Security
Effective: 8 June 2025
Your journal entries are deeply personal. We understand the trust you place in us when you use Floreo to record your thoughts, feelings, and experiences. That's why security isn't just a feature - it's fundamental to everything we do.
🔒Our Security Commitment
- ✓No passwords stored—login via Google, Apple, or secure one-time codes
- ✓Your journal entries are encrypted at rest and in transit
- ✓We never read or analyze your personal journal content
- ✓You can permanently delete your data at any time
- ✓Additional protection with Face ID/Touch ID or PIN code
1. Data Encryption
In Transit
All data transmitted between your device and our servers is encrypted using TLS 1.3, the latest industry standard. This means your journal entries are protected from interception while traveling across the internet.
At Rest
Your journal entries are encrypted using AES-256 encryption when stored in our databases. This military-grade encryption ensures that even if someone gained unauthorized access to our storage systems, your data would remain unreadable.
Backup Encryption
All backups are encrypted using the same standards as our primary storage, with encryption keys stored separately from the data itself.
2. Authentication & Access Control
🔐No Passwords Stored
Floreo uses modern authentication methods that eliminate traditional password vulnerabilities:
- ✓Single Sign-On (SSO): Sign in securely with Google or Apple, leveraging their advanced security infrastructure
- ✓One-Time Passwords: Email login uses time-limited codes sent to your verified email address—no passwords to remember or steal
Additional Security Layers: Once logged in, you can add extra protection to your journal:
👤Face ID / Touch ID
Use your device's biometric authentication for quick, secure access
🔢PIN Code
Set a personal PIN code as an additional layer of protection
Session Management: Sessions expire automatically after periods of inactivity, requiring re-authentication to protect your journal from unauthorized access.
Device Security: We leverage your device's secure storage APIs to protect authentication tokens and ensure your journal remains private even if your device is compromised.
3. Infrastructure Security
Hosting Provider: We use enterprise-grade cloud infrastructure providers that maintain SOC 2, ISO 27001, and other industry certifications.
Data Centers: Your data is stored in secure data centers with 24/7 monitoring, biometric access controls, and redundant power and cooling systems.
Network Security: We employ firewalls, intrusion detection systems, and DDoS protection to safeguard our infrastructure.
Regular Updates: Our systems are regularly updated with the latest security patches and undergo continuous monitoring for vulnerabilities.
4. Data Retention & Deletion
Your Data, Your Control
- Active Account Data: Your journal entries are retained as long as your account is active. You can delete individual entries or all data at any time.
- Account Deletion: When you delete your account, all your personal data and journal entries are permanently removed from our active systems within 24 hours.
- Backup Retention: Deleted data may remain in encrypted backups for up to 30 days for disaster recovery purposes, after which it's permanently erased.
- Export Options: You can export all your journal entries in common formats before deletion, ensuring you always have access to your personal history.
5. Employee Access Policies
Zero Access Architecture: Our systems are designed so that employees cannot access your journal content. Technical and organizational measures prevent unauthorized access.
Principle of Least Privilege: Employees only have access to systems necessary for their specific roles, with all access logged and regularly audited.
Background Checks: All employees with potential access to infrastructure undergo background checks and sign strict confidentiality agreements.
Security Training: Regular security awareness training ensures our team understands and follows best practices for data protection.
6. Third-Party Security
We carefully vet all third-party services for security practices and only work with providers that meet our standards:
- All third parties sign data processing agreements with security obligations
- We regularly review third-party security certifications and practices
- Third parties cannot access your journal content
- We minimize data sharing to only what's necessary for service operation
7. Incident Response
Despite our best efforts, no system is 100% secure. We have a comprehensive incident response plan:
If a security incident occurs:
- We immediately investigate and contain the issue
- We assess the impact and determine affected users
- We notify affected users within 72 hours with clear information about the incident
- We provide guidance on any recommended actions
- We conduct a thorough post-incident review to prevent recurrence
8. Compliance & Audits
We maintain compliance with data protection regulations and undergo regular security assessments:
- GDPR compliant for European users
- CCPA compliant for California residents
- Annual third-party security audits
- Continuous automated vulnerability scanning
- Regular penetration testing
🛡️ Responsible Disclosure
We welcome security researchers to help us maintain the highest security standards. If you discover a potential vulnerability:
- • Email us at security@floreo.app
- • Include detailed steps to reproduce the issue
- • Allow us reasonable time to address the issue before public disclosure
- • We'll acknowledge your contribution (with your permission)
9. Security Questions?
If you have any questions about our security practices or need to report a security concern:
Security Team
Email: security@floreo.app
For urgent security matters, please include "URGENT" in your subject line
The Netherlands.