Flo Health’s approach to app security and compliance 

As women increasingly turn to health apps for personalised care, data security has become crucial. Leading the way, apps like Flo Health prioritise user privacy and secure data management, setting new standards by teaming up with the data security company Vanta. With advanced compliance measures, these apps aim to protect sensitive health information, ensuring trust and safe access to care.

Building a better future for female health 

Flo is the most popular women’s health app globally; it’s the #1 OB-GYN-recommended app for period and cycle tracking based on a survey among US OB-GYNs. 

With 100+ medical experts, Flo supports women during their entire reproductive lives and provides curated cycle and ovulation tracking, personalised health insights, expert tips and a fully closed community for women to share their questions and concerns.

Founded in 2015, Flo Health acquired one million users in a little more than a year of operation. Now, Flo Health serves 260 million users, and 12% of US women under 45 use Flo. A key component of Flo Health’s success is a constant dedication to customer-centric decisions. From product design to user experience and security protocols, every decision made at the company is guided by customer satisfaction.

“We take regular feedback from our end users,” said former Chief Information Security Officer, Leo Cunningham. “We genuinely care about what we do as a company—we love our values.” In addition to offering a highly personalised product, Flo Health remains dedicated to customer satisfaction by protecting sensitive health data through security and compliance.  

The challenge 

Turn something good into something excellent 

After experiencing a considerable stage of hyper-growth, Flo Health recognised an opportunity to create an exceptionally strong security programme to protect user data. Flo Health’s board of directors “wanted to create the most secure health and well-being app on the planet,” Cunningham said.  
 
To achieve such a high benchmark for security success, Flo Health pinpointed a need to take an already good security programme and make it as strong as possible. “I joined Flo Health with the goal of creating a world-class security function. We want to build the most secure app possible,” Cunningham said. “We invest in security, we invest in privacy, and we are 100% serious when we talk about being world-class.” 
 
In order to bring its security and compliance programme to the next level, Flo Health sought one of the most thorough international compliance certifications available—ISO 27001. Originally, Flo Health chose a traditional compliance partner to get ISO certified. “They were a bit old-fashioned for a company like Flo Health,” Cunningham said. Flo Health decided to seek another compliance partner—one that ticked all the boxes, and then some.  

The solution 

Powerful compliance automation made simple 

Flo Health knew exactly what they needed in a compliance solution. “We looked at various audit companies, ISO solutions and software implementations. We needed something that was sleek, easy to install and easy to manage,” Cunningham said. Flo Health ultimately decided to partner with Vanta after conducting an in-depth comparison of other solutions.  

Because Flo Health is in a constant state of hyper-growth, Cunningham and his teams need a compliance solution that continuously monitors infrastructure, seamlessly collects evidence, and integrates into day-to-day tools like Slack and JIRA. Most of all, Flo Health requires a solution that’s reliable and plain easy.  

“Security doesn’t need to be complex,” Cunningham said. “It needs to scale the business, be a business enabler and it needs to be there at the very beginning. Without it, it’s only a matter of time before there’s a serious issue.”  

The impact 

A #1 app with best-in-class security standards  

Thanks to Vanta’s automated evidence collection, Flo Health enjoyed an expedited auditing experience on the road to achieving ISO 27001 certification. Cunningham and his team were able to complete Stage 1 of the ISO audit in one week, and Stage 2 in three days. 

Flo Health received compliments from its auditor for having strong policies and controls in place. “Our auditors had never heard of Vanta before—they were really impressed by the ease of use and aesthetics of the platform. It ticked a lot of boxes.” 

Vanta’s platform gives Flo Health’s various security and compliance teams a collective viewpoint of all ISO 27001 controls by continuously scanning the company’s infrastructure. “Vanta’s dashboard is very clear,” Cunningham said. “It has good analytics and control breakdown. I don’t think we’ve had a single issue, which is extremely rare in security.” 

In addition to a seamless audit and intuitive integrations, Flo experiences constant, personalised support from Vanta’s team of experts. “Our CSM is an absolute superstar. We couldn’t have asked for a better person to help us on this journey,” Cunningham said. “He’s always on hand and he plays a key part in making sure that we are set up for success. That’s a testament to the type of people Vanta hires.” 

“To further compliment Vanta, we’ve had excellent account management and support. It’s probably been the easiest adoption of any security tool that I’ve seen in about fifteen years.” 

Flo is officially the first period and ovulation tracker to be ISO 27001 certified. “Getting ISO 27001 was a major milestone for us,” Cunningham said. According to Sensor Tower in June 2022, Flo became the #1 women’s health app worldwide based on App Store downloads. 

Staying true to its commitment to security, Flo Health views ISO 27001 as a continuous process. Cunningham’s teams use Vanta on a daily basis to collect evidence for their annual ISO audit. Looking forward, Flo Health is exploring ISO 27701 with Vanta to continue its reputation for world-class security.