Security & privacy
Peace of mind starts with trust. At Florbs, we prioritize the security and privacy of your data, so you can focus on what matters most. Learn more about our security measures below.
Security
Product security
At Florbs, we understand that trusting a SaaS platform with your data is a big decision. That’s why we take product security incredibly seriously.
Testing and security audits
At Florbs, we prioritize the security and efficiency of our deployments. That’s why we leverage Continuous Integration and Continuous Delivery (CI/CD) pipelines to automate the process from code commit to production release.
We understand that every deployment carries a potential risk. To mitigate this, we’ve implemented a comprehensive security strategy. This includes scanning our entire technology stack – from infrastructure to application code – with every deployment to production.
We achieve this by combining the power of open-source security tools with our own custom-developed automation. This ensures a completely automated and secure deployment process, giving you peace of mind.
Secure coding practices
Secure coding practices are essential for developing software that is resistant to attacks and data breaches. These practices are integrated throughout the development lifecycle, starting from the early stages of analysis and design. Some principles we use in our development life cycle are:
Never trust user input: We always validate and sanitize user input to prevent malicious code injection and other attacks.
Validate sessions: We verify user identity and session validity before granting access to sensitive resources.
Secure authentication: We use strong authentication mechanisms to protect user accounts. Sign in with Google is our primary authentication method. To enhance security further, our backend validates each request against Firebase Authentication using Bearer tokens and other security protocols. This makes the authentication process more robust than basic Google Sign-In alone.
Deny by default: We implement a “deny by default” approach, where access is granted only to authorized users and resources.
Principle of least privilege: In Florbs, you are able to grant users only the minimum privileges necessary to perform their tasks.
Signed commits: We use signed commits to ensure the integrity of code changes.
Code quality and bug prevention: We implemented code review processes, static code analysis tools, and quality gates to identify and address potential bugs and security vulnerabilities.
Continuous vulnerability scanning: New vulnerabilities can arise every day, which is why we have implemented active scanning tools to identify them as early as possible.
Dependency management: We keep dependencies up-to-date and scan for vulnerabilities and deprecations regularly.
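The “Secure authentication” and “Deny by default” items above describe a backend that validates Bearer tokens and then grants access only to authorized users. The following is an added example, not Florbs code, sketching that flow in Python. It assumes an HMAC-signed demo token with a constructed key so that it runs offline; real Firebase ID tokens are RS256-signed with Google’s published public keys, so a production backend would verify them with the Firebase Admin SDK (firebase_admin.auth.verify_id_token) instead. The issuer, audience, role names and permission strings are constructed placeholders.

```python
"""Added example (not Florbs code): verify a Bearer token on the backend, then
authorize the request with deny-by-default, least-privilege role checks."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: Firebase ID tokens are RS256-signed; HMAC-SHA256 is used
# here only so the example runs offline with the standard library.
DEMO_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_ISS = "https://securetoken.google.com/demo-project"  # assumed project id
EXPECTED_AUD = "demo-project"                                  # assumed project id

# Least privilege: each role lists only the permissions it needs (constructed).
ROLE_PERMISSIONS = {
    "viewer": {"reports:read"},
    "admin": {"reports:read", "reports:write", "users:manage"},
}


class AuthError(Exception):
    """Raised on any verification failure; every failure path denies."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Mint a demo JWT (header.payload.signature) for the example's inputs."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_bearer(authorization_header, key: bytes = DEMO_KEY, now=None) -> dict:
    """Return the verified claims or raise AuthError."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise AuthError("missing bearer token")
    parts = authorization_header[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise AuthError("undecodable token") from exc
    # Pin the algorithm: never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise AuthError("bad signature")
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise AuthError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthError("token expired")
    if not claims.get("sub"):
        raise AuthError("missing subject")
    return claims


def authorize(claims: dict, permission: str) -> bool:
    """Deny by default: unknown roles and unlisted permissions yield False."""
    return permission in ROLE_PERMISSIONS.get(claims.get("role"), set())


def handle_request(authorization_header, permission: str, now=None):
    """Return (status, body): 401 if unauthenticated, 403 if unauthorized."""
    try:
        claims = verify_bearer(authorization_header, now=now)
    except AuthError as exc:
        return 401, str(exc)
    if not authorize(claims, permission):
        return 403, "forbidden"
    return 200, claims["sub"]


if __name__ == "__main__":
    now = int(time.time())
    token = make_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "uid_123",
                        "role": "viewer", "iat": now, "exp": now + 3600})
    print(handle_request("Bearer " + token, "reports:read"))   # (200, 'uid_123')
    print(handle_request("Bearer " + token, "reports:write"))  # (403, 'forbidden')
    print(handle_request(None, "reports:read"))                # (401, ...)
```

The design point is that every check (header shape, algorithm, signature, issuer and audience, expiry, subject, then role permission) fails closed, so a request that is not affirmatively proven valid and permitted never reaches the handler.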
Enterprise-grade infrastructure
Florbs leverages Google Cloud Platform’s (GCP) best-in-class infrastructure. Their robust and geographically distributed network offers exceptional security, reliability, and scalability.
Our services are deployed within the EU in the region europe-west1 (Belgium). Data is stored multi-regionally within the EU. GCP’s data centers hold industry-leading security and compliance certifications, including SOC 2, PCI DSS, DORA and ISO/IEC 27001. This secure hosting environment guarantees the resilience, security, and scalability of our applications, which can seamlessly adapt to our evolving needs.
Florbs uses serverless architectures so that our applications can scale effortlessly. This translates to high service reliability and operational efficiency. The entire infrastructure is managed with Terraform. We have secure coding practices in place, including code reviews and quality gates, before we make any changes in production.
Backup & resiliency
Florbs leverages multi-regional databases, a key factor in our reliability. This redundancy ensures data remains accessible even in the event of a regional disruption, and Terraform allows us to bring up the whole environment in another location. For the unlikely event of data loss, we have implemented a two-tiered backup strategy to ensure your information remains protected:
Recoverable Google Workspace data: For data available through Google Workspace APIs, we bypass backups. Instead, we read metadata from the APIs to ensure we have the most up-to-date data available.
Application specific data: Data exclusive to our application benefits from robust backups. We maintain point-in-time recovery options for up to 7 days, allowing us to restore data to a specific historical point. Additionally, daily backups are stored, providing a comprehensive safety net.
Incident Recovery Plan: We have an Incident Recovery Plan (IRP) in place which provides clear guidelines on how we can restore services in the event of an incident. Disaster recovery plans are tested regularly.
Sub-processors
We strictly select and periodically evaluate all of our partners. This ensures they comply with industry-standard data protection frameworks such as SOC 2 and/or ISO 27001. This rigorous approach minimizes potential risks from third-party involvement and guarantees our sub-processors uphold the same strict data security and privacy standards we adhere to.
Sub-processor agreements reflect our commitment to data privacy and security. These agreements outline stringent data handling and security protocols. We share only the minimum essential information with our sub-processors, safeguarding customer data throughout our entire supply chain.
Operational security
Our team continuously implements new safeguards and monitors Florbs for malicious activity across the entire platform.
Network security
Segmentation & firewalls: Florbs uses a multi-tier approach, with separate network segments for the frontend, APIs and backend workers. This restricts traffic flow, preventing unauthorized access to sensitive systems. Firewalls at each network segment define rules that allow only authorized traffic between services.
Secure communication: We enforce HTTPS communication across all tiers. HTTPS uses TLS encryption to secure data transmission and prevent eavesdropping or man-in-the-middle attacks.
Monitoring and logging: Florbs continuously monitors network activity for suspicious behavior. We have implemented logging systems to track user access, API requests, and system events. This helps us identify and respond to security incidents promptly.
Endpoint security
At Florbs, we understand the importance of safeguarding your data at every touchpoint. That’s why we prioritize robust endpoint security to protect user devices.
Advanced threat detection and prevention: We leverage industry-leading solutions like CrowdStrike to proactively identify and neutralize malware, viruses, and other cyber threats. CrowdStrike’s advanced capabilities go beyond traditional antivirus software, providing real-time threat intelligence and comprehensive endpoint protection.
Disk encryption: All user devices are equipped with full-disk encryption. This critical security measure renders data unreadable even if a device is lost or stolen. Encryption ensures your information remains confidential, minimizing the risk of data breaches.
Regular security updates: We ensure consistent updates for operating systems and applications on all devices.
Infrastructure security
We employ a comprehensive set of cybersecurity principles to safeguard your information and ensure the integrity of our systems. These principles form the foundation of our security posture and are essential for protecting against evolving cyber threats.
Principle of least privilege: We adhere to the principle of least privilege, granting users and processes only the minimum access permissions necessary to perform their designated tasks. This minimizes the potential impact of a compromised account or malicious activity.
Fail-safe defaults: Our systems are designed to fail safely, ensuring that even in the event of a security breach, the damage is contained and the system remains operational. This approach minimizes the disruption caused by security incidents.
Defense in depth: We implement a layered defense strategy, employing multiple security measures to protect our systems and data. This includes firewalls, DDoS prevention, encryption, and other security controls. This multi-layered approach makes it more difficult for attackers to penetrate our defenses.
Secure by design: Security is considered from the very beginning of our development process. We incorporate best practices into our design and architecture, proactively identifying and addressing potential vulnerabilities before they can be exploited.
Secure APIs: We recognize the importance of securing our APIs, which serve as gateways to our systems and data. We implement robust authentication and authorization mechanisms to control access to APIs and protect against unauthorized usage.
Continuous monitoring: We continuously monitor our systems and network traffic for suspicious activity. This allows us to detect and respond to security incidents promptly, minimizing the potential damage.
Encryption: We employ encryption throughout our infrastructure to protect data at rest and in transit. This ensures that even if sensitive data is intercepted, it remains unreadable to unauthorized parties.
Secure communication: We enforce secure communication protocols, such as HTTPS, for all network traffic. This protects data from interception and eavesdropping.
By adhering to these essential cybersecurity principles, we create a robust and resilient security posture that safeguards your data and ensures the integrity of our systems. We are committed to continuous improvement and regularly review our security practices to adapt to evolving threats and maintain the highest level of protection for our customers.
Access control
We understand that not every employee requires access to the same information. That’s why we implement a robust access control and data classification system based on three key principles: Role-Based Access Control (RBAC), Least Privilege, and Need-to-Know.
Role-Based Access Control (RBAC): We define employee roles based on job functions and responsibilities. Each role is then granted specific permissions to access the resources they need to perform their tasks effectively. No extra access, no unnecessary exposure.
Least Privilege: Employees are granted only the minimum level of access needed to fulfill their designated tasks. This significantly reduces the potential damage if an employee account is compromised or misused.
Need-to-Know: Beyond roles, we consider the “need-to-know” principle. Even within a role, access may be further restricted based on a user’s specific needs. This granular control ensures only authorized individuals have access to sensitive data relevant to their job duties.
At Florbs, access control is just one aspect of our comprehensive security strategy. We continuously evaluate and improve our security posture to ensure the highest level of protection for your data.
Application security
Our secure coding practices (see Product security above) cover the basic principles we use during development. Beyond these principles, we have additional security systems in place to mitigate potential risks.
Software Development Lifecycle (SDLC)
At Florbs, we prioritize secure coding practices throughout the entire Software Development Lifecycle (SDLC). This ensures code is written securely, is maintainable, and is free of vulnerabilities. After code completion, we perform code reviews, static code analysis, quality gates, dependency vulnerability scanning and penetration tests (if applicable).
Acceptance tests
Before deploying new features into production, an acceptance test is required to ensure that the new functionality is ready to deploy and meets the needs of the end users.
Credential management
Florbs uses Google-managed encryption keys. Google automatically rotates encryption keys used in the Google-managed encryption process every 90 days. This ensures enhanced security for your data by limiting the time a single key is active. Keys are assigned to specific roles.
Vulnerability management
Vulnerability scanning covers all tiers of our application stack, including code vulnerabilities, dependency vulnerabilities, and container vulnerabilities. This task is completely automated and runs regularly, at least once per deployment. Based on the results, recommendations will be provided on how to address vulnerabilities, such as updating libraries or upgrading packages.
Policies and procedures
Formalized Guidelines: We have established comprehensive data security policies and procedures that govern how we collect, store, use, and dispose of your information. These policies cover not only data handling but also:
Incident Response: We have a well-defined incident response plan that outlines the steps we take to identify, contain, and recover from data security incidents. This ensures we respond promptly and effectively to minimize any potential damage.
Access Control: We implement robust access controls to restrict access to sensitive data. This includes user access management, role-based permissions, and data encryption.
Data Retention and Disposal: We have clear policies for data retention that dictate how long we store your data. We also have secure procedures for data disposal to ensure your information is permanently erased when it’s no longer required.
Employee Training: Our employees are trained on our data security policies and procedures, including incident response protocols. This ensures everyone at Florbs understands their role in protecting your data.
Regular Reviews: We regularly review and update our data security policies and procedures to keep pace with evolving threats and industry best practices.
Privacy
How we handle your data
We prioritize transparency and want you to feel confident about how your information is handled. Here’s a breakdown of our practices:
Data collection
We only collect the data necessary to provide our services.
We communicate what data we collect and why during the signup process.
Data security
We employ industry-leading security practices to safeguard your information. This includes encryption at rest and in transit, secure access controls, and regular security assessments.
We leverage secure cloud infrastructure with robust certifications to ensure the physical and digital security of your data.
Data use
We use your data solely to deliver our services, improve our platform, and provide you with relevant communications.
We never sell or share your data with third parties without your explicit consent.
Data retention
We retain your data only for as long as it’s necessary to fulfill the purposes outlined above.
We have clear procedures for data deletion upon request or account removal.
Transparency
We are committed to transparency and maintain a comprehensive privacy policy outlining our data practices.
We adhere to industry regulations and best practices regarding data protection, as demonstrated by our ISO 27001 certificate.
Our commitment
We are dedicated to safeguarding your data, continuously reviewing and updating our security practices to address evolving threats.
If you have any questions about our data handling practices, please contact us. We are committed to ensuring you feel secure using Florbs.
Training and awareness
At Florbs, we have a solid information security policy in place. To ensure it is followed, we provide our employees with monthly security awareness training. The training is different each month and covers relevant aspects of our policy, keeping employees informed and vigilant.
We also conduct regular internal phishing simulations to evaluate how well employees manage phishing threats. The results highlight areas for improvement and provide targeted feedback to boost security awareness.
This approach ensures that information security is a continuous, integrated effort across the organization.
GDPR
At Florbs, we take data privacy seriously and are committed to complying with the General Data Protection Regulation (GDPR). This regulation, enforced by the European Union, empowers individuals with control over their personal data and sets high standards for data protection.
Transparency and consent: We communicate what data we collect, why we collect it, and how we use it. We only process your data with your explicit consent.
Data minimization: We collect only the data necessary to provide our services and fulfill your requests.
Data security: We implement robust security measures to protect your data from unauthorized access, disclosure, alteration, or destruction.
Your rights: You have the right to access, rectify, erase, and restrict the processing of your personal data.
Data breach notification: In the event of a data breach, we will promptly notify you and the relevant authorities as required by GDPR.
We have established clear procedures for handling your GDPR requests. Contact our dedicated Data Protection Officer (DPO).
Compliance
ISO 27001
Florbs has achieved ISO 27001 certification. External audits, such as ISO 27001, provide extra validation for our efforts to protect our customers’ information. We adhere to globally accepted practices for managing and securing information. We are committed to maintaining high standards of security, safeguarding sensitive data, and ensuring robust measures are in place to protect customer data.