Security & Privacy

Your member data and banking details are sensitive. Here's how Florivio keeps them safe.

Privacy and security prepared

Application data is processed in German cloud infrastructure; AI features use contractually bound EU regions. For privacy review, we provide a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR.

Why this matters: In 2022, 38 unsecured fire department servers with exposed personal data were found on the open internet (AG KRITIS). Florivio stores all data encrypted in German data centers — with TLS 1.3, AES-256-GCM for banking data, and role-based access control.

TLS 1.3 Encryption

All connections between browser and server are encrypted with TLS 1.3 (HTTPS). Data is never transmitted in plain text.

Multi-Tenant Isolation

Each fire department gets a fully isolated environment. No data from one department is visible or accessible to another.

RBAC — Role-Based Access

Commander, treasurer, equipment manager — each user only sees what they're authorized to access. Banking data is exclusively visible to treasurers and admins.

Automatic Backups

Regular, automatic backups protect your data against loss. All backups are stored encrypted.

Complete Audit Trail

Who changed what and when? All security-relevant actions are logged — especially important for SEPA transactions and inspection reports.

Tamper-Proof Records

Inspection reports and SEPA batches use append-only storage with SHA-256 hash chains. Once finalized, documents cannot be altered.

IBAN Encryption

Banking data is encrypted at rest using AES-256-GCM. Access is restricted to authorized treasurers — never visible in plain text.

Technical & Organizational Measures (TOMs)

Physical Access Control

Server infrastructure hosted in secured data centers in Germany and the EU with physical access controls.

System Access Control

Password hashing, secure session management, automatic session timeouts. No plain-text password storage.

Data Access Control

RBAC (Role-Based Access Control): Each user only has access to the data they are authorized for. Banking data is restricted to treasurers and admins.

Data Transfer Control

All data transfers are encrypted (TLS/HTTPS). No data is shared with third parties without a legal basis.

Input Control

Complete audit trail: Who changed what data and when? All modifications are traceable and logged.

Availability Control

Regular automatic backups, monitoring, and failover protection. Data loss is prevented through multiple backup copies.

Separation Control

Multi-tenant architecture: Data from different fire departments is fully separated at the database level.

Integrity Control

Append-only data structures with cryptographic hash chains (SHA-256). Inspection reports, SEPA batches, and audit entries cannot be modified after finalization.

Tamper-Proof Records in Detail

For inspection reports and SEPA direct debit batches, Florivio employs a multi-layered security concept — ensuring finalized documents remain trustworthy and verifiable.

Equipment Inspection Reports

  • Inspection workflow: Draft → Sign-off → Finalization
  • Four-eyes principle: Inspector signs off, second person confirms
  • After finalization: append-only, no modifications possible
  • SHA-256 hash chain across all inspections
  • PDF inspection report with cryptographic checksum

SEPA Direct Debit Batches

  • Tamper-proof batches: once generated, not editable
  • SHA-256 checksum over total amount, count, and content
  • IBAN encryption with AES-256-GCM
  • Forward-only status: Created → Exported → Submitted → Executed
  • Mandate change history (append-only logging)

Audit Trail

  • Who changed what and when — logged without gaps
  • Stored immutably as part of the hash chain
  • Actions: Create, Edit, Sign-off, Finalize
  • Integrity verification available at the push of a button

GDPR & Data Processing

As the operator of Florivio, we process personal data of your members on your behalf. Application data in German cloud infrastructure, AI processing in EU regions, TLS for all connections and encryption for sensitive data such as banking details. For privacy review, we provide a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR.

You can request the DPA from us. Contact: [email protected]

Request DPA or ask security questions

See for yourself

Sign up in 2 minutes and see how Florivio protects your data — 90 days free, no credit card required.

Try free for 90 days