Privacy Policy

Last updated on August 14, 2025.

1. Introduction

FLXBL Solutions PTY Ltd (“FLXBL Solutions,” “we,” “us,” or “our”) is committed to protecting the privacy and confidentiality of information entrusted to us by our clients, partners, employees, and website visitors.

This Privacy Policy describes how we collect, use, disclose, retain, and protect information in the course of providing our Salesforce Platform Engineering solution and related services. It applies to all personnel, contractors, and third parties acting on behalf of FLXBL Solutions.

FLXBL Solutions is an Australian company (PTY Ltd) operating as a remote-first organisation.

2. Scope

This policy applies to:

  • All data and information processed by FLXBL Solutions in the delivery of its Salesforce Platform Engineering solution and managed services
  • Information collected through our website and digital platforms
  • Employee and contractor personal information
  • All organisational systems, processes, and third-party services used in operations

3. Service Description and Data Processing

3.1 Nature of Our Services

FLXBL Solutions provides a purpose-built Salesforce Platform Engineering solution that enables development teams to automate and streamline their Salesforce release management, CI/CD pipelines, and deployment processes. The platform is available as:

  • A managed service hosted on dedicated, isolated infrastructure per client
  • A self-hosted solution deployed on the client's own infrastructure

The platform integrates with client Salesforce orgs and version control systems via API tokens to manage metadata, configuration, and code across environments.

3.2 Data We Process

In the course of delivering our services, FLXBL Solutions processes the following types of client-scoped data:

  • Salesforce metadata (e.g., object definitions, field configurations, automation rules)
  • Salesforce configuration data
  • Source code and deployment artifacts
  • CI/CD pipeline configurations and logs

3.3 Data We Do Not Process

FLXBL Solutions does not collect, access, process, store, or retain personally identifiable information (PII) as part of its service delivery. Our platform operates exclusively on Salesforce metadata and configuration data. We do not access data records within clients' Salesforce orgs.

Specifically, we do not process:

  • Personal data or PII of any classification
  • Protected Health Information (PHI)
  • Financial or payment card data
  • Consumer report information
  • Data of minors
  • Data subject to GLBA, HIPAA, FACTA, or equivalent regulations
  • EU/UK personal data or sensitive personal data as defined under GDPR
  • Personal information as defined under PIPEDA or Canadian provincial privacy regulations
  • Personal information as defined under U.S. State Privacy Regulations (e.g., CCPA, CPRA)

4. Information We Collect

4.1 Business Contact Information

We may collect business contact information from clients, prospects, and partners for the purpose of managing business relationships, including:

  • Names and job titles
  • Business email addresses
  • Business phone numbers
  • Company names

This information is collected directly from the individuals concerned or from publicly available business sources.

4.2 Employee and Contractor Information

We collect and process personal information from employees and contractors as necessary for employment and engagement purposes, in compliance with applicable Australian employment and privacy laws (including the Privacy Act 1988 and the Australian Privacy Principles).

4.3 Website and Platform Information

Our website and platform may collect standard technical data for operational and security purposes, including:

  • IP addresses
  • Browser type and version
  • Usage patterns and access logs
  • Authentication and session data for authorised platform users

4.4 Client Service Data

As described in Section 3.2, we process Salesforce metadata and configuration data on behalf of our clients. This data is processed solely for the purpose of delivering our DevOps services and is not used for any other purpose.

5. How We Use Information

We use the information we collect for the following purposes:

  • Service delivery: To provide, operate, and maintain our Salesforce Platform Engineering solution and managed services
  • Client communication: To communicate with clients regarding service delivery, support, and account management
  • Security and compliance: To monitor, detect, and respond to security threats and to comply with our legal and contractual obligations
  • Business operations: To manage employee and contractor relationships, financial administration, and business development activities
  • Improvement: To improve our platform, services, and user experience
  • Legal compliance: To comply with applicable laws, regulations, and contractual requirements

We do not sell, rent, or trade any information to third parties.

6. Data Minimisation

FLXBL Solutions adheres to the principle of data minimisation. We collect and process only the information that is necessary for the specific purposes described in this policy. Access to information is restricted to authorised personnel on a need-to-know basis, enforced through role-based access controls monitored via Vanta, our compliance automation platform.

7. Information Sharing and Disclosure

7.1 Third-Party Service Providers

We engage the following categories of third-party service providers who may have access to information in the course of service delivery:

  • Cloud infrastructure providers (Hetzner, AWS) — hosting of the managed service platform on dedicated, isolated infrastructure per client
  • SaaS tools — for internal operations, communication, and business management
  • Compliance and security tools (Vanta) — for compliance automation, monitoring, and evidence collection

All third-party providers are subject to contractual agreements that include data protection, confidentiality, and security obligations. Third-party relationships are tracked and monitored through Vanta.

7.2 Client Platforms

The FLXBL platform integrates with client Salesforce orgs and GitHub repositories via API tokens provided by the client. Access is limited to the metadata and configuration data necessary for service delivery.

7.3 Legal Requirements

We may disclose information where required by law, regulation, court order, or other legal process, or where necessary to protect the rights, safety, or property of FLXBL Solutions, our clients, or others.

7.4 No Sale of Information

FLXBL Solutions does not sell, rent, or trade personal information or client data to any third party.

8. Data Security

FLXBL Solutions implements administrative, technical, and physical safeguards to protect information against unauthorised access, disclosure, alteration, or destruction. These safeguards include:

  • Encryption: Data is encrypted in transit (TLS) and at rest
  • Access controls: Role-based access control and the principle of least privilege are enforced across all systems; multi-factor authentication (MFA) is required for all critical systems
  • Endpoint security: All company-managed devices are secured with full disk encryption, endpoint detection and response (EDR) software, and automated patching
  • Monitoring: Continuous security monitoring via Vanta, including automated compliance checks, vulnerability tracking, and alerting on security events
  • Infrastructure isolation: Client environments are dedicated and isolated on Hetzner and/or AWS infrastructure
  • Incident response: A documented Incident Response Plan is maintained covering identification, containment, eradication, recovery, and lessons learned
  • Vendor security: Third-party providers are assessed and monitored through the vendor risk management program

FLXBL Solutions is currently pursuing ISO 27001 certification to further formalise its information security management system.

9. Data Retention and Disposal

We retain information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws and contractual obligations. Our Data Retention Policy defines specific retention periods based on data classification.

When information is no longer required, it is securely disposed of using methods appropriate to the data type and classification, including secure deletion of electronic records.

Client-scoped data is retained in accordance with contractual agreements and securely deleted upon contract termination or at the client's request, subject to any applicable legal retention requirements.

10. Use of Artificial Intelligence

FLXBL Solutions uses AI tools in its development workflow. These tools are used to assist with code quality and development efficiency.

  • AI tools are used on source code and metadata only — no personal data is processed by AI tools
  • AI-generated outputs (e.g., code suggestions) are subject to human review before acceptance
  • The organisation is developing formal AI governance policies to address risk management, acceptable use, and regulatory requirements as part of its compliance maturity program

11. International Data Considerations

FLXBL Solutions is headquartered in Australia. Client-scoped data (Salesforce metadata and configuration data) may be processed and stored on infrastructure located in jurisdictions where Hetzner and AWS operate data centres.

As FLXBL Solutions does not process PII, the data processed is not subject to international privacy transfer mechanisms such as GDPR Standard Contractual Clauses or APEC Cross-Border Privacy Rules. Where client contracts specify data residency requirements, these are accommodated through the selection of appropriate hosting regions.

12. Client Rights and Responsibilities

12.1 Client Access

Clients retain ownership of their scoped data (Salesforce metadata and configuration data) at all times. Clients may request access to, correction of, or deletion of their data in accordance with the terms of their service agreement.

12.2 API Tokens and Credentials

Clients are responsible for managing API tokens and credentials used to integrate the FLXBL platform with their Salesforce orgs and repositories. FLXBL Solutions does not access or use these credentials for any purpose other than delivering the contracted services.

13. Employee and Individual Rights

Employees, contractors, and individuals whose business contact information we hold may:

  • Request access to the personal information we hold about them
  • Request correction of inaccurate or incomplete information
  • Request deletion of their information, subject to legal and contractual retention requirements
  • Withdraw consent to processing, where consent is the basis for processing

Requests can be directed to the Privacy Contact listed in Section 16 of this policy.

14. Policy Compliance and Enforcement

All FLXBL Solutions personnel and contractors are required to comply with this Privacy Policy. Compliance is monitored through Vanta, which tracks policy acknowledgment, security training completion, and adherence to data protection controls.

Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or engagement.

15. Policy Review

This Privacy Policy is reviewed at least annually and updated as necessary to reflect changes in the organisation's operations, legal requirements, or industry best practices. Material changes will be communicated to relevant stakeholders.

16. Contact Information

For questions, concerns, or requests relating to this Privacy Policy or the handling of your information, please contact:

FLXBL Solutions PTY Ltd
Email: info@flxbl.io
Website: https://flxbl.io

17. Australian Privacy Act Compliance

FLXBL Solutions complies with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). While the primary services provided by FLXBL Solutions do not involve the processing of personal information as defined under the APPs, we are committed to upholding the principles of the Act in all aspects of our operations, including our handling of employee data and business contact information.

Individuals who believe their privacy has been breached may lodge a complaint with:

  • FLXBL Solutions using the contact details provided in Section 16
  • The Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au