Flowxtra Data Security & Privacy

At Flowxtra, we understand the importance of protecting sensitive personal and business information. As an AI-powered recruitment platform, we are committed to maintaining a secure and privacy-compliant environment for all users — from candidates and recruiters to enterprise clients. This page outlines the security measures and privacy standards we uphold across our systems, processes, and people.

Data Center Security & Server Locations

Flowxtra’s infrastructure is hosted across highly secure and redundant data centers located in:

  • Germany (primary EU region)
  • United States
  • Singapore (Asia-Pacific backup)

Our hosting partners ensure compliance with global physical and digital security standards, including power redundancy, DDoS protection, and incident recovery plans. All infrastructure is managed in accordance with applicable data protection regulations.

Protection from Data Loss & Corruption

We apply multiple technical safeguards to prevent unauthorized data access, loss, or corruption:

  • Logical segregation of user data across isolated environments
  • Daily backups stored in encrypted formats and geographically distributed locations
  • Continuous network monitoring with threat detection systems
  • Integrity checks and real-time anomaly detection
  • Fully documented recovery procedures and disaster mitigation protocols

Application-Level Security

Our platform is designed with security in mind at every layer. Flowxtra uses TLS 1.3 or higher to encrypt all data in transit. Additional controls include:

  • Passwords stored using strong, one-way cryptographic hashing
  • Brute-force protection on all authentication endpoints
  • Role-based access control for different user types (candidates, companies, administrators)
  • Optional two-factor authentication (2FA) for recruiter and company accounts
  • Session expiration, device tracking, and location-based login monitoring
  • Notifications for critical account changes and login activity

External security firms perform regular penetration testing and vulnerability assessments to validate and strengthen our security posture.

Internal IT Security

Flowxtra enforces a comprehensive internal security framework to protect system access and ensure accountability. Access to core systems and production infrastructure is tightly restricted and reviewed regularly.

Access to critical environments requires multi-factor authentication, including biometric fingerprint verification for authorized employees. This biometric layer adds an advanced level of protection against credential compromise.

Other internal safeguards include:

  • Segregated environments for development, staging, and production
  • Real-time monitoring of administrative actions and access logs
  • Encrypted internal communications and secured VPN access
  • Regular reviews of privileged access rights and system logs
  • Security incident response procedures and escalation protocols

We continuously review our internal controls in line with evolving security risks and best practices.

Employee Security & Training

Only authorized employees have access to user data — and only to the extent required for their job. Each individual must:

  • Pass background checks before employment (criminal and financial)
  • Sign binding confidentiality and data protection agreements
  • Undergo mandatory annual training covering secure development, data protection laws (including GDPR and CCPA), and phishing prevention

Our policies ensure a privacy-first culture across engineering, support, and business teams.

Compliance & Certifications

Flowxtra and our integrated vendors operate in accordance with key regulatory frameworks and international certifications. This includes:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)
  • PCI DSS (applies to payment processing via Stripe)
  • ISO/IEC 27001 (via selected vendors)
  • SOC 2 compliance for data integrity and service availability

International data transfers are governed by Standard Contractual Clauses (SCCs) or recognized adequacy decisions. Flowxtra maintains a binding Data Processing Agreement (DPA) with all subprocessors.

AI-Powered Matching with Human Oversight

Flowxtra leverages artificial intelligence to enhance job-candidate matching. However, we do not use AI to make final hiring decisions.

  • All algorithmic suggestions are reviewed by human recruiters
  • No fully automated decision-making takes place regarding employment outcomes
  • Candidates can opt out of AI-based recommendations in their account settings

We ensure fairness, transparency, and human accountability in all our AI-driven processes.

Billing & Invoicing

Flowxtra uses Stripe to handle all company subscription payments and SevDesk to issue automated invoices.

  • Payment data is never stored on Flowxtra servers
  • Transactions are encrypted and handled in compliance with PCI DSS
  • Job seekers are never charged or invoiced
  • Companies receive PDF invoices for each billing period

For more details, see:
Stripe Privacy Policy: https://stripe.com/privacy
SevDesk Privacy Policy: https://sevdesk.at/datenschutz

Data Retention & Deletion

We follow structured data lifecycle policies to ensure compliance and user control:

  • User data is retained for up to 3 years after last activity unless otherwise required or requested
  • Encrypted backups are stored securely and retained for up to 30 days
  • Automated data deletion policies apply to inactive or closed accounts
  • Newsletter and analytics tracking data is retained for a maximum of 12 months
  • You may delete or export your data at any time via: https://flowxtra.com/data-request

Responsible Disclosure Program

Security researchers and ethical hackers are encouraged to report any discovered vulnerabilities through our responsible disclosure process.

To qualify for protection under this program:

  • Submit findings confidentially via security@flowxtra.com
  • Do not engage in any activity that could disrupt our services or compromise user data
  • Include reproduction steps or a proof-of-concept
  • Wait for confirmation before any public disclosure

We commit to acknowledging reports within three business days.

Your Privacy Rights

You have full control over your personal data and privacy settings. Depending on your location, you may:

  • Access and correct your personal information
  • Request deletion of your account and associated data
  • Restrict or object to specific types of processing
  • Withdraw consent for non-essential features (e.g., marketing)
  • Opt out of AI-based job matching
  • Disable tracking cookies or adjust your preferences at any time

For all privacy-related requests, visit:

https://flowxtra.com/privacy-policy
Or email us at: privacy@flowxtra.com