A single source of truth for everything a procurement, security, or risk team needs to evaluate FiorLab. Inherited cloud infrastructure certifications, FiorLab's own attestations, the sub-processor list, the pre-signed GDPR DPA, the published penetration test summary, and answers to the security questions buyers actually ask.
FiorLab is the EU-native supplier risk platform. We are registered in Ireland (CRO 813471), host customer data exclusively in the European Union (Frankfurt), and operate under EU corporate jurisdiction. Customers own their data.
Our platform is built on certified infrastructure. Every sub-processor that handles customer data — Vercel, Google Cloud Platform, Stripe, Sentry EU, and Resend — is independently audited against SOC 2 Type 2, ISO 27001, PCI DSS, and the EU Code of Conduct for Cloud Service Providers, with BSI C5 (Germany) and ENS High (Spain) covering EU regulatory frameworks specifically.
At the application layer we enforce strict tenant isolation, encrypt all customer data at rest with AES-256 and in transit with TLS 1.3, hash customer API keys as SHA-256, and operate continuous monitoring including a daily automated security probe of the public application surface. Our tenant-separation invariant is verified by dedicated regression tests within a 1,875-test continuous-integration suite that runs on every change.
FiorLab undergoes regular third-party penetration testing. The most recent comprehensive engagement (March 2026) covered the public application, public API, authentication flows, tenant isolation, and admin surface; all findings were remediated in production before the report was finalised, and follow-up audits the same month closed every critical and high-severity finding identified across the codebase.
Our SOC 2 Type 1 attestation is scheduled to follow the standard observation period in the next financial cycle, with ISO 27001 certification to follow. Our CAIQ v4.0 self-assessment, the March 2026 penetration test summary, the sub-processor list, and the inherited certifications above are available immediately on request via security@fiorlab.com.
Every customer-data-handling sub-processor FiorLab uses is independently audited and certified. The relevant attestation reports are downloadable from each provider's compliance page below.
| Sub-processor | Role | Certifications | Compliance page |
|---|---|---|---|
| Vercel (Application hosting, edge compute, CDN) | Web application platform and edge delivery | SOC 2 Type 2; ISO 27001; GDPR compliant | vercel.com/security |
| Google Cloud / Firebase (Database, authentication, storage, App Check) | Core data persistence, auth, App Check abuse prevention | SOC 1 / 2 / 3; ISO 27001 / 27017 / 27018 / 27701; PCI DSS; HIPAA; EU Code of Conduct; BSI C5 (Germany); ENS High (Spain) | cloud.google.com/security/compliance |
| Stripe (Subscription billing, payment processing) | Customer subscription payments only; no customer-supplier data | PCI DSS Level 1; SOC 1; SOC 2; ISO 27001 | stripe.com/security |
| Sentry, EU region (Error monitoring, performance traces, CSP reports) | Error and performance telemetry; EU data residency | SOC 2 Type 2; ISO 27001; EU region (ingest.de.sentry.io) | sentry.io/security |
| Resend (Transactional email: invites, notifications, signature requests) | Outbound transactional email only | SOC 2 Type 2; GDPR compliant | resend.com/security |
| reCAPTCHA Enterprise, Google (Bot prevention on registration and password reset) | Abuse prevention on identity flows | Inherits Google Cloud certifications | cloud.google.com/recaptcha |
Documents and reports specific to FiorLab. Live items are immediately accessible. On-request items are sent within one business day of a request to security@fiorlab.com. Planned items have a published timeline.
Consensus Assessments Initiative Questionnaire (Cloud Security Alliance v4.0), completed across all 17 domains. Covers governance, audit, business continuity, change management, data security, encryption, human resources, identity and access management, infrastructure security, interoperability, mobile, security incident management, supply chain, threat and vulnerability management, and universal endpoint management.
Third-party penetration test conducted in March 2026, covering the public application, public API v1.0, authentication flows, tenant isolation, and admin dashboard. 18 findings identified across Critical / High / Medium / Low severity classifications. All 18 remediated in production before report finalisation.
Standard Data Processing Agreement compliant with Article 28 of the GDPR. Includes Standard Contractual Clauses for any onward transfers, incorporates the sub-processor list, and is signed by FiorLab — ready for customer counter-signature with no negotiation required for the standard form.
Named list of every service FiorLab uses that may handle customer data, with the jurisdiction of each, the certifications they hold, and links to their DPAs. Updated on every material change; 30 days' notice of any addition provided to customers per the DPA.
Public security.txt with current contact and policy information. We acknowledge all reports within one business day and target seven-day remediation for confirmed High or Critical vulnerabilities. Responsible-disclosure researchers credited with permission in release notes.
GDPR-aligned privacy policy covering data subject rights, lawful basis for processing, data retention periods, international transfer mechanisms, and contact for data protection enquiries. Cookie policy with consent management.
Detailed page covering platform-level security controls: encryption, tenant isolation, access controls, audit trail, monitoring, incident response, regulatory framework mappings (DORA, EBA, CBI, GxP, CSRD, NIS2).
Independent third-party SOC 2 Type 1 attestation. Scheduled for the next financial cycle. The CAIQ self-assessment above mirrors the SOC 2 Trust Service Criteria scope and provides interim coverage for customer due-diligence questions.
Independent third-party ISO 27001 certification. Scheduled to follow SOC 2 Type 1. The inherited ISO 27001 certifications of Vercel, Google Cloud, Stripe, Sentry, and Resend cover the underlying infrastructure layer immediately.
Every service that may handle customer data, the jurisdiction in which it processes that data, and the data category processed. Updated 9 June 2026. Customers receive 30 days' notice of any material change per the DPA.
| Sub-processor | Purpose | Data category | Processing jurisdiction |
|---|---|---|---|
| Vercel Inc. | Application hosting, edge compute, CDN, log aggregation | Application traffic, request metadata, error logs | EU (Frankfurt edge), EU-only for production |
| Google LLC (Google Cloud / Firebase) | Database (Firestore), authentication, storage, App Check, reCAPTCHA Enterprise | All customer-controlled data, user identifiers, authentication tokens | EU (europe-west region, Frankfurt) |
| Stripe Payments Europe Ltd. | Subscription billing for FiorLab subscriptions | Customer billing contact, payment method (tokenised), invoice records — not customer-supplier data | EU (Ireland HQ), EU data residency |
| Sentry (Functional Software, Inc.) | Application error monitoring, performance telemetry, CSP violation reporting | Error traces, performance spans, user-session identifiers (anonymised), browser metadata | EU (Frankfurt; ingest.de.sentry.io) |
| Resend (Resend, Inc.) | Transactional email delivery (invites, notifications, signature requests) | Email recipient address, email subject, email body content | EU (eu-west-1 verified) |
| Cloudflare (in some service chains via partners) | DNS resolution, partial DDoS protection (transit-only; no data at rest) | Network metadata only; no application data | EU edge network |
FiorLab Limited attests that customer data processed by FiorLab in normal operation remains within the European Union. No customer data is transferred to or stored in the United States or any other non-EU jurisdiction without the customer's explicit written authorisation. Application infrastructure runs in EU-only Vercel and Google Cloud regions. Where a sub-processor's parent entity is non-EU (Vercel Inc., Google LLC, Functional Software Inc., Resend Inc., Stripe Payments Europe Ltd.), the relevant Standard Contractual Clauses and supplementary measures are incorporated into the DPA.
The twelve questions buyers' security teams actually ask, answered in writing.
All customer data is hosted in the European Union, primarily in Frankfurt, Germany. The application runs on Vercel (EU edge regions) and Google Cloud Platform / Firebase (europe-west region). No customer data is transferred to or stored in the United States or any other non-EU jurisdiction in normal operation. Customers retain full ownership of their data and can export it via the API or request deletion at any time.
No. FiorLab Limited is registered in Ireland (CRO 813471) and operates under EU corporate jurisdiction. Neither FISA 702 nor the US CLOUD Act applies to FiorLab as a corporate entity. Customer data is hosted in the EU and is not subject to extraterritorial US data-access orders directed at FiorLab. This is a structural difference from US-headquartered TPRM vendors, which remain within the territorial scope of both statutes regardless of where they host data.
FiorLab is built on certified infrastructure. Vercel (compute and edge) holds SOC 2 Type 2 and ISO 27001. Google Cloud Platform / Firebase holds SOC 1/2/3, ISO 27001/27017/27018/27701, PCI DSS, HIPAA, EU Code of Conduct, BSI C5 (Germany), and ENS High (Spain). Stripe holds PCI DSS Level 1, SOC 1, SOC 2, and ISO 27001. Sentry EU holds SOC 2 Type 2 and ISO 27001. Resend holds SOC 2 Type 2. Every customer-data-handling sub-processor is independently certified.
FiorLab has completed a SOC 2 / CAIQ v4.0 self-assessment available on request. Formal third-party SOC 2 Type 1 attestation is scheduled for the next financial cycle and will follow the standard 4-month observation period. In the interim, FiorLab provides the CAIQ self-assessment, the March 2026 third-party penetration test summary (18 of 18 findings closed), the published sub-processor list, and the inherited certifications of every customer-data-handling sub-processor.
Yes. FiorLab commissioned a comprehensive third-party penetration test in March 2026 covering the public application, the public API v1.0, authentication flows, tenant isolation, and the admin dashboard. The test identified 18 findings (3 Critical, 5 High, 10 Medium/Low). All 18 findings were remediated in production before the report was finalised. A second 360-degree security audit on 29 March 2026 identified 23 additional findings, of which 21 are remediated; the remaining two are documented and accepted risks. A four-agent platform audit on the same date closed every critical and high-severity finding identified.
All customer data is encrypted at rest using AES-256 (managed by Google Cloud Platform). All data in transit is encrypted using TLS 1.3 only; TLS 1.1 is explicitly refused at the edge. HTTP Strict Transport Security (HSTS) is enforced with a two-year max-age plus includeSubDomains and preload. Content security policy uses nonce-based script protection and forbids inline scripts. Customer secrets (API keys) are stored as SHA-256 hashes; the original key value is shown once at creation and never logged.
FiorLab enforces tenant separation at the application layer using the buyerId scoping pattern. All supplier-matching, document access, assessment scoring, and API queries are explicitly scoped to the requesting tenant's buyerId via array-contains queries on the linkedBuyers field. Cross-tenant data access is structurally impossible; supplier records visible to Buyer A are invisible to Buyer B's invite flow, search, and assessment views. The tenant-separation invariant is enforced by 15 regression tests in tenant-separation.test.ts and verified in the full 1,875-test CI suite that runs on every pull request.
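The buyerId / linkedBuyers scoping pattern described above, as an added illustration that is not FiorLab's code: Firestore's `array-contains` query is simulated over an in-memory collection, and the record shape, sample data and function names are assumptions. Beyond the list query the page mentions, it also shows the single-document path, where finding a record by id is not enough and tenant membership is re-checked before returning it, and the shape of a regression check that asserts the read function returns exactly the records linked to the requesting tenant.

```typescript
// Added example (not FiorLab's code). Models the buyerId / linkedBuyers scoping
// pattern over an in-memory collection; Firestore's
// where('linkedBuyers', 'array-contains', buyerId) is simulated by arrayContains.
// Record shape and sample data are constructed for illustration.

interface SupplierRecord {
  id: string;
  name: string;
  linkedBuyers: string[]; // tenant ids allowed to see this supplier
}

// Constructed sample data: s-2 is shared by two buyers, the others are not.
const SAMPLE_SUPPLIERS: SupplierRecord[] = [
  { id: "s-1", name: "Alpha Components", linkedBuyers: ["buyer-A"] },
  { id: "s-2", name: "Beta Logistics", linkedBuyers: ["buyer-A", "buyer-B"] },
  { id: "s-3", name: "Gamma Chemicals", linkedBuyers: ["buyer-B"] },
];

// Stand-in for a Firestore array-contains query on one field.
function arrayContains(records: SupplierRecord[], value: string): SupplierRecord[] {
  return records.filter((r) => r.linkedBuyers.includes(value));
}

// Every list read goes through this function so the tenant scope cannot be forgotten.
// An empty buyerId is refused rather than silently widened to "all records".
function visibleSuppliers(records: SupplierRecord[], buyerId: string): SupplierRecord[] {
  if (!buyerId) throw new Error("buyerId is required: refusing to run an unscoped query");
  return arrayContains(records, buyerId);
}

// Single-document read: locate by id, then re-check membership. The caller gets the
// same answer for "does not exist" and "exists but is not linked to you".
function getSupplierForBuyer(
  records: SupplierRecord[],
  supplierId: string,
  buyerId: string,
): SupplierRecord | null {
  const doc = records.find((r) => r.id === supplierId);
  if (!doc || !doc.linkedBuyers.includes(buyerId)) return null;
  return doc;
}

// Regression invariant, the kind of check a tenant-separation test suite asserts:
// for every buyer, the set returned by the read path equals exactly the set of
// records that list that buyer in linkedBuyers (nothing extra, nothing missing).
function tenantSeparationHolds(records: SupplierRecord[], buyers: string[]): boolean {
  return buyers.every((buyer) => {
    const visible = visibleSuppliers(records, buyer).map((r) => r.id).sort();
    const expected = records
      .filter((r) => r.linkedBuyers.includes(buyer))
      .map((r) => r.id)
      .sort();
    return JSON.stringify(visible) === JSON.stringify(expected);
  });
}
```

The point of routing every read through `visibleSuppliers` and `getSupplierForBuyer` is that the scope is applied in one place; a test over those two functions then covers every search, invite and assessment view that calls them.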
Yes. FiorLab supports SAML 2.0 and OIDC single sign-on via Firebase Admin Auth on Enterprise plans. SSO providers are mapped to organisations via the ssoProviders Firestore collection, allowing per-tenant identity provider configuration. Standard configurations including Okta, Azure AD / Entra ID, Google Workspace, Ping Identity, and JumpCloud are supported.
Yes. FiorLab provides a standard Data Processing Agreement compliant with Article 28 of the GDPR. The DPA is available at fiorlab.com/dpa, includes the Standard Contractual Clauses for any in-scope onward transfers, and incorporates the published sub-processor list. The DPA is pre-signed by FiorLab and ready for customer counter-signature; no negotiation is required for the standard form.
Security vulnerabilities can be reported confidentially to security@fiorlab.com. FiorLab maintains a public security.txt at fiorlab.com/.well-known/security.txt with the current contact and policy information. We acknowledge all reports within one business day and aim to remediate confirmed High or Critical vulnerabilities within seven days. Responsible-disclosure researchers are credited (with permission) in the public release notes.
Data subject access, rectification, erasure, portability, and restriction requests can be submitted to hello@fiorlab.com or directly through the application. FiorLab acts as data processor for customer-controlled data; in that capacity, requests received from data subjects are forwarded to the relevant customer (data controller) within five business days. For data controlled directly by FiorLab (account holders, sub-processor metadata), requests are actioned within the GDPR-mandated thirty-day window.
FiorLab operates a continuous security monitoring programme including a daily automated red-team agent that probes the public application surface (TLS configuration, security headers, public API authentication, admin path enforcement, client bundle secret scanning, dev/test artifact exposure, server version disclosure). Detected anomalies trigger an internal alert and findings are logged with severity classification (P0-P4). All P0/P1/P2 incidents are escalated within one hour. Customers are notified of confirmed incidents affecting their data within seventy-two hours, in line with GDPR Article 33 obligations.
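A checker for the header policy stated in the encryption answer above (two-year HSTS with includeSubDomains and preload, nonce-based CSP that forbids inline scripts, no server version disclosure), evaluated the way the daily probe paragraph describes. This is an added example, not FiorLab's probe or configuration: the header sets are constructed, the P1 to P3 severity labels and function names are assumptions, and the nonce check is a simplified pattern match rather than a full CSP parser.

```typescript
// Added example (not FiorLab's probe). Evaluates a captured set of HTTP response
// headers against the header policy described on this page. Severity labels P1-P3
// and the check names are assumed for illustration; sample headers are constructed.

type HeaderMap = Record<string, string>;

interface Finding {
  severity: "P1" | "P2" | "P3";
  check: string;
  detail: string;
}

const TWO_YEARS_SECONDS = 63072000; // 730 days, the HSTS max-age the page states

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function header(h: HeaderMap, name: string): string | undefined {
  const key = Object.keys(h).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : h[key];
}

// HSTS: present, max-age at least two years, includeSubDomains and preload set.
function checkHsts(h: HeaderMap): Finding[] {
  const v = header(h, "strict-transport-security");
  if (v === undefined) return [{ severity: "P1", check: "hsts", detail: "header missing" }];
  const findings: Finding[] = [];
  const m = /max-age=(\d+)/i.exec(v);
  const maxAge = m ? parseInt(m[1], 10) : 0;
  if (maxAge < TWO_YEARS_SECONDS) {
    findings.push({ severity: "P2", check: "hsts", detail: `max-age ${maxAge} is below ${TWO_YEARS_SECONDS}` });
  }
  if (!/includeSubDomains/i.test(v)) findings.push({ severity: "P2", check: "hsts", detail: "includeSubDomains missing" });
  if (!/preload/i.test(v)) findings.push({ severity: "P3", check: "hsts", detail: "preload missing" });
  return findings;
}

// CSP: script sources must carry a nonce and must not allow 'unsafe-inline'.
// script-src falls back to default-src when absent, as the CSP spec defines.
function checkCsp(h: HeaderMap): Finding[] {
  const v = header(h, "content-security-policy");
  if (v === undefined) return [{ severity: "P1", check: "csp", detail: "header missing" }];
  const directives = new Map<string, string[]>();
  for (const part of v.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const scriptSrc = directives.get("script-src") ?? directives.get("default-src") ?? [];
  const findings: Finding[] = [];
  if (scriptSrc.includes("'unsafe-inline'")) {
    findings.push({ severity: "P1", check: "csp", detail: "script-src allows 'unsafe-inline'" });
  }
  if (!scriptSrc.some((s) => /^'nonce-[A-Za-z0-9+\/=_-]+'$/.test(s))) {
    findings.push({ severity: "P2", check: "csp", detail: "script-src has no nonce source" });
  }
  return findings;
}

// Version disclosure: a Server or X-Powered-By value containing a digit is treated
// as leaking a version string.
function checkServerDisclosure(h: HeaderMap): Finding[] {
  const findings: Finding[] = [];
  for (const name of ["server", "x-powered-by"]) {
    const v = header(h, name);
    if (v !== undefined && /\d/.test(v)) {
      findings.push({ severity: "P3", check: "disclosure", detail: `${name}: ${v}` });
    }
  }
  return findings;
}

// One probe run over a header set; an empty result means the policy is met.
function probeHeaders(h: HeaderMap): Finding[] {
  return [...checkHsts(h), ...checkCsp(h), ...checkServerDisclosure(h)];
}

// Constructed sample responses, not captured from any real host.
const GOOD_HEADERS: HeaderMap = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nc3'; object-src 'none'",
};
const WEAK_HEADERS: HeaderMap = {
  "Strict-Transport-Security": "max-age=31536000",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "Server": "nginx/1.18.0",
};
```

Run daily against your own public hostnames, a checker of this shape turns each header control into a finding that can be alerted on and tracked by severity; the weak sample above yields six findings (three HSTS, two CSP, one disclosure) and the compliant sample none.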
Email security@fiorlab.com directly. We acknowledge within one business day and send the CAIQ, the pen test summary, or any other due-diligence material within five business days. No NDA required for the standard documents.
security@fiorlab.com