Technical and Organizational Measures

Security measures implemented to protect your personal data under GDPR Article 32

Version 3.0 | Last updated: January 6, 2026 | GDPR Article 32

1. Purpose and Scope

This document describes the technical and organisational measures implemented by Ibis Flow GmbH to protect personal data processed through our services. These measures are designed to ensure a level of security appropriate to the risk of processing, as required under Article 32 of the General Data Protection Regulation (GDPR).

Ibis Flow GmbH is an early-stage, founder-operated B2B software-as-a-service company based in Germany. Our service provides collaborative estimation tools for software development teams. The measures described in this document reflect our current operational model and will evolve as the organisation scales.

This document distinguishes between security controls we implement directly and those inherited from our cloud infrastructure provider. We believe transparency about our security posture builds trust with our customers.

2. Risk-Based Approach to Security

Our security measures are proportionate to the nature, scope, context, and purposes of our data processing activities. As a B2B service processing primarily business contact information and estimation session data, we focus on measures that address the specific risks associated with our processing operations.

We regularly assess our security measures against the evolving threat landscape and adjust our controls accordingly. Our approach prioritises practical, effective security measures over formal certifications at this stage of our organisational development.

We do not currently hold ISO 27001 or SOC 2 certifications at the organisational level. However, our cloud infrastructure provider, Microsoft Azure, maintains these certifications for its platform services, providing a strong foundation for our security controls.

3. Technical Measures

3.1. Cloud Infrastructure

All Ibis Flow services are hosted on Microsoft Azure in the West Europe region. Azure provides enterprise-grade physical security, network security, and platform security controls. Azure maintains ISO 27001 and SOC 2 Type II certifications for its infrastructure and platform services.

  • Data Residency: All personal data is stored and processed within the European Union
  • Encryption at Rest: Azure Storage Service Encryption with platform-managed keys
  • Encryption in Transit: TLS encryption for all data transmissions
  • Network Security: Azure-managed network isolation and firewall controls

3.2. Backups and Recovery

Data backup and recovery capabilities are provided at the Azure service level. Database and storage services benefit from Azure-managed backup mechanisms with defined recovery point and recovery time characteristics. Ibis Flow does not perform manual backup handling.

3.3. Monitoring and Alerting

Application monitoring is provided through Sentry, which delivers real-time error tracking and alerting. Monitoring is event-driven, with alerts reviewed and addressed as they occur. We do not operate a staffed 24/7 monitoring operation at this stage.

4. Organisational Measures

4.1. Organisational Structure

Ibis Flow GmbH currently operates as a founder-led organisation with a single operator responsible for all technical operations. This model provides clear accountability and minimises the risk of unauthorised access through limited personnel.

  • Production Access: Limited to the single operator
  • External Access: No external staff, contractors, or support personnel have system access
  • Access Reviews: Not formally conducted due to single-operator model

4.2. Data Protection Responsibilities

We do not currently have a formally appointed Data Protection Officer (DPO) or Chief Information Security Officer (CISO). Data protection and security responsibilities are handled directly by the organisation's management. As the organisation scales, we will evaluate the need for dedicated roles in these areas.

5. Identity and Access Management

5.1. User Authentication

User authentication is provided through Microsoft Entra External ID, enabling federated single sign-on (SSO) with customer identity providers. This approach delegates authentication to enterprise-grade identity infrastructure managed by the customer's organisation.

  • Authentication Method: Federated SSO via customer identity provider
  • Multi-Factor Authentication: Enforced by the customer's identity provider configuration
  • Password Policies: Managed by the customer's identity provider

Ibis Flow does not centrally enforce MFA or specific password policies. These security controls are the responsibility of the customer's identity provider and organisational security policies.

6. Development and Change Management

6.1. Development Environment

Development is conducted in a single-developer environment. Code changes are tested functionally prior to production deployment, with testing practices appropriate to the scale and complexity of a single-developer operation.

  • Version Control: All source code is maintained in version control systems
  • Code Review: Peer code review is not conducted due to single-developer team size
  • Dependency Scanning: Automated dependency scanning is not currently in place

6.2. AI Development Tools

AI tools such as GitHub Copilot and OpenAI services are used solely for code assistance during development. No production customer data is processed by these AI development tools. Any future AI capabilities offered within the product would be hosted on Azure services and governed under separate data processing arrangements.

7. Incident Handling and Continuity

7.1. Incident Response

Formal incident response procedures are documented and in preparation for publication. Security and data protection incidents are currently handled directly by the operator with appropriate urgency based on severity and impact.

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where required by GDPR, and affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

7.2. Business Continuity

Service continuity benefits from Azure's high-availability infrastructure and managed backup capabilities. The single-operator model does present inherent continuity considerations, which we acknowledge and address through documentation of critical processes.

8. Physical Security Considerations

Operations are conducted from a home office environment. Physical security of infrastructure is managed entirely by Microsoft Azure, which maintains comprehensive physical security controls at its data centres including access controls, surveillance, and environmental protections.

  • Operating Environment: Home office with standard residential security
  • Physical Access Controls: No dedicated physical access controls beyond residential security
  • Device Security: Device-level authentication, encryption, and cloud-based controls
  • Infrastructure Security: All production infrastructure is hosted in Azure data centres

9. Continuous Improvement

We are committed to continuously improving our security posture as the organisation grows. Our security measures will evolve to address new risks and incorporate practices appropriate to our scale and operational context.

As we scale, we may consider implementing additional controls such as formal incident response publication, automated security testing, or relevant security certifications. Any such improvements would be reflected in updates to this document.

We review our technical and organisational measures periodically and update this document to reflect material changes to our security practices.

10. Contact and Review

For questions about our technical and organisational measures, or to report security concerns, please contact us:

Ibis Flow GmbH

privacy@ibisflow.com

This document was last reviewed and updated on January 6, 2026. We review this document periodically and following any material changes to our security practices.
