Trust & Security

How FlexiEle protects your employees’ data — certifications, region residency, encryption, access controls and incident response.

ISO/IEC 27001

Information security management certified.

SOC 2 Type 2

Independently audited operating effectiveness.

UK / EU GDPR & India DPDP

Region-resident, lawful-basis processing.

Region residency by default

FlexiEle is built so that HRMS customer data stays in the customer’s own region by default. Employee records do not cross regions in the normal course of operation.

  • European customers — United Kingdom (London, AWS eu-west-2)
  • Indian customers — Mumbai, India (AWS ap-south-1)
  • Other regions — deployed in the nearest AWS region matching local data-residency requirements

Marketing-website data (contact forms, demo bookings) is held centrally in the UK — see the privacy policy for the full breakdown.

Encryption

In transit

  • TLS 1.2+ on all customer-facing endpoints
  • HSTS enforced on the marketing site
  • Certificate transparency monitored

At rest

  • AES-256 on all database storage volumes
  • AWS-managed KMS keys with rotation
  • Encrypted backups in the same region

Access controls

  • Role-based access controls in the application; permissions follow least privilege.
  • Multi-factor authentication available for all administrative users; required for FlexiEle staff.
  • Production access for FlexiEle engineers is scoped, logged and reviewed quarterly.
  • SSO (SAML/OIDC) supported for enterprise customers.

Backups & disaster recovery

  • Automated daily snapshots of all customer databases, retained for 35 days.
  • Point-in-time recovery available within the retention window.
  • Backups remain in the same region as the source database — they do not cross borders.
  • Documented disaster-recovery runbook with RPO and RTO targets shared with enterprise customers under NDA.

Testing & assessments

  • Annual third-party penetration tests; remediation tracked to closure.
  • Continuous vulnerability scanning of dependencies and infrastructure.
  • Static and dynamic application security testing in CI.
  • Summary reports available to enterprise customers under NDA.

Sub-processors

We engage a small number of trusted sub-processors for infrastructure, email and analytics. The full list, with each sub-processor’s purpose and processing region, is published at /sub-processors.

Customers receive 30 days’ notice before any new sub-processor is added to that list.

Incident response

FlexiEle runs a defined incident-response process: detection → containment → eradication → recovery → post-mortem. Critical incidents trigger customer notification within 72 hours of confirmation, in line with UK / EU GDPR Article 33 requirements where applicable.

To report a vulnerability or suspected security issue, email security@flexiele.com — we acknowledge reports within one business day.

Talk to our security team

Enterprise customers and prospects can request our security questionnaire responses, pen-test summaries, sub-processor list and DPA. Contact:

  • Security & trust: security@flexiele.com
  • Data Protection Officer: dpo@flexiele.com

Last updated: 30 April 2026