Compliance

Where we stand on certifications, in plain English.

We'd rather be honest about what we have and don't have than imply more than is true. Here's the current picture and where we're going.

| Framework | Status | Notes |
| --- | --- | --- |
| SOC 2 (Type I, then Type II) | Preparing | We operate against the SOC 2 Trust Services Criteria (security, availability, confidentiality). Audit engagement planned. |
| ISO/IEC 27001 | Preparing | Information Security Management System being formalised against the ISO 27001 controls. Targeting certification once the system has run for the required observation window. |
| GDPR | In effect | We are an EU company processing data on EU infrastructure. GDPR is the baseline we operate against, not an aspiration. Standard DPA available. |
| PCI DSS | Not directly applicable | Card data is handled by our payment processor (Stripe), which is PCI DSS Level 1 certified. myflow does not store or transmit raw card numbers. |
| HIPAA | Not in scope | myflow is not designed to process protected health information and we do not sign BAAs. If you have a healthcare use case, talk to us before storing PHI in myflow. |

Why no certificates yet

Security certifications take time and they cost money — but more importantly, they take a running history. SOC 2 Type II requires an auditor to observe your controls operating consistently over a defined window (typically 3–12 months). We've been putting the controls in place, documenting them, and running them long enough to be auditable. Engaging an auditor before the controls are stable is theatre; we'd rather do it once, properly.

What we already do

Independent of certification, we already operate against the controls that those frameworks require. The other pages on this site spell out the specifics:

If you need a certificate today

We'll tell you honestly that we don't have one. If your procurement process strictly requires SOC 2 or ISO 27001 today, we are probably not the right vendor for you right now — and we'd rather you know that upfront than discover it after signing.

For most customers, the practical question is whether myflow handles data responsibly. The detail on this site, the DPA, security questionnaire responses, and a call with our team are usually enough to answer that.

Roadmap

We will update this page as our certification status changes. Subscribe to changes by emailing oliver@myflow.se; we will notify you when we engage an auditor, when we receive a report, and when that report is available to share.