Customer data lives where you choose. Every action is logged. Every claim is auditable. We sign the boring things in writing.
Independent third-party audit, renewed annually. Evidence pack available under NDA.
In flight — targeted Q4 2026. Pre-audit complete.
Protection of Personal Information Act — South African data residency, retention controls, DSAR in-product.
EU residency · Frankfurt. DPA signed with every customer. Sub-processor list public.
Aligned with ICO guidance. UK customers can opt for UK-only data residency on Enterprise.
California-specific consumer privacy rights for US customers. In-product DSAR.
Every row is scoped at the database — not the app layer. Postgres RLS policies, third-party pen-tested annually. Each tenant gets a per-tenant encryption key.
Flo can only call enabled tools, on records the asking employee can already see. Every call is logged with the user's identity, not Flo's. Per-tool circuit breakers.
Customer prompts and responses are never used for training. Zero-retention API access with our LLM provider. Committed in writing in our DPA.
TLS 1.3 in transit, AES-256 at rest. Per-tenant data encryption keys, rotated quarterly. HSM-backed. Application-level encryption on sensitive columns.
Anomaly detection on access patterns, tool calls, and data exfiltration. Alerts to customer security teams on configurable thresholds. Customer-visible audit log.
Every subprocessor we use, listed publicly. Customer notified 30 days before any change. Override available on Enterprise.
Pick once, lock in. We don't move customer data across regions without explicit consent.
Request our SOC 2 Type II report and DPA under NDA — usually delivered within an hour.