The most agile all‑in‑one app ever made.

Cloud and data security is critical to everything we do at Favro.

See why large scale enterprises trust us with their most valuable work.

Keeping the cloud secure

Authentication - SAML and SSO

All plans support SSO via Google and GitHub. On the enterprise plan Favro offers full support for SAML based authentication. We also support third party authentication services OneLogin and Okta via SAML. Favro automatically provisions and disables SAML accounts through the SCIM 1.0 and SCIM 2.0 protocols. Two factor authentication is available for all Favro password accounts.

Encryption - at rest and in transit

Your data is safe. We encrypt all data in transit with TLS 1.2 or later and we carefully enable only ciphers with the highest security. The database is encrypted at rest on the servers in the cloud.

Data in the EU

Many organizations want to gain full control over where their data is physically stored. Sometimes, this is even required under mandatory laws and regulations, where non-compliance might lead to penalties and liability for damages. For this reason, we let all our customers know where their data is stored.
EU was chosen as the lowest common denominator policy for corporations and governments approval globally. Amazon AWS and CityCloud host the cloud servers and are our trusted partners. They are certified for ISO 9001, 14001, 22301, 27001, 27018 and harbour companies like Favro as well as financial institutions. Your data is stored in MongoDB and encrypted at rest. Encrypted backups are performed continuously to at least three locations in the EU with point in time recovery.

In the upcoming Enterprise Plus plan our customers can even select in which part of the world they would like their data to be stored.

People and access

Only a limited number of certified staff within Favro have access to the application cloud where Favro is stored. Administration for the application cloud is done on a segmented network with separate physical network equipment and separate management computers used only for secure management.

Favro continuously monitors the health, security and performance of the cloud.

Organizational governance, policies & procedures

Physical security is one thing, but as a customer you also need to make sure your cloud provider has adopted internal policies and procedures to protect your data. Without such organizational governance in place, physical safeguards can only take you so far. At Favro, we consider it a top priority to maintain the highest level of security for our customers’ data. Our internal security measures include inter alia:

  • Anti-virus.
  • Firewalls.
  • Multifactor user authentication for our employees.
  • Access controls.
  • IT security policy.
  • Thorough recruitment processes when hiring new employees.
  • Restrictions on what kind of information we store.
  • Contingency plan, to prevent loss of data in case of unexpected circumstances.
  • Process in place for monitoring the fulfillment of contractual obligations towards our customers regarding data protection.
  • Training our employees on different aspects of data security and personal data.

Information security compliance and certification

We don't just talk the talk — we walk the walk. Our security and privacy programs have been verified and certified by an independent and accredited third-party ISO/IEC 27001 and ISO/IEC 27701 audits.

In addition, we are PCI DSS (SAQ A 3.2.1) compliant to ensure the highest standards for all our transactions.


Can you confirm that data is stored in data centers exclusively located in Europe?

Until we have implemented customer choice for data locality we have committed to keep the customer data within the EU.

Where is data stored?

All Favro data except uploaded attachments is stored in MongoDB. Uploads are stored in AWS S3 buckets.
Some data such as credit card data is stored by our subcontracts for PCI compliance.

How is access to files in S3 buckets secured?

Buckets have no public access. Access is only granted for upload and download with pre-signed URLs.
The users web browser uploads and downloads directly to/from the bucket with pre-signed URLs.
Read access is granted based on the cards a user has access to. If the user has access to the card, it also has access to the attachments on the card. The browser gets access to the pre-signed URLs only if the user has permission to access the card that the attachment is uploaded to.
The pre-signing URLs that grant read access expire after 24 hours.

What is the retention period for database backups?

Point in time backups are stored for at least 1 month back, and monthly backups are stored for at least 6 months

Is IP address whitelisting available?

We currently don't support IP whitelisting, but on the Enterprise plan you can enable SAML and use the IP whitelisting support of your SAML identity provider.