SECURITY & COMPLIANCE

Security & Data Protection

Built for healthcare. Hosted in Germany. Your data stays yours.

German servers
Encrypted at rest & in transit
GDPR-designed workflows
DPA available

Infrastructure

Where your data lives and how it is protected.

German server locations
All patient data is stored on servers located in Germany, subject to strict EU data protection regulations.
Encrypted at rest & in transit
Data is encrypted using industry-standard TLS for transmission and AES-256 encryption for storage. No unencrypted patient data leaves the system.
No third-party data sharing
Patient data is never sold, shared with, or disclosed to third parties. Your data is processed solely for the services you use.

GDPR Compliance

Designed to meet the requirements of the EU General Data Protection Regulation.

Privacy by design

Flowmatix is built with data minimization and purpose limitation at its core. We collect only the data necessary for clinic operations, and consent is obtained before processing sensitive patient information.

  • Consent-first workflows for patient data collection
  • Purpose-limited processing tied to specific clinic operations
  • Transparent data handling with clear privacy notices

Data subject rights

Patients and clinics retain full control over personal data at all times.

Right to access: Supported
Right to deletion: Supported
Data portability: Supported
DPA available: On request

Access Control

Granular permissions and full visibility into who accesses what.

Role-based access
Define who can view, edit, or manage patient data. Assign roles like Admin, Operator, or Viewer to control access at every level.
Audit trail
Every action in the system is logged. Track who accessed patient records, when changes were made, and what was modified.
Session management
Sessions expire automatically after inactivity. Admins can revoke active sessions and manage team permissions from one dashboard.
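The session management and audit trail behaviour described above (idle expiry, admin revocation, every action logged) can be implemented with a small server-side session store. The following is an added illustration written for this page, not Flowmatix's own code: the 15-minute idle limit, the role names reused from the access-control section, and the user names are assumptions, and the clock is injectable so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed idle limit; the page states sessions expire after inactivity but gives no value.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    session_id: str
    user: str
    role: str          # e.g. "Admin", "Operator", "Viewer" (roles named on the page)
    last_activity: float
    revoked: bool = False


class SessionStore:
    """Server-side session store with idle expiry, revocation and an audit log."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable for testing
        self.audit: list[dict] = []  # append-only record of session events

    def _log(self, event: str, session: Session, actor: str) -> None:
        # Every session event is recorded with who did it, what, and when.
        self.audit.append({
            "at": self._clock(), "event": event, "actor": actor,
            "user": session.user, "session": session.session_id,
        })

    def create(self, user: str, role: str) -> str:
        # 256 bits of randomness from the OS CSPRNG; never a predictable id.
        sid = secrets.token_urlsafe(32)
        session = Session(sid, user, role, self._clock())
        self._sessions[sid] = session
        self._log("login", session, actor=user)
        return sid

    def validate(self, sid: str):
        """Return the live session for sid, or None if unknown, revoked or idle too long."""
        session = self._sessions.get(sid)
        if session is None or session.revoked:
            return None
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            session.revoked = True
            self._log("expired", session, actor="system")
            return None
        session.last_activity = now  # activity refreshes the idle timer
        return session

    def revoke(self, sid: str, actor: str) -> bool:
        """Admin-initiated revocation of a single session."""
        session = self._sessions.get(sid)
        if session is None or session.revoked:
            return False
        session.revoked = True
        self._log("revoked", session, actor=actor)
        return True

    def revoke_all_for_user(self, user: str, actor: str) -> int:
        """Revoke every live session of one user (e.g. on role change or offboarding)."""
        return sum(self.revoke(s.session_id, actor)
                   for s in list(self._sessions.values()) if s.user == user)

    def active_sessions(self) -> list[tuple[str, str]]:
        """(user, role) pairs for the admin dashboard, excluding revoked/expired ones."""
        return [(s.user, s.role) for s in self._sessions.values() if s.validate_live(self)]


# Small helper so active_sessions() applies the same expiry rule as validate().
def _validate_live(self: Session, store: SessionStore) -> bool:
    return store.validate(self.session_id) is not None


Session.validate_live = _validate_live
```

Note that validation refreshes `last_activity`, so the idle timer measures time since the last request, not since login; a separate absolute lifetime would be a natural addition for high-privilege roles.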

WhatsApp Security

How the WhatsApp connection is protected end-to-end.

End-to-end encryption
WhatsApp messages are protected by Meta's end-to-end encryption protocol. Message content is encrypted between the patient's device and the clinic's endpoint.
Webhook verification
All incoming webhooks are verified using cryptographic signature validation to ensure data integrity and prevent tampering.
Token management
API tokens are stored encrypted, rotated regularly, and scoped to the minimum permissions required. Access credentials never appear in logs or client-side code.

Certifications & Standards

Our commitment to recognized security frameworks.

GDPR Art. 28 Data Processor

Flowmatix acts as a data processor under GDPR Article 28. We process personal data only on documented instructions from the clinic (the data controller). A Data Processing Agreement (DPA) is available for all customers on request.

Security practices aligned with ISO 27001

Our internal security practices are aligned with the principles of ISO 27001, including access control policies, incident response procedures, and regular security reviews. We are continuously working to strengthen our security posture as we grow.

FAQ

Common questions about data protection and security.

All patient data is stored on servers located in Germany. Data is encrypted in transit using industry-standard TLS and encrypted at rest. We do not transfer patient data outside the EU unless explicitly requested and authorized by the clinic.

Flowmatix is designed for GDPR compliance. We implement consent-first workflows, support data subject rights (access, deletion, portability), maintain processing records, and offer a Data Processing Agreement (DPA) to all customers. As a data processor under GDPR Art. 28, we act only on documented instructions from the clinic.

Yes. Patients can request deletion of their personal data at any time. Clinics can process deletion requests directly through the Flowmatix dashboard, and we ensure that data is removed from all active systems within the timeframes required by GDPR.

Yes. A GDPR-compliant Data Processing Agreement is available on request for all customers. The DPA outlines our obligations as a data processor, including data handling procedures, sub-processor disclosure, and security measures.

Access to patient conversations is controlled by the clinic through role-based permissions. Only authorized team members with the appropriate role can view patient data. All access is logged in an audit trail. Flowmatix support staff do not access patient data unless explicitly authorized by the clinic for troubleshooting purposes.

WhatsApp messages are protected by Meta's end-to-end encryption. Flowmatix uses verified webhooks with signature validation to ensure data integrity. API tokens are stored encrypted and rotated regularly. All communication between Flowmatix and the WhatsApp Business API uses HTTPS.
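The webhook signature validation mentioned in the WhatsApp Security section and again in this FAQ answer works, for Meta's webhook deliveries, by checking an HMAC-SHA256 of the raw request body against the `X-Hub-Signature-256` header using the app secret. The following is an added example written for this page, not Flowmatix's code: the secret and the payload are constructed, and how Flowmatix itself wires this into its receiver is not described on the page.

```python
import hashlib
import hmac

# Header name used by Meta's webhook deliveries. The secret below is a
# constructed placeholder for this example, not a real credential.
SIGNATURE_HEADER = "x-hub-signature-256"
APP_SECRET = b"example-app-secret-not-real"


def compute_signature(app_secret: bytes, raw_body: bytes) -> str:
    """Return the header value Meta would send for raw_body: 'sha256=<hex HMAC>'."""
    digest = hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(headers: dict, raw_body: bytes, app_secret: bytes = APP_SECRET) -> bool:
    """True only if the signature header matches the HMAC of the exact bytes received.

    Verify before parsing JSON: re-serialising the body can change whitespace or
    key order and would no longer match what the sender signed.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    provided = normalised.get(SIGNATURE_HEADER, "")
    if not provided.startswith("sha256="):
        return False  # missing or malformed header: reject, never fall through
    expected = compute_signature(app_secret, raw_body)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, provided)


def handle_delivery(headers: dict, raw_body: bytes) -> str:
    """Minimal receiver decision: 'accepted' or 'rejected'."""
    return "accepted" if verify_webhook(headers, raw_body) else "rejected"


if __name__ == "__main__":
    # Constructed sample payload shaped like a WhatsApp webhook envelope.
    body = b'{"object":"whatsapp_business_account","entry":[]}'
    good = {"X-Hub-Signature-256": compute_signature(APP_SECRET, body)}
    print(handle_delivery(good, body))            # accepted
    print(handle_delivery(good, body + b" "))     # rejected: body altered after signing
    print(handle_delivery({}, body))              # rejected: no signature at all
```

The receiver should also return a generic error for rejected deliveries and log only the fact of rejection, not the body, so that a forged request cannot be used to probe the secret or plant content in logs.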

Questions about data protection?

Get in touch to learn more about our security practices or request a Data Processing Agreement.
