Data protection and privacy at Flexopus

Your data belongs to you and no one else. The Flexopus workplace booking system was developed in Germany in compliance with the highest standards and is a leader in data protection, data security & privacy.

Order processing contract (AVV)

We conclude an order processing contract with all our customers in accordance with the guidelines of the GDPR in order to contractually record the processing of personal data. The purpose of data processing, type of data, groups of persons concerned, Flexopus sub-suppliers and the rights of data subjects are set out in this contract.

ISO 27001

Flexopus was certified by TÜV Rheinland in accordance with ISO 27001:2022. The certification ensures a standardized and maintained information security management system (ISMS).

Hosted in Germany (EU)

Your data is safe with us. Flexopus is operated exclusively on Hetzner servers in the Federal Republic of Germany, meaning that your data does not leave the country under any circumstances. Hetzner is ISO 27001 certified, which meets the highest requirements for IT security processes and information security management systems.

100% GDPR compliant

Flexopus complies 100% with the GDPR guidelines and consistently implements the following guidelines in particular:

  • Conclusion of AV contracts (order processing) in accordance with Article 28 (3) GDPR
  • Anonymization and no purpose-free storage of personal and personal data
  • No data exchange with third parties or data transfers across national borders
  • Regular training of all employees on data protection, data security and privacy
  • Continuous development of safety standards in the form of audits and the adjustment of our documentation, processes, structures or functionalities as well as technical and organizational measures

Flexopus is developed according to the concepts of “privacy by default” and “privacy by design” and therefore takes data protection into account from start to finish.

Purpose-specific data storage

The stored personal data is used exclusively for a specific purpose.

Data anonymization

With Flexopus, you determine after which period of time personal data is anonymized or removed from the system. However, for utilization analyses, you will still receive booking details such as the start and end time of a booking.

However, these can no longer be traced back to a specific person. This allows you to keep track of the utilization of available resources in order to optimize your office and at the same time protect sensitive data about your employees.

Encrypted data transfer

The data is encrypted during transmission using the TLS process, which is also used for online shopping or online banking. The integrity of the encryption can be found here ( are verified.

Employee privacy

With Flexopus, you decide whether bookings for workstations or other objects should be visible to all employees in your company or not. Although we recommend this in a company's collaborative environment, in special cases it may make sense to let users decide for themselves whether the booked seat is visible to others.

Backups with data-at-rest encryption

Flexopus is a cloud solution that is hosted on a dedicated server. The databases of our customers are backed up daily. Backups are stored for 30 days with data-at-rest encryption on a server in Germany, regardless of location. The data is then deleted.

Audits & Penetration Tests

Our development team ensures that the application is developed release by release by following internal security guidelines:

  • Internal manual audits
    Four-eye principle in development, code reviews, functional testing, security audits from our experts
  • Automated internal audits
    Code analyses, system logs, application logs, code quality checks
  • External audits/penetration tests
    Thanks to our customers, the software is audited by an independent third party in irregular circumstances, but at least twice a year. Penetration tests are carried out by our customers as part of the usual assessment and approval processes.

Careful selection of suppliers

Flexopus pays particular attention to data protection and reliability when selecting sub-suppliers. We only select sub-suppliers from the EU:

  • Server provider: Hetzner Online GmbH
    The application is hosted on a dedicated server cluster in Falkenstein. Our backup infrastructure is set up in Nuremberg.
  • SMTP provider
    As our primary SMTP provider, we use RapidMail based in Germany. As a secondary SMTP provider, we use MailJet based in France.
  • Development team
    The developers and software sub-suppliers are based exclusively in the EU.

Evolving safety

The application is constantly tested for security through internal and external audits. As part of our development, potential security gaps and functions for improving data protection at the infrastructure level and the application itself are being improved release by release. Release notes are published continuously for greater transparency with our customers.

The open source components used are regularly updated. A list of the open source components used is provided in the application for administrators.

Privacy statements

Use our privacy policy, which is generated automatically, or upload your own document. You should also decide whether you want to obtain confirmation of consent from all employees.

Contracts under German law

The Firm Flexopus GmbH is headquartered in Stuttgart, Germany. Contracts are concluded exclusively in accordance with German law. Made in Germany. Hosted in Germany.

Book a non-binding appointment!

Would you like to learn more about Flexopus, features and pricing, or schedule a demo call? We would be happy to advise you and find the perfect solution for you.