Order processing contract (AVV)
We conclude an order processing contract with all our customers in accordance with the guidelines of the GDPR in order to contractually record the processing of personal data. The purpose of data processing, type of data, groups of persons concerned, Flexopus sub-suppliers and the rights of data subjects are set out in this contract.
Flexopus was certified by TÜV Rheinland in accordance with ISO 27001:2022. The certification ensures a standardized and maintained information security management system (ISMS).
Hosted in Germany (EU)
Your data is safe with us. Flexopus is operated exclusively on Hetzner servers in the Federal Republic of Germany, meaning that your data does not leave the country under any circumstances. Hetzner is ISO 27001 certified, which meets the highest requirements for IT security processes and information security management systems.
100% GDPR compliant
Flexopus complies 100% with the GDPR guidelines and consistently implements the following guidelines in particular:
- Conclusion of AV contracts (order processing) in accordance with Article 28 (3) GDPR
- Anonymization and no purpose-free storage of personal data
- No data exchange with third parties or data transfers across national borders
- Regular training of all employees on data protection, data security and privacy
- Continuous development of security standards in the form of audits and the adjustment of our documentation, processes, structures or functionalities as well as technical and organizational measures
Flexopus is developed according to the concepts of “privacy by default” and “privacy by design” and therefore takes data protection into account from start to finish.
Purpose-specific data storage
The stored personal data is used exclusively for a specific purpose.
With Flexopus, you determine after which period of time personal data is anonymized or removed from the system. However, for utilization analyses, you will still receive booking details such as the start and end time of a booking.
However, these can no longer be traced back to a specific person. This allows you to keep track of the utilization of available resources in order to optimize your office and at the same time protect sensitive data about your employees.
Encrypted data transfer
The data is encrypted during transmission using TLS, which is also used for online shopping or online banking. The integrity of the encryption can be verified here (https://www.ssllabs.com/ssltest/analyze.html?d=demo.flexopus.com).
With Flexopus, you decide whether bookings for workstations or other objects should be visible to all employees in your company or not. Although we recommend this in a company's collaborative environment, in special cases it may make sense to let users decide for themselves whether the booked seat is visible to others.
Backups with data-at-rest encryption
Flexopus is a cloud solution that is hosted on a dedicated server. The databases of our customers are backed up daily. Backups are stored for 30 days with data-at-rest encryption on a server in Germany, regardless of location. The data is then deleted.
Audits & Penetration Tests
Our development team ensures that the application is developed release by release by following internal security guidelines:
- Internal manual audits
Four-eyes principle in development, code reviews, functional testing, security audits by our experts
- Automated internal audits
Code analyses, system logs, application logs, code quality checks
- External audits/penetration tests
Thanks to our customers, the software is audited by an independent third party at irregular intervals, but at least twice a year. Penetration tests are carried out by our customers as part of the usual assessment and approval processes.
Careful selection of suppliers
Flexopus pays particular attention to data protection and reliability when selecting sub-suppliers. We only select sub-suppliers from the EU:
- Server provider: Hetzner Online GmbH
The application is hosted on a dedicated server cluster in Falkenstein. Our backup infrastructure is set up in Nuremberg.
- SMTP provider
As our primary SMTP provider, we use RapidMail based in Germany. As a secondary SMTP provider, we use MailJet based in France.
- Development team
The developers and software sub-suppliers are based exclusively in the EU.
The application is constantly tested for security through internal and external audits. As part of our development, potential security gaps and functions for improving data protection, both at the infrastructure level and in the application itself, are improved release by release. Release notes are published continuously for greater transparency with our customers.
The open source components used are regularly updated. A list of the open source components used is provided in the application for administrators.
Contracts under German law
Flexopus GmbH is headquartered in Stuttgart, Germany. Contracts are concluded exclusively in accordance with German law. Made in Germany. Hosted in Germany.