[EN] [Pingflow] Security policy & compliance

Security & Compliance

A question of trust and reliability

From the very beginning, we have built Pingflow with data protection and security as our top priority. Information security is an ongoing effort, which is why we continually improve our information security program and ensure that best practices are integrated both within our organization and on our platforms.

Pingflow follows the principles of Secure by Design, being built using modern technologies offering agility, performance, reliability, availability and a level of information security and privacy that enables us to meet our customers’ most stringent requirements.

Terms and conditions of sale

Application Security

How is security integrated into the solution development cycle?

At Pingflow, we use DevOps and Continuous Delivery models. In this context, where software and infrastructure deployments are highly automated, and software deliveries are frequent, the integration of security into the software development cycle is essential.

This development cycle has been designed to ensure that security and confidentiality are an integral part of the development and delivery process.

How are Pingflow solutions available?

Pingflow offers various software solutions available as a service (SaaS), providing you with constant access to the most up-to-date and advanced application, and requiring no maintenance or upgrades on your part.

How is my data protected?

Your data is encrypted in transit using the Transport Layer Security (TLS) 1.2 protocol;
Your data is encrypted at rest using 256-bit AES, one of the strongest block ciphers available;
We protect your data from unauthorized access with multiple access management controls.
We perform version management, and will never delete your data;
Your data is backed up daily and copied off-site.
External data accessed by the Pingview product is not stored, but only kept in a temporary cache that is naturally deleted after one cycle (1h for data sources and 7d for webhooks).

What user identity models and authentication options are supported?

You can choose from two identity models with Pingflow:

Single Sign-On (SSO): an open standard used by identity providers and Single Sign-On (SSO) services to manage user accounts among SaaS providers, including Pingflow .
SAML-based (only for Table powered by Baserow with dedicated instance)
You can integrate the « Table Â» database with your corporate credentials repositories using Security Assertion Markup Language (SAML v2.0) to retain full control of the authentication process. You can also automatically provision and deprovision your users in Table with System for Cross-domain Identity Management (SCIM).

Pingflow accounts

You can also manage user accounts directly in Pingflow.
Minimum password policy (12 characters, 1 special character, etc.)
All accounts are monitored by our security systems and automatically blocked in the event of a brute-force attack (10 unsuccessful attempts over 24 hours).
Identifying information is never stored in a user-readable format; we use a secure one-way hashing algorithm with salting.

How can I limit access to my Pingflow instance?

Access to your Pingflow instance is governed by the roles and access rights configured by your Pingflow administrators.
Customers can choose to restrict access to one or more specific IP ranges so that their instance is only accessible in designated physical locations and through their VPN.
Pingflow also supports access restrictions based on a unique cookie loaded into the web browser accessing the service, the password, as well as SSO login on temporary display points.

How do you manage vulnerabilities?

Pingflow’s security team uses a combination of automated and manual vulnerability scanning to detect, or confirm, the presence of vulnerabilities in our infrastructure and SaaS application. Our security team is responsible for the assessment, prioritization and remediation of confirmed vulnerabilities.

Security of Operations

How do you back up our data?

Customer data is stored redundantly in multiple locations in Pingflow’s hosting provider data centers to ensure availability. Customer data is backed up daily and replicated in near-real time to the designated secondary region of Microsoft Azure.
Backups are performed with no impact on customer data availability. Pingflow’s operations and IT infrastructure can therefore be easily recovered and restored when necessary.
Pingflow regularly tests its disaster recovery measures to ensure adequate resolution of a major disaster.

How can you ensure Pingflow’s availability?

Our team has architected, conceptualized and coded Pingflow’s solutions according to cloud computing principles. Pingflow takes full advantage of Microsoft Azure infrastructure services to offer a high level of availability seamlessly distributed across multiple data centers (Microsoft Azure Availability Zones).

How do you handle security incidents?

Security policy

Data Privacy, Ownership and Control

Who owns the data we store in your service?

You retain full ownership and control of your data.

What happens to our data when we cancel our subscription to Pingflow?
Pingflow will make your data available for retrieval for a period of 60 days following the end of your subscription to give you time to retrieve your data. After this 60-day period, Pingflow will deactivate the account and all copies of your data will be securely deleted.

How do I retrieve our data?

You can export your wallboards in .pingview format.
You can retrieve your data from the no-code Table powered by Baserow database in JSON format using the Pingflow RESTful API or .csv.

How can you be sure that all our data has been deleted?

We have a procedure for the secure deletion of customer data in the event of unsubscription. The task will be assigned to a Pingflow system administrator who will delete all customer data: database, file storage, data backups, encryption keys, as well as your Pingflow instance.

Hosting infrastructure

Where will my data be hosted?

We host Pingflow in France or Europe in Microsoft Azure data centers, the leading provider of Infrastructure as a Service (IaaS).
For more information on their certification and compliance program, please visit the following sites:

  • Azure compliance documentation | Microsoft Learn
  • Our certifications & security | Scaleway

Service Level Agreement ENS


Pingflow is committed to protecting your data, including your employees’ personal information. Consequently, we help your organization demonstrate compliance with privacy laws and regulations, such as the RGPD.

For more information, see our privacy policy

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) seeks to overhaul existing rules and guidelines on how organizations can process the personal data of EU citizens. Its aim is also to standardize data protection laws across Europe.

Privacy policy

What personal information do we collect and process?

When using our services, Pingflow may collect and process two categories of data: customer data and other information.

Customer data: This category includes all personal or non-personal information that the customer may have submitted when interacting with our (Pingflow) services. This category also includes certain types of information or data indirectly created by the customer’s use of our (Pingflow) services, such as, but not limited to, Pingflow application logs, support conversations, etc. It is the customer’s responsibility to verify the legal basis for the collection and processing of personal information through Pingflow’s services (Pingflow), and to manage the requests of any data subjects.

Other information: Pingflow must, in its legitimate interests, collect and process personal information in order to operate as a business. Pingflow may collect and process personal information about its users to carry out its billing, accounting and auditing activities. Pingflow may also send satisfaction surveys to certain users, and collect their responses in order to improve its services and offers to current and future customers. This information is used for internal purposes only.

Who is the data controller and data processor?

As mentioned above, Pingflow collects and processes two categories of data: customer data and other information.
The customer is the data controller for customer data, and Pingflow is the data processor. For other information, Pingflow is the data controller.

How long do we keep personal information?

Customer data: Pingflow will retain all customer data in accordance with the customer’s instructions. Typically, Pingflow will retain all customer data until the end of the data processing services between the customer and Pingflow. The customer may be able to modify or delete any information directly in the Pingflow service, and may request assistance from Pingflow when necessary.

Other information: Pingflow will retain any other information for as long as is necessary to satisfy its legitimate business interests, as set out above in the section « How we handle data subject requests Â».

How do you handle requests from data subjects?

With the new provisions of the RGPD, you have the right to request the following: Right to be forgotten, Right to object, Right to rectification, Right to data portability, Right to access.
Pingflow handles requests from data subjects differently depending on the type of information:
Customer data: in the event that Pingflow receives a request from a data subject in relation to customer data, Pingflow will forward the request to the customer, who acts as data controller. Pingflow never acts without the customer’s instructions. It is the customer’s responsibility to manage such requests. Wherever possible, Pingflow may assist the client if it is unable to fully satisfy the data subject’s request.
Other information: Pingflow will manage requests from data subjects in connection with other information.

Is it possible to sign a DPA with Pingflow to ensure RGPD compliance?

Yes, Pingflow provides its customers with a Data Processing Addendum (DPA).


Access & data collected:

Google user data is accessible via a delegated token, created by SSO authentication. User data can be accessed by queries created by the same user.

Only data accessible or held by the user who created the token on their behalf is accessible by this same token.

List of data that can be accessed:

  • Drive

    • View and download all your files in Google Drive
    • View photos, videos and albums in Google Photos
    • View information about your Google Drive files
  • Email and user account

    • View your data in Google Cloud services and see your Google account email address
  • Youtube

    • View your YouTube account
    • View YouTube Analytics reports related to your YouTube content
  • Contacts

    • View and download your contacts
  • Google Slides

    • View all your Google Slides presentations
  • Sheets

    • View all your Google Sheets spreadsheets
  • Calendar

    • View and download all calendars you have access to using Google Calendar
  • Google Analytics

    • View and download your Google Analytics data
  • Google chat

    • View and manage your conversations and availability
  • Blogger

    • Consult your Blogger account
  • AdSense

    • View your AdSense data
  • Google Tag Manager

    • View your Google Tag Manager container and its subcomponents
  • Search Console

    • View Search Console data for your verified sites
  • Tasks

    • View your tasks
  • Google Cloud Storage

    • View your data in Google Cloud Storage

Use of data:

We store the delegated token in our digital vault. This token, or the data passing through Pingview, is not shared with any third parties. This data is used by the user in wallboards dedicated to on-screen displays. The data can be formatted and displayed by the user who created the delegated token, and then be broadcast on a dynamic display in real time.

Data sharing:

All data retrieved for use in Pingview is stored in a cache for up to 1 hour. The data extracted via this token, and which passes through our platform, is not shared outside the application. No third parties have access to the data.