GDPR Compliance at FacilityFlow

FacilityFlow is committed to protecting the privacy and personal data of our European customers. We've built privacy into our platform from the ground up and provide all the tools you need for GDPR compliance.

Contact DPO
Home Page Hero

Our GDPR Commitment

FacilityFlow as Data Processor

When you use FacilityFlow, you (the customer) are the Data Controller, and FacilityFlow acts as your Data Processor. This means:

  • You decide what personal data is stored in FacilityFlow
  • You determine the purposes for which data is processed
  • We process data only on your documented instructions
  • We provide the technical and organizational measures to protect data

We do not sell, share, or use your data for any purpose other than providing the FacilityFlow service.

GDPR Key Facts

  •  Data Processing Agreement (DPA) Available
  • Standard Contractual Clauses (SCCs) Included
  • EU Data Residency Option (Frankfurt, Germany)
  • Appointed EU Representative
  • Designated Data Protection Officer
  • 72-Hour Breach Notification Commitment
  • Privacy by Design Architecture
  • Annual Privacy Impact Assessments

Supporting Data Subject Rights

FacilityFlow provides the technical capabilities to fulfill data subject requests under GDPR.

Eye

Right of Access

Data subjects can request access to their personal data. FacilityFlow provides export functionality in JSON and CSV formats. Feature: Self-service data export via admin portal

Right to Rectification

Right to Rectification

Incorrect data can be corrected directly in the platform or by administrators upon request. Feature: Edit any record in real-time

Right to Erasure

Right to Erasure

Personal data can be deleted upon request. Anonymization options available for audit trail preservation. Feature: Delete or anonymize personal records

Right to Restrict Processing

Right to Restrict Processing

Data processing can be temporarily suspended while disputes are resolved. Feature: Account suspension and data archival

Right to Data Portability

Right to Data Portability

Export all personal data in machine-readable formats (JSON, CSV, XML) for transfer to another service. Feature: Bulk data export with structure preservation

Right to Object

Right to Object

Data subjects can object to specific processing activities. We provide granular consent management. Feature: Consent tracking and preference management

Technical & Organizational Measures

Article 32 of GDPR requires appropriate security measures. Here's how FacilityFlow protects personal data.

  • Category:- Encryption Measure:- Data at rest Details:- AES-256-GCM encryption
  • Category:- Encryption Measure:- Data in transit Details:- TLS 1.3 with PFS
  • Category:- Access Control Measure:- Authentication Details:- MFA, SSO, password policies
  • Category:- Access Control Measure:- Authorization Details:- RBAC, row-level security
  • Category:- Pseudonymization Measure:- Personal data Details:- Anonymization tools available
  • Category:- Resilience Measure:- Backups Details:- Daily encrypted backups, 30-day retention
  • Category:- Resilience Measure:- Disaster recovery Details:- <4 hour RTO, geographic redundancy
  • Category:- Testing Measure:- Penetration testing Details:- Annual third-party testing
  • Category:- Testing Measure:- Vulnerability scanning Details:- Continuous automated scanning
  • Category:- Monitoring Measure:- Audit logging Details:- 365-day retention, tamper-evident

EU Data Residency

Keep your data within the European Union.

For EU customers, FacilityFlow offers data residency in Microsoft Azure's Frankfurt (Germany) data center region. This ensures your data:

  • Never leaves the European Union
  • Is subject to EU data protection laws
  • Complies with local data sovereignty requirements
  • Benefits from Azure's EU-specific compliance certifications

Data Residency Includes:

  • Primary database storage
  • Backup storage
  • File attachments
  • Log data
  • Session data
EU Data Center.png

Note: Some metadata (e.g., support tickets, billing) may be processed in other regions. Details are provided in our DPA.

Data Processing Agreement (DPA) & GDPR Contacts

Our DPA meets GDPR requirements and includes Standard Contractual Clauses.

What's Included in Our DPA:

  • Clear definitions of controller/processor roles
  • Description of processing activities
  • Security obligations and measures
  • Sub-processor list and approval process
  • Standard Contractual Clauses (SCCs) - 2021 version
  • Data subject rights cooperation
  • Breach notification procedures
  • Audit rights and procedures
  • Data deletion/return upon termination

Sub-Processors:

FacilityFlow uses a limited number of sub-processors. All sub-processors are bound by equivalent data protection obligations:

  • Microsoft Azure (Infrastructure hosting)
  • [Email Service Provider] (Transactional emails)
  • [Support Platform] (Customer support)

Ready to Execute a DPA? Customers can sign our DPA electronically. Prospective customers can review our template DPA.

GDPR FAQ's