Mover-Leaver (JML)

Access provisioning and deprovisioning follows a formal JML process tied to HR events. Offboarding triggers immediate access revocation. Accounts are not repurposed.

04 · Periodic Access Reviews

Access rights are reviewed periodically across all systems. Reviews cover both human users and service accounts.

05 · SAML/SSO for Customer Tenants

Customer tenants can configure SAML-based single sign-on via Auth0. This means your corporate identity provider — Okta, Azure AD, Google Workspace, OneLogin — governs who can access your Flowie tenant without Flowie holding a separate credential store.

Cryptography standards

Data at rest: AES-256
Data in transit: TLS 1.2 minimum, TLS 1.3 preferred
Asymmetric key exchange — RSA: 2048-bit minimum
Asymmetric key exchange — ECC: 256-bit minimum
Alignment: NIST cryptographic guidelines

Cryptography choices follow Flowie's Cryptography Policy, one of the 14 documented BSI-style information security policies maintained under the ISMS. Key management, certificate lifecycle, and algorithm selection are covered in that policy, available under NDA.

Section 05 · ISMS

ISMS policies.

Flowie maintains 14 information security policies modelled on BSI-style documentation, plus 13 numbered ISMS operational documents (00 through 12). All are maintained under the ISO 27001:2022 Statement of Applicability.

The 14 policies

01 · Information Security Policy
02 · Asset Management Policy
03 · Access Control Policy
04 · Cryptography Policy
05 · Operations Security Policy
06 · Secure Development Policy
07 · Incident Response Plan
08 · Business Continuity and Disaster Recovery Plan
09 · Physical Security Policy
10 · Human Resource Security Policy
11 · Third-Party Management Policy
12 · Data Management Policy
13 · Risk Management Policy
14 · GDPR Compliance Policy (+ dedicated GDPR Incident Response Plan)

The 13 ISMS operational documents

The numbered ISMS documents cover: ISMS master document list, ISMS scope, ISMS policy, roles and responsibilities, risk assessment and treatment process, control of documented information, security communication plan, internal audit procedure, management review procedure, corrective action and continual improvement procedure, information security objectives plan, Statement of Applicability, and relevant laws and regulations register.

All 27 documents (14 policies + 13 ISMS docs) are available under NDA upon request. Provide a signed NDA and a specific list of documents relevant to your assessment, and we will deliver them within five business days. We do not share these documents publicly because several contain internal architectural and procedural detail that would reduce their protective value if disclosed.

To request access: security@flowie.fr.

Section 06 · Vulnerability management

Vulnerability management.

Annual independent penetration test

Flowie commissions an independent penetration test annually. The test covers the application layer, authentication flows, API endpoints, and infrastructure configuration. ⚠️ The current test vendor and most recent test date will be disclosed under NDA as part of the full security pack — these details are intentionally withheld from the public page to avoid providing advance information to potential adversaries.

Findings from each annual test are tracked through to remediation. Critical and high-severity findings are addressed before the test report is filed. The full report — including findings, CVSS scores, and remediation evidence — is available under NDA.

Continuous scanning — Detectify

Detectify runs continuous automated vulnerability scanning against Flowie's production environment. Detectify is an external attack surface monitoring platform that replicates attacker reconnaissance techniques, covering web application vulnerabilities, exposed configurations, and surface-level misconfigurations. Scans run continuously, with findings reviewed by the security team. Historical Detectify scan reports are on file.

Internal audit

Flowie completed an internal information security audit in 2023. The internal audit report is on file. Annual surveillance audits under the ISO 27001 programme are ongoing.

Responsible disclosure

If you discover a security vulnerability in Flowie's platform, application, or infrastructure, report it to security@flowie.fr. We acknowledge reports promptly and provide regular status updates as we triage and remediate. We coordinate remediation timelines with the reporter and do not pursue legal action against good-faith disclosures.

⚠️ TO VALIDATE: confirm specific acknowledgement and response SLAs with security team before publish (e.g. "1 business day acknowledgement / 5 business day substantive response" was drafted but not validated against actual operational practice).

We do not currently operate a public bug bounty programme. We are scoping a formal bug bounty programme for Q3 2026. Until then, responsible disclosure via security@flowie.fr is the official channel. We recognise this is a gap relative to vendors with mature public programmes, and we are addressing it on a defined timeline.

Section 07 · Incident response

Incident response and breach notification.

24/7 response capability

Flowie maintains a 24/7 incident response team for security incidents. This is not a support queue — it is a dedicated security response function with escalation authority and defined war-room procedures. When a security incident is declared, a dedicated channel is opened, an incident commander is assigned, and the response proceeds according to our documented Incident Response Plan.

Severity tiers

S1 — Critical
Definition: Active breach, data exfiltration suspected, production systems compromised
Response posture: Immediate notification to affected customers, dedicated war-room channel, all-hands response, external forensics if required

S2 — High
Definition: Confirmed vulnerability with active exploitation potential, significant availability impact
Response posture: Accelerated response, affected customers notified, remediation on accelerated timeline

S3 — Medium
Definition: Confirmed vulnerability, no active exploitation, limited impact
Response posture: Tracked to remediation, customers notified if data is in scope

S4 — Low
Definition: Informational findings, configuration issues, no direct impact
Response posture: Tracked through normal change management

⚠️ TO VALIDATE: specific time-bound SLAs per severity tier (e.g. S2 4h / S3 24h / S4 5 business days) were drafted but not validated against the actual Incident Response Plan. Confirm with security team before publish, or replace with: "Severity-tier response targets are documented in our Incident Response Plan, available under NDA."

GDPR breach notification — 72-hour SLA

This is the provision that most enterprise procurement teams flag first, and rightly so. Under Article 33 of the GDPR, controllers must notify their competent supervisory authority of a personal data breach within 72 hours of becoming aware of it. Flowie, as a processor, must notify the controller without undue delay.

Our GDPR Incident Response Plan — a standalone document separate from the general Incident Response Plan — codifies a 72-hour breach notification SLA from the moment Flowie becomes aware of an incident that may involve personal data. Notification is sent to the customer's designated security or privacy contact, and includes: the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of records affected, likely consequences, and the measures taken or proposed to address the breach.

The 72-hour SLA is not aspirational. It is a documented, tested procedural commitment with defined roles, notification templates, and escalation paths. The GDPR Incident Response Plan is available under NDA.

Post-incident review

Every S1 and S2 incident triggers a post-incident review. The review output feeds directly into the ISO 27001 corrective action procedure, which means findings are tracked, root causes are documented, and control improvements are formally implemented and verified. Security incidents do not close without a corrective action record.

Section 08 · BC/DR

Business continuity and disaster recovery.

Flowie's BC/DR plan has been effective since 2023.

Annual DR test

We conduct an annual disaster recovery test that includes full backup restoration. The test verifies that the documented recovery procedures work as designed — not just that backups exist. Test results are reviewed by the security team and any gaps feed into the corrective action procedure.

Backup architecture

Backup frequency: Daily
Geographic redundancy: France (primary) + Belgium (DR)
Storage isolation: Backups stored separately from primary systems
Encryption: Backups encrypted using AES-256, consistent with platform standard
Restoration testing: Annual, included in DR test
RTO: ⚠️ [RTO TBD — extract from BC/DR Annex B]
RPO: ⚠️ [RPO TBD — extract from BC/DR Annex B]

⚠️ RTO and RPO values must be extracted from BC/DR Annex B before this page goes live. Do not publish placeholder text.

Infrastructure dependency — GCP

As noted in the infrastructure section, our DR posture for a sustained Paris region outage relies on Belgium-region infrastructure and Google Cloud's multi-region redundancy. We are transparent about this dependency. The BC/DR plan contains the documented "loss of GCP availability" scenario with specific response procedures.

Section 09 · AI data handling

AI data handling.

This section warrants specific attention during enterprise procurement. Flowie uses AI for document processing — extracting structured information from invoices, classifying document types, supporting workflow automation decisions. Three AI sub-processors are in scope.

The three AI sub-processors

Provider · Location · Data residency
OpenAI · USA · Data processed under SCCs
Mistral AI · France (Paris) · Full EU data residency
Anthropic · USA · Data processed under SCCs

Mistral AI deserves specific mention. Mistral AI is a French AI company, headquartered in Paris, with full EU data residency for API workloads. For French enterprise customers and organisations with strict EU sovereignty requirements, Mistral AI provides an AI processing path that never leaves the EU. This is not a marketing claim — it reflects the physical location of Mistral's inference infrastructure and the absence of non-EU data transfer.

What AI processes — and what it does not

All three AI sub-processors process descriptive text only. This is a deliberate architectural constraint, not a configuration setting.

AI models receive: document descriptions, supplier names, line item descriptions, date fields, and other textual metadata. They do not receive, and are architecturally isolated from: financial amounts, IBANs, bank account numbers, payment references, and any numerical financial data.

This constraint is maintained at the data preparation layer — financial fields are stripped before any data is passed to an AI provider. It is not a policy for humans to follow; it is a system boundary.
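One way to make that data-preparation boundary enforceable in code, as an added example (this is not Flowie's implementation; the field names, the redaction patterns and the sample invoice are assumptions):

```python
"""Data-preparation boundary between an invoice record and an AI provider.
Added example, not Flowie's code. Financial fields are never copied (an
allowlist decides what is forwarded), free text is scanned for IBAN-,
amount- and account-number-shaped strings, and a denylist check fails
closed if a financial key is still present. Names and patterns are assumed.
"""
import re
from typing import Any

# Descriptive fields that may be forwarded (hypothetical names).
ALLOWED_TOP_LEVEL = frozenset({"supplier_name", "invoice_date", "due_date",
                               "document_description", "line_items"})
ALLOWED_LINE_ITEM = frozenset({"description", "unit"})
# Keys that must never appear in an AI payload, at any depth.
DENIED_FIELDS = frozenset({"total_amount", "net_amount", "vat_amount",
                           "unit_price", "line_total", "iban", "bic",
                           "account_number", "payment_reference"})

# IBAN shape: country code, two check digits, 12-30 alphanumerics, optional
# spaces every four characters. Shape only, on purpose: a mistyped IBAN or an
# IBAN-like PO number is redacted rather than let through.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")
# Amounts written next to a currency marker, in either order.
AMOUNT_RE = re.compile(r"(?:€|\$|EUR|USD)\s?\d[\d.,]*|\d[\d.,]*\s?(?:€|\$|EUR|USD)")
# Long digit runs: account numbers or payment references pasted into text.
LONG_DIGITS_RE = re.compile(r"\b\d{8,}\b")


def redact_free_text(text: str) -> str:
    """Remove financial-looking substrings from a descriptive string."""
    text = IBAN_RE.sub("[IBAN REDACTED]", text)  # first, IBANs contain digit runs
    text = AMOUNT_RE.sub("[AMOUNT REDACTED]", text)
    return LONG_DIGITS_RE.sub("[NUMBER REDACTED]", text)


def assert_no_financial_fields(obj: Any, path: str = "$") -> None:
    """Defence in depth: refuse to emit a payload that still has a denied key."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in DENIED_FIELDS:
                raise ValueError(f"financial field {key!r} at {path} would reach the AI provider")
            assert_no_financial_fields(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            assert_no_financial_fields(value, f"{path}[{i}]")


def prepare_ai_payload(invoice: dict[str, Any]) -> dict[str, Any]:
    """Build the only object that may be sent to an AI sub-processor.

    Keys off the allowlist are never copied; non-string values are dropped
    even under an allowed key, since only descriptive text may cross this
    boundary; every surviving string is redacted.
    """
    payload: dict[str, Any] = {}
    for key, value in invoice.items():
        if key not in ALLOWED_TOP_LEVEL:
            continue
        if key == "line_items":
            payload[key] = [{k: redact_free_text(v) for k, v in item.items()
                             if k in ALLOWED_LINE_ITEM and isinstance(v, str)}
                            for item in value]
        elif isinstance(value, str):
            payload[key] = redact_free_text(value)
    assert_no_financial_fields(payload)
    return payload


# Constructed sample record, not real data; the IBAN is a made-up string.
SAMPLE_INVOICE: dict[str, Any] = {
    "supplier_name": "Hypothetical Supplies SAS",
    "invoice_date": "2025-03-14",
    "due_date": "2025-04-13",
    "document_description": ("Invoice for March services. Pay EUR 1,250.00 to "
                             "FR76 3000 6000 0112 3456 7890 189, ref 20250314001."),
    "total_amount": 1250.00,
    "iban": "FR7630006000011234567890189",
    "payment_reference": "20250314001",
    "line_items": [{"description": "Consulting day, senior", "unit": "day",
                    "unit_price": 625.00, "line_total": 1250.00}],
}

if __name__ == "__main__":
    print(prepare_ai_payload(SAMPLE_INVOICE))
```

The allowlist is what makes this a boundary: a new financial column added to the invoice model is dropped by default, and the denylist check only exists to catch a mistaken allowlist edit.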

Zero retraining commitment

All three AI sub-processors — OpenAI, Mistral AI, and Anthropic — are contractually committed to zero retraining with Flowie customer data via their enterprise API agreements. Data submitted through API endpoints is not used to train or fine-tune the underlying models. The relevant contractual provisions are available under NDA as part of the sub-processor documentation.

Why this matters in procurement: The concern most CISOs raise about AI is not the current processing — it is whether their data compounds into the model and becomes accessible to other customers. The answer here is: it does not. This is a contractual commitment from each provider, not an operational assumption.

Section 10 · Compliance

Compliance posture.

ISO/IEC 27001:2022: Certified — certificate #122245
GDPR: Compliant · Data Processing Agreement available in English and French (May 2025)
French e-invoicing Plateforme de Dématérialisation Partenaire (PDP): Certified — December 2025
Peppol BIS Billing 3.0: Compliant
EU Standard Contractual Clauses: In place for all non-EU sub-processors
Vanta: Trust report managed via Vanta — available upon request
French PSSI (Politique de Sécurité des Systèmes d'Information): Aligned — documented in internal PSSI

Data Processing Agreement

A bilingual Data Processing Agreement (DPA) is available in English and French, both updated May 2025. The DPA covers the requirements of Article 28 GDPR, specifies the sub-processor list, governs international data transfers via SCCs, and includes Flowie's obligations on breach notification, data subject rights assistance, and data deletion at contract end. The DPA can be countersigned as an annex to the commercial agreement.

To request the DPA: security@flowie.fr or via /contact?intent=security.

French PDP certification

Flowie achieved PDP (Plateforme de Dématérialisation Partenaire) certification in December 2025, qualifying the platform for French e-invoicing flows under the XP Z12-014 technical standard and the 2026 regulatory mandate. This certification is independent of ISO 27001 but demonstrates that Flowie's data handling and transmission practices have been assessed by a competent certifying body under French fiscal and electronic invoicing regulation.

Section 11 · FAQ

Frequently asked questions.

Is Flowie SOC 2 certified?

No. We do not currently hold SOC 2 Type II certification. We are scoping a SOC 2 Type II programme targeting completion in Q3 2026. In the interim, we hold ISO/IEC 27001:2022 certification (certificate #122245), a Cybervadis Mature rating of 878/1000, and Stage 1 and Stage 2 audit reports available under NDA. The ISO 27001 certification covers substantially the same security control territory as the SOC 2 Trust Services Criteria. We will provide a written update when the SOC 2 programme completes.

Where is our data stored?

All customer data is stored in the EU. Primary datacenter: Paris, France, on S3NS sovereign cloud (Google + Thales partnership). Disaster-recovery datacenter: Belgium. Backups are geographically redundant across France and Belgium, stored separately from primary systems. No customer data is routed outside the EU during normal platform operations. For the 6 sub-processors located outside the EU (SendGrid, Sentry, Intercom, Fivetran, OpenAI, Anthropic), data transfers are governed by Standard Contractual Clauses. The complete sub-processor list with transfer mechanisms is at /trust/subprocessors.

Do you retrain AI models on our data?

No. All three AI sub-processors Flowie uses — OpenAI, Mistral AI, and Anthropic — are contractually committed to zero retraining with data submitted through their enterprise APIs. Your invoice data does not contribute to model training or fine-tuning. Additionally, AI sub-processors receive only descriptive text fields. Financial amounts, IBANs, and account numbers are stripped at the data preparation layer and never sent to any AI provider. The contractual commitments are available for review under NDA.

What is your incident response time?

Severity 1 (critical) incidents trigger immediate customer notification and a dedicated war-room response from our 24/7 security team. For incidents involving personal data, our GDPR Incident Response Plan mandates customer notification within 72 hours of Flowie becoming aware of the incident, consistent with Article 33 GDPR. ⚠️ TO VALIDATE: specific severity-tier response SLAs (S2/S3/S4) are documented in our Incident Response Plan, available under NDA — confirm with security team before publishing specific time-bound numbers. Service availability commitments are documented separately in our SLA.

What is your encryption standard?

Data at rest is encrypted with AES-256. Data in transit uses TLS 1.2 minimum, with TLS 1.3 preferred. Asymmetric key operations use RSA with a minimum 2048-bit key length or ECC with a minimum 256-bit key length. Cryptographic standards follow NIST guidance and are documented in Flowie's Cryptography Policy, part of the 14-document ISMS policy set available under NDA.

How do you handle access for ex-employees?

Access revocation follows a formal Joiner-Mover-Leaver (JML) process. When an employee's contract ends — regardless of whether the departure is planned or immediate — access to all production systems, internal tools, and customer environments is revoked. The JML procedure is tied to HR contract end events, not to an ad-hoc checklist. Service accounts and API tokens associated with a departing employee are also rotated. The JML process is governed by Flowie's Human Resource Security Policy and Access Control Policy, both available under NDA.

Are your sub-processors certified?

Yes, all 9 named sub-processors hold independent security certifications. GCP/S3NS holds ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, and SecNumCloud certification from ANSSI. Auth0 (Okta) holds ISO 27001 and SOC 2 Type II. OpenAI holds SOC 2 Type II. Mistral AI is GDPR-compliant with full EU data residency. Anthropic holds SOC 2 Type II. The full sub-processor list with certifications, data residency details, and transfer mechanisms is at /trust/subprocessors.

Can you share your full audit report?

Yes, under NDA. Stage 1 audit report, Stage 2 audit report, Stage 1 finding sheet, Stage 2 finding sheet, internal audit report (2023), Detectify scan report, and Cybervadis executive report (878/1000) are all on file and available to qualified prospects and customers under a signed NDA. To request access, contact security@flowie.fr or submit a request at /contact?intent=security. ⚠️ TO VALIDATE: confirm response SLA for security pack requests with ops team before publishing specific number.

How do I report a security vulnerability?

Email security@flowie.fr with a description of the vulnerability, the affected component, steps to reproduce if possible, and your contact information for follow-up. We acknowledge reports promptly and provide regular status updates as we triage and remediate. We coordinate remediation timelines with the reporter and follow coordinated vulnerability disclosure principles. We do not pursue legal action against good-faith security research. A formal public bug bounty programme is planned for Q3 2026.

What's your penetration testing schedule?

We conduct an annual independent penetration test. The test covers application-layer vulnerabilities, authentication mechanisms, API endpoints, and infrastructure configuration. The specific test vendor and most recent test dates are disclosed under NDA as part of the full security pack — withholding them from the public page avoids giving potential adversaries advance information. Critical and high findings from each test are remediated before the report is filed. Full test reports including findings, CVSS scores, and remediation evidence are available under NDA.

Verify, don't just trust.

Request the full security pack — ISO 27001 certificate, Stage 1 and Stage 2 audit reports, Cybervadis executive report, pentest summary, GDPR DPA, and ISMS policy excerpts — all available under NDA.

ISO 27001 · GDPR · CyberVadis · PA Certified · Peppol
Or report a security vulnerability directly: security@flowie.fr