Flowz is a SaaS tool that reports compliance with GDPR data protection legislation.
Flowz distributed model: information risk reporting (article 32), Data Protection Impact Assessment (DPIA) (article 35), data flow mapping, Records of Processing Activity (article 30), Accountability (article 5), supports data breach reporting (article 33), management control (article 29).
- Data Flow Mapping processes to information assets (GDPR articles 32/35)
- Information Asset Register (GDPR articles 30/32)
- Distributed model with RBAC/LR access controls mapped to organisation hierarchy
- Customer configurable user role profiles and per user
- Drilldown information risk dashboard and reporting module (GDPR article 32)
- Data Subject Access Requests (DSARs) model with health workflow option
- User configurable data exports to Microsoft Excel
- Delivered as a distributed Cloud Service (SaaS) with user branding
- Preconfigured versions available for public sector inc health, LA, HE
- Data Protection Impact Assessment (DPIA) (GDPR article 35)
- Supports requirements of Article 30 of GDPR (and many others)
- Dashboards and reporting help manage Information Risk more effectively
- Engages users and managers in 'owning' use of personal information
- Risk assessment of each individual Flow and Asset
- Fully configurable picking lists
- Fully configurable risk profiles tuned to corporate risk appetite
- Reports enable project work based on risk or potential savings
- Links to Single Sign-On (SSO) to enable easier user access
£3000 per licence per year
- Education pricing available
- Free trial available
0330 124 1966
|Software add-on or extension||No|
|Cloud deployment model||Public cloud|
|System requirements||Internet access|
|Email or online ticketing support||Email or online ticketing|
|Support response times||
9.00am - 5.30pm Monday to Friday only.
Responses will usually be within an hour, but our SLA differs dependent on agreed severity.
P1 (Flowz rendered unusable by a problem) - 4 hours.
P2 (Problem affecting the data being stored within Flowz) - 1 Working Day.
P3 (Regular problem that doesn't seriously affect routine working) - 5 Working days.
P4 (Infrequent problem which does not seriously affect routine working) - 10 Working days.
P5 (Clarification request about the data being displayed/reported by Flowz) - 5 Working days.
Wish list (Request for additional functionality) - Next User Group meeting
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Web chat support||Web chat|
|Web chat support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support accessibility standard||None or don’t know|
|How the web chat support is accessible||
A standard Dialog box appears when anyone visits our Web site, a facility provided by HubSpot, the CRM system we are using. The end user will initiate the chat and type in their query, which will send a message to the Help Desk software and also any Administrators logged in.
|Web chat accessibility testing||We have tested internally and all works fine.|
|Onsite support||Yes, at extra cost|
During the deployment of the Flowz system, we will provide as much support as the customer requires. This usually involves the following.
1. On-site Deployment Workshop
• Discuss and agree the configuration of your Flowz system, along with the associated drop-down list entries and User Hierarchy, roles etc.
2. System Configuration (off-site)
• Create your Flowz instance and configure it to the agreed specification from the Workshop day
3. Data Migration
• Import existing sources of data i.e. spreadsheet.
4. On-site Training
• Provide training for trainers and System Administrators/ IT team in the use and configuration of Flowz
• Training can be delivered on-site or via a series of WebEx sessions
After the completion of the deployment, support is provided through the Service Desk, our Web site forum and regular Flowz User Group meetings, where customers can meet the Flowz team, including Development staff, share experiences of other users and view functionality enhancements.
|Support available to third parties||Yes|
Onboarding and offboarding
Services are available to assist with the on-boarding of our customers. These include Workshops to discuss configuration, Data Migration and Training.
Training can be for System Administrators, Trainers, or End-users. It can be delivered on-site or via WebEx, dependent on customer preference.
On-line help documentation is also available in the system.
|End-of-contract data extraction||We have a data extraction feature, and can provide data in a variety of formats, for example CSV, Excel etc.|
|End-of-contract process||The extraction of customer data at the end of the contract is provided free of charge,|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||Screen rearranges to suit mobile viewing.|
|Description of customisation||
Almost every element of the system can be tailored by the customer without the need for support, though services are available to train the System Administrators how to best make the changes.
Customisation features will be limited to System Administrators by role-based access.
|Independence of resources||Flowz Limited undertakes regular testing to ensure the system is performing optimally. Infrastructure is scaled accordingly to pre-empt any performance degradation. All elements of the cloud platform are modular and can be expanded quickly and easily as and when additional capacity or performance is required.|
|Service usage metrics||Yes|
|Metrics types||A report of Flowz usage is available upon request, including all Service Tickets logged in the last period.|
|Reporting types||Reports on request|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Baseline Personnel Security Standard (BPSS)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||No|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||Physical access control, complying with another standard|
|Data sanitisation process||No|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Throughout the system, users may export data, for example, search results in grids or reports in Excel.|
|Data export formats||
|Other data export formats||Microsoft Excel|
|Data import formats||
|Other data import formats||Microsoft Excel|
|Data protection between buyer and supplier networks||TLS (version 1.2 or above)|
|Data protection within supplier network||IPsec or TLS VPN gateway|
Availability and resilience
|Guaranteed availability||The system is available 24/7/365 excluding planned maintenance. There will be occasional system maintenance but this will be performed out of business hours wherever possible and will be communicated in advance to the Flowz Service Desk which will contact the customer and agree the maintenance window. Data Centre availability exceeds 99.9% (Tier 3).|
|Approach to resilience||
Flowz is a web service-oriented application (SOA) hosted in Internet Information Services (IIS) utilising SQL Server database services and has been developed using ASP.NET MVC - a Microsoft web application framework which implements the model–view–controller (MVC) design pattern.
Flowz comprises a set of services using Windows Communication Foundation (WCF) services to specify communications protocols, for example SOAP over HTTP, and security mechanisms etc. Deploying individual services on multiple virtual machines facilitates resilience, scalability and availability of the system.
|Outage reporting||Email alerts and Flowz Service Desk customer portal.|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Role-Based Access Control (RBAC) - Only an Administrator or a more Senior User role granted Administrator privileges may alter a User’s access rights. Only trained Users with assigned credentials may access the system and only then within their prescribed user roles, configurable by the customer’s System Administrator.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||Our security policy is regularly updated on our intranet with notifications emailed to all staff and associates. Information security responsibilities form a part of the induction process for all new Flowz Limited employees and are included in the employee’s handbook. Updates to the Acceptable Use policy for customer’s data for staff and associates are distributed by read-receipt email and are posted on our intranet.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||Robust configuration and change management processes ensure changes to the production system environment are fully tested and approved before deployment. Our cloud provider maintains and implements change and configuration approval processes for equipment and devices which support Flowz Limited’s products. Infrastructure and application changes are managed in our change management and helpdesk systems as appropriate. Updates are managed via controls including update baselines and vendor recommendations. Depending on the severity of any vulnerability, required updates can be set up to auto-deploy to minimise the window of risk; however, most are tested in a sandbox environment beforehand. Systems are actively monitored.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Updates are managed via controls including update baselines and vendor recommendations. Depending on the severity of any vulnerability, required updates can be set up to auto-deploy to minimise the window of risk; however, most are tested in a sandbox environment beforehand. Systems are actively monitored.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||Updates are managed via controls including update baselines and vendor recommendations. Depending on the severity of any vulnerability, required updates can be set up to auto-deploy to minimise the window of risk; however, most are tested in a sandbox environment beforehand. Systems are actively monitored.|
|Incident management type||Supplier-defined controls|
|Incident management approach||Crisis and incident management is a key part of our BC and DR policies and is built heavily around the Service Desk system. Major issues and alerts relating to the availability of the Cloud system are automatically logged as new tickets and can be subsequently grouped together as a major incident/crisis. Alerts along with key performance parameters are monitored by the senior engineers, and incident reporting is made via email. All incidents are given a Priority rating and the Response Time will be judged against the agreed Service Level Agreement (SLA).|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£3000 per licence per year|
|Discount for educational organisations||Yes|
|Free trial available||Yes|
|Description of free trial||We have a limited time trial version (up to 28 days) that includes full system functionality.|