Data protection is very important to us. Below you will find answers to the most frequently asked questions in this regard.
💬 If you have any further questions about data protection, please contact us in the chat or at [email protected].
Is Heyflow GDPR-compliant?
Yes, Heyflow is fully GDPR-compliant (General Data Protection Regulation). All data is hosted and processed exclusively in Europe. We trust Google Cloud Platform, one of the most secure cloud computing environments in the world. Find more information here.
Is Heyflow HIPAA-compliant?
Yes, Heyflow supports HIPAA compliance (Health Insurance Portability and Accountability Act) for customers who process or store PHI using our platform. We provide the necessary security controls and safeguards aligned with HIPAA standards.
Heyflow offers to sign a Business Associate Agreement (BAA) when applicable, as required under HIPAA.
Is Heyflow SOC2 certified?
Yes, Heyflow is certified under SOC 2 Type II. This means that our processes and policies were not only designed in accordance with the SOC 2 standard but were also evaluated and tested continuously over a period of more than six months. For additional context on our SOC 2 Type II certification, please visit the Heyflow Trust Center.
Is my data safe, and where is it stored?
Your data is safe at all times. We secure all connections with 256-bit encryption. Your data is stored on highly secure servers within the EU.
Where can I find a data processing agreement (DPA)?
A Data Processing Agreement (DPA) governs the relationship between Heyflow GmbH as the data processor and you as the data controller. It ensures that personal data collected through your flows is handled in full compliance with the General Data Protection Regulation (GDPR).
How do I sign a DPA?
You don't need to sign a separate DPA with Heyflow. By agreeing to Heyflow's Terms & Conditions, Section 13.3 automatically establishes the data processing agreement between Heyflow (processor) and you (controller). This applies to all Heyflow customers.
❗️Data processing terms are automatically included.
Our Data Processing Addendum (Annex 1) details the technical and organizational measures (TOMs) we implement to ensure GDPR-compliant storage and processing of personal data.
Need a dedicated or customized DPA?
If your organization requires a dedicated or individually negotiated DPA (AVV), we are happy to consider this. Please note that a custom or modified DPA is only available as part of a Heyflow Custom or Enterprise agreement. Reach out to our team to discuss further.
Who is Heyflow's Data Protection Officer (DPO)?
Heyflow has outsourced data protection responsibilities to Proliance GmbH. As a specialized service provider, Proliance GmbH ensures that our company remains consistently up-to-date with the latest data protection laws and regulations.
Who are Heyflow's subprocessors?
Heyflow engages a number of trusted subprocessors to help provide our services. These subprocessors may process data on our behalf. You can find a list of our current subprocessors in our Trust Center.
Does Heyflow have other security certificates?
Yes, since 2022 Heyflow's information management system and processes have been certified in accordance with ISO 27001 and have been audited independently on an ongoing basis. If you have any questions about the Statement of Applicability and the implemented controls, we will be happy to provide further details.
Where can I find more information?
Take a look at our Trust Center, where you can find detailed information about our infrastructure security, organizational security, product security, internal security procedures, and data and privacy. Additionally, you get an overview of our compliance, certificates, and additional resources.