1. Introduction

FlowAssure is a software product provided by FlowForma ("FlowForma", "we", "us", or "our"). FlowAssure is an AI-assisted vendor risk assessment and third-party risk management platform designed to support organisations in evaluating, managing, and monitoring supplier and vendor risk.

This Privacy Statement explains how we collect, use, store, and protect personal data when you use FlowAssure, our website, and related services.

We process personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

2. Roles Under Data Protection Law

Depending on the context:

  • Our customers act as the data controllers for vendor, supplier, and third-party data they submit into FlowAssure
  • FlowForma (FlowAssure) acts as a data processor when processing such data on behalf of customers
  • FlowForma acts as a data controller for account management, billing, security, and website usage data

3. Information We Collect

3.1 Customer Account Data

  • Name
  • Email address
  • Job title
  • Organisation details
  • Login credentials (securely stored)

3.2 Vendor and Third-Party Data (Customer-Provided)

  • Vendor contact details
  • Supplier questionnaires and responses
  • Security, compliance, and risk documentation (e.g. SOC 2, ISO certificates, policies)
  • Assessment results and scoring outputs

3.3 Usage and System Data

  • Audit logs and system activity
  • Feature usage data
  • IP address and device information
  • Diagnostic and performance data

3.4 Communication Data

  • Support requests
  • Emails and correspondence with FlowForma

4. How We Use Your Information

We use personal data to:

  • Provide and operate the FlowAssure platform
  • Enable vendor risk assessments and third-party risk workflows
  • Generate AI-assisted summaries and insights
  • Maintain platform security, integrity, and audit logs
  • Provide customer support and service communications
  • Improve platform performance and reliability

We do not sell or rent personal data.

5. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contractual necessity – to deliver FlowAssure services
  • Legitimate interests – platform improvement, security, fraud prevention
  • Legal obligation – compliance with applicable laws
  • Consent – where required for optional features (e.g. marketing communications)

6. AI and Automated Processing

FlowAssure uses artificial intelligence technologies, including Microsoft Azure OpenAI Service, to support vendor risk analysis and document processing.

AI functionality may be used to summarise vendor documentation, extract key risk indicators, assist in classification and scoring, and support risk reporting workflows.

Important limitations:

  • AI outputs are probabilistic and may contain inaccuracies or omissions
  • AI does not provide legal, regulatory, or compliance certification
  • All AI outputs must be reviewed by a human before decision-making

Data usage in AI systems: Customer data processed through Azure OpenAI is not used to train foundation models, is processed within Microsoft Azure's secure enterprise environment, and is subject to regional (EU-based) hosting where applicable.

7. Data Hosting and Transfers

FlowAssure primarily stores and processes data within the European Union (EU).

Where data is processed by third-party infrastructure providers (such as Microsoft Azure), processing occurs under appropriate data protection agreements and safeguards, including Standard Contractual Clauses where required.

8. Information Security

FlowForma maintains an Information Security Management System certified to ISO/IEC 27001.

This certification supports the design, development, and operation of FlowForma's SaaS products and reflects the implementation of structured security controls, risk management processes, and continuous improvement practices. FlowAssure benefits from and operates within this security governance framework.

Security measures include:

  • Encryption in transit (TLS) and at rest
  • Role-based access controls
  • Multi-factor authentication (where enabled)
  • Logging and monitoring of system activity
  • Secure software development lifecycle practices

9. Data Sharing and Disclosure

We do not sell personal data. We may share data only in the following circumstances:

  • With sub-processors (e.g. Microsoft Azure) required to deliver the service
  • With the customer's authorised users or administrators
  • Where required by law, regulation, or legal process
  • To protect rights, security, or prevent fraud

All sub-processors are subject to appropriate contractual data protection obligations.

10. Data Retention

We retain personal data only for as long as necessary to provide FlowAssure services, comply with legal, regulatory, or contractual obligations, and support audit and security requirements.

Customer data may be deleted or anonymised upon request or following termination, subject to retention obligations.

11. Data Subject Rights

Individuals may have the following rights under GDPR:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

To submit a request: info@flowforma.com

We will coordinate with the relevant customer (data controller) where applicable.

12. Cookies and Tracking

FlowAssure uses cookies and similar technologies to enable platform functionality, maintain secure sessions, analyse usage and performance, and improve user experience. Where required, consent is obtained in accordance with applicable law.

13. Third-Party Services

FlowAssure integrates with or relies on third-party service providers, including Microsoft Azure. These providers may process data strictly as necessary to deliver services and are bound by contractual and legal data protection obligations.

14. Changes to This Privacy Statement

We may update this Privacy Statement periodically to reflect changes in legal, technical, or operational requirements. The latest version will always be available within the FlowAssure platform or upon request.