Encryption
All data transmitted between your browser and FiorLab is encrypted in transit using TLS 1.2 or higher. Data stored in our database is encrypted at rest with AES-256, with keys managed by Google Cloud Platform's key management infrastructure. Database backups are also encrypted.
Authentication & Access Control
FiorLab uses Firebase Authentication with the following security measures:
- Email verification required before account activation
- Password policy: minimum 8 characters with uppercase, lowercase, number, and special character
- Google OAuth 2.0 single sign-on supported
- Role-based access control (RBAC) with three roles: Buyer, Supplier, and Admin
- Suppliers can only access their own data; Buyers can only access suppliers in their registry
- Session tokens expire and require re-authentication
Audit Trail
Every significant action in FiorLab is recorded in an immutable audit log, including:
- Assessment runs (individual and bulk) with scores and risk ratings
- Contract creation, signing, and status changes
- Document uploads and report downloads
- RFP creation, proposal submissions, and awards
- Supplier invitations and profile updates
Each log entry records the actor (who), action (what), timestamp (when), and full metadata. Audit logs are retained for a minimum of 7 years to meet financial services regulatory requirements.
Infrastructure & Data Residency
FiorLab runs on enterprise-grade cloud infrastructure with data stored within the European Union.
Our infrastructure provider, Google Cloud Platform, maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS certifications.
Regulatory Compliance
FiorLab is designed to support organisations operating under:
- GDPR: Full compliance with EU data protection requirements. Privacy by design principles. Data subject rights supported. Data Processing Agreement available.
- DORA: Built-in ICT third-party risk management controls aligned with the Digital Operational Resilience Act requirements.
- CBI Outsourcing: Assessment frameworks aligned with Central Bank of Ireland outsourcing guidance for regulated financial services firms.
- GxP / EU GMP: Pharmaceutical compliance covering 9 requirement areas — Quality Management (ICH Q10), Data Integrity (ALCOA+), Computerised Systems Validation (Annex 11), Supplier Qualification (EU GMP Ch. 5), Deviation & CAPA, Change Control, Training, Batch Documentation, and GDP/Cold Chain (HPRA).
- EBA / MiFID II / PSD2 / Solvency II: European financial regulatory overlays for banking, investment services, payment institutions, and insurance sectors.
While FiorLab itself is not yet ISO 27001 certified, we are working toward certification and our infrastructure providers hold this and other relevant certifications.
Incident Response
FiorLab maintains a documented incident response procedure:
- Detection: Automated monitoring and alerting on infrastructure and application anomalies.
- Response: Designated security team triages and investigates within 4 hours of detection.
- Notification: Affected customers notified within 48 hours of confirmed data breach, per GDPR Article 33.
- Remediation: Root cause analysis and corrective measures documented and implemented.
- Reporting: Supervisory authority (DPC Ireland) notified within 72 hours where required.
Responsible Disclosure
If you discover a security vulnerability in FiorLab, we encourage responsible disclosure. Please report any security issues to security@fiorlab.com. We will acknowledge receipt within 24 hours and work with you to understand and resolve the issue. We will not take legal action against good-faith security researchers.
Need More Information?
For security questionnaires, DPA execution, or detailed technical questions, our team is ready to help.