---
title: "Security & Infrastructure"
url: https://flexie.io/security-infrastructure
description: "Flexie's security measures and EU/EEA hosting infrastructure (OVH, Hetzner, AWS EMEA), plus AI data controls and customer responsibilities."
---

# Security and Infrastructure Overview

Effective date: 10 May 2026

## 1\. Purpose

This page explains, in plain terms, how Flexie protects your data and runs its infrastructure. It is informational and does not replace the Terms, Privacy Policy, Data Retention Policy, or Data Processing Agreement.

## 2\. Where your data is hosted

Flexie runs on European infrastructure. Core hosting, compute, storage, and backups of Customer Data are kept in EU/EEA data centers, provided by:

* **OVH SAS**, 2 Rue Kellermann, 59100 Roubaix, France.
* **Hetzner Online GmbH**, Industriestr. 25, 91710 Gunzenhausen, Germany.
* **Amazon Web Services EMEA SARL**, 38 avenue John F. Kennedy, L-1855 Luxembourg.

These are Flexie's only infrastructure sub-processors. Services that a customer connects through integrations (for example, their own telephony, email, or AI provider) are the customer's vendors, not Flexie's sub-processors.

## 3\. Encryption

* **In transit:** HTTPS/TLS is enforced for all web and API access. Flexie does not accept non-encrypted connections.
* **At rest:** stored data is encrypted.

## 4\. Access and authentication

* Two-factor authentication (2FA) is available for user accounts.
* Role-based access control with least-privilege access, so people and systems can reach only what they need.
* Logical separation between tenants, keeping each customer's data isolated from others.

## 5\. Monitoring, backups, and resilience

* Security logging and monitoring to detect and investigate suspicious activity.
* Regular backups with recovery procedures, so data can be restored after a failure.

## 6\. Operational security

* Timely patching and server hardening.
* Documented internal security procedures that are strictly applied and maintained on an ongoing basis.
* A defined incident response process for security incidents and personal data breaches.

## 7\. AI and integration data controls

Flexie does not operate AI models or communication channels itself. Calls, email, messaging, and AI run through services the customer connects and controls. Where data is sent to those services, it is sent on the customer's instruction and configuration.

Flexie provides field-level permission and exclusion controls so customers can keep selected fields, such as phone numbers, email addresses, identifiers, or sensitive notes, out of AI-related workflows or external payloads. Customers choose what is sent and which fields are excluded.

## 8\. Shared responsibility

Security is a partnership. Flexie secures the platform and the infrastructure it runs on. Customers are responsible for their own users and roles, account credentials, two-factor enrolment, workflow logic, integration endpoints and credentials, AI vendor selection, field-exclusion settings, and using the Service in line with applicable law.
