Flo Health: A Case Study in Building Compliance Foundations at Startup Speed

The Challenge: Speed vs. Compliance

When Flo Health decided to build regulatory-ready infrastructure for its health features, the company faced a dilemma many digital health companies know all too well: how to establish robust compliance foundations without sacrificing the speed that made it successful in the first place?

Flo is not a small operation. The company serves over 420 million users globally, making it the world’s leading FemTech app and the number one OB-GYN-recommended app. Roughly one in five women aged 18-35 in both the United States and the United Kingdom use it. The engineering team runs around 400 A/B tests concurrently, more than 1,000 per year, and releases daily.

For a company moving at that pace, introducing a Quality Management System (QMS) felt daunting. As Roman, Flo’s Chief Technology Officer, explained during a recent discussion of the company’s regulatory journey, the concern was real: would a QMS slow down innovation and feature development?

The 87-Day Timeline

Working with compliance partner Ketryx, Flo went from deciding to build regulatory-ready infrastructure to having it operational in roughly 87 days, a pace many in the industry would consider remarkable.

The work broke down into two phases. The first two weeks went to planning and setup: building a common vocabulary for regulated application development, agreeing on shared goals, and mapping the existing development workflow onto the processes that regulatory compliance requires.

The remaining eight weeks were intensive sprints: training the team, integrating with repositories and test tooling, connecting JIRA and other systems, hooking into the CI/CD pipelines so that build, test, and deployment evidence is captured automatically, and generating a Design History File (DHF). The goal was to produce traceability matrices directly from the source systems of record, with risk analysis and threat modeling carried out as part of an ordinary SaaS and AI development workflow rather than assembled by hand after the fact.

The Strategic Architecture Decision

One of the most consequential decisions was architectural. Rather than placing the entire app under the QMS, which would have burdened features that need no heightened regulatory oversight, the team designed a flexible, modular approach.

Simas, Director of Engineering at Flo and previously Director of Software as a Medical Device at AstraZeneca, led much of this thinking. As he explained, regulators have been clear that they expect software interoperability and recognize the principle of systems of systems: a regulated component can coexist with unregulated ones as parts of a larger whole. The approach was to identify which functions benefit from enhanced quality processes, isolate them, and keep the rest of the app on standard development workflows.

In practice, some engineers work within QMS processes while others continue outside them. The app’s community feature, a social function that lets users communicate with each other, does not call for the same level of regulatory consideration. More sophisticated health capabilities, such as symptom evaluations and risk assessments, benefit from the additional rigor.

What Actually Changed for Engineers

The team set explicit goals: no decrease in developer satisfaction for teams working under the QMS compared with those that don’t, and no decrease in speed in either group.

According to Roman, engineers’ day-to-day work has changed very little. The company still operates at the same speed and agility as before, but now with a more robust compliance infrastructure in place. Most regulatory and compliance processes are automated and run in the background.

Simas offered an even more optimistic perspective: the engineering teams working within the quality management system may have actually gotten faster, in part because engineers are excited about the possibilities this infrastructure enables. The work carries additional meaning—they’re building toward more sophisticated health capabilities.

The Role of Automation

A core principle throughout the transformation was maximizing automation. As Roman put it, engineers should focus on building software, not on managing spreadsheets or completing checkbox exercises. Asking engineers to perform manual compliance steps makes them bored; churn rises and productivity drops.

Automation also reduces human error. Manual processes invite mistakes: copy-paste errors, skipped steps, inconsistent documentation. Once the processes are automated and the compliance checks live in code, they are repeatable, reviewable, and far less error-prone.

The team integrated the compliance tooling into their CI/CD pipeline so that artifacts are captured automatically. They also explored using AI to analyze pull requests, find the relevant items in the compliance system, and keep the Design History File current as a reflection of code changes. A human remains in the loop to confirm that the processes ran correctly; the aim is to spend engineers’ attention on reviewing outputs rather than on copying information by hand.
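To make the evidence-capture and traceability idea from the timeline and automation sections concrete, here is an added example of a traceability gate that a CI/CD pipeline for a QMS-scoped component could run. It is not Flo’s or Ketryx’s code. It assumes a convention of referencing requirements as REQ-n in commit messages and naming test cases TC-n; the requirements, commits and test results embedded in it are constructed for illustration.

```python
"""Traceability gate for a QMS-scoped component (illustrative, constructed data).

Takes three kinds of evidence a CI/CD pipeline can capture automatically:
the requirements list (ticketing system), the commits that landed (repository)
and the test results of the build (test runner).  It builds the
requirement -> change -> test traceability matrix and fails the build when a
link is missing.  The REQ-n / TC-n identifier scheme and every record below
are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field

# Requirement references are expected in commit messages as "REQ-<n>" (assumed convention).
REQ_REF = re.compile(r"\bREQ-\d+\b")

# Constructed sample data standing in for the systems of record.
REQUIREMENTS = {
    "REQ-1": "Cycle prediction is shown together with its confidence window",
    "REQ-2": "Symptom risk assessment is blocked until the medical-review flag is set",
    "REQ-3": "Every risk assessment result is written to the audit log",
}

COMMITS = [
    {"sha": "a1b2c3d", "message": "Show prediction window REQ-1"},
    {"sha": "b2c3d4e", "message": "Gate risk assessment on review flag (REQ-2)"},
    {"sha": "c3d4e5f", "message": "Tighten input validation REQ-9"},  # unknown requirement
    {"sha": "d4e5f6a", "message": "Bump dependency versions"},          # no requirement link
]

TEST_RESULTS = [
    {"test": "TC-1", "verifies": "REQ-1", "status": "passed", "build": "pipeline-4711"},
    {"test": "TC-2", "verifies": "REQ-2", "status": "failed", "build": "pipeline-4711"},
]


@dataclass
class TraceRow:
    """One row of the traceability matrix: a requirement and its evidence."""
    requirement: str
    commits: list = field(default_factory=list)
    tests: list = field(default_factory=list)

    @property
    def verified(self) -> bool:
        # Verified only if at least one test covers the requirement and none failed.
        return bool(self.tests) and all(t["status"] == "passed" for t in self.tests)


def build_matrix(requirements, commits, tests):
    """Link commits and test results to requirements; collect evidence that links nowhere."""
    rows = {rid: TraceRow(rid) for rid in requirements}
    orphans = []
    for commit in commits:
        refs = REQ_REF.findall(commit["message"])
        if not refs:
            orphans.append(f"{commit['sha']}: change is not linked to any requirement")
        for ref in refs:
            if ref in rows:
                rows[ref].commits.append(commit["sha"])
            else:
                orphans.append(f"{commit['sha']}: references unknown requirement {ref}")
    for result in tests:
        target = result["verifies"]
        if target in rows:
            rows[target].tests.append(result)
        else:
            orphans.append(f"{result['test']}: verifies unknown requirement {target}")
    return rows, orphans


def find_gaps(rows, orphans):
    """Each finding is a hole that a hand-maintained spreadsheet tends to miss."""
    findings = []
    for row in rows.values():
        if not row.commits:
            findings.append(f"{row.requirement}: no implementing change")
        if not row.tests:
            findings.append(f"{row.requirement}: no verifying test")
        elif not row.verified:
            failing = ", ".join(t["test"] for t in row.tests if t["status"] != "passed")
            findings.append(f"{row.requirement}: verification failing ({failing})")
    return findings + orphans


def render_matrix(rows):
    """Human-readable matrix rows, suitable for attaching to the DHF as evidence."""
    lines = ["requirement | commits | tests | verified"]
    for row in rows.values():
        lines.append(
            f"{row.requirement} | {','.join(row.commits) or '-'} | "
            f"{','.join(t['test'] for t in row.tests) or '-'} | {row.verified}"
        )
    return lines


def gate(requirements, commits, tests):
    """CI gate: returns (passed, findings).  The pipeline fails the build if not passed."""
    rows, orphans = build_matrix(requirements, commits, tests)
    findings = find_gaps(rows, orphans)
    return not findings, findings


if __name__ == "__main__":
    ok, findings = gate(REQUIREMENTS, COMMITS, TEST_RESULTS)
    rows, _ = build_matrix(REQUIREMENTS, COMMITS, TEST_RESULTS)
    print("\n".join(render_matrix(rows)))
    for finding in findings:
        print("GAP:", finding)
    raise SystemExit(0 if ok else 1)
```

Run in the pipeline of the QMS-scoped component, the gate fails the constructed build for five reasons: REQ-2’s verifying test failed, REQ-3 has neither an implementing change nor a test, one commit points at a requirement that does not exist, and one commit is not linked to any requirement at all. Those are exactly the skipped steps and copy-paste errors the article says manual processes invite. The caveat a practitioner should keep in mind is that links parsed from commit messages or pull-request text are only as trustworthy as the review that approved them, which is why the human stays in the loop even when the collection is automated.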

Why Regulatory Readiness Matters for Flo Health

Flo has evolved considerably since its early days. The company invested in medical safety and accuracy from the start, establishing a medical board to oversee feature development and employing in-house doctors. But as Roman explained, the early product was essentially a digital health book: it provided health insights and information.

The ambition now is different. Flo is no longer merely a period-tracking app but an essential health partner for women throughout their lives, from their early days through perimenopause and menopause. That shift requires infrastructure able to support increasingly sophisticated health features, whatever form those take in the future.

AI plays a significant role in this evolution. Machine learning models already underpin key features such as cycle predictions. AI is also embedded in how the company works: engineers use it to write code and documentation, and it serves as a tool for content generation and review. As Simas noted, AI is clearly not going anywhere, so the company must find ways to keep its agility and speed while having AI at the core of the product.

Lessons for Other Digital Health Companies

The Flo team offered several pieces of advice for others embarking on similar journeys.

Start early. Roman emphasized that companies should not wait for an urgent need before building regulatory infrastructure. Good engineering practice, such as CI/CD, tools that integrate with each other, and proper ticket management, should be in place regardless; those foundations let a QMS implementation proceed quickly when the time comes.

Think of compliance as a growth enabler, not a burden. Roman’s framing was direct: if you’re in a regulated environment and you can release twice as fast as your competitor, you’ll be twice as successful as a business. It becomes a competitive advantage.

Design compliance into the organization. Timothy, Flo’s Chief Legal and Compliance Officer, emphasized compliance by design: the best compliance is embedded in the organization’s structure and its systems, so that people meet requirements because the systems are built that way rather than by constantly consulting rigid rules.

Automate everything possible. Simas’s advice was simple: automate as much as possible so engineers can focus on building things rather than manually documenting what they’ve built.

The Bigger Picture

Flo’s journey reflects a broader shift in digital health. Named one of Time Magazine’s Best Inventions of the Year and backed by a $200 million funding round led by General Atlantic, the company represents a new generation of consumer health apps building foundations that can support whatever the future of digital health requires.

The company’s scale is significant: a 200+ person global engineering, data science, and security organization. Perhaps more important is its commitment to serving users regardless of their ability to pay. Through its “Pass it On Project,” the app is free in many countries, including India and Ukraine, and across Africa, reflecting a belief in investing in health education and empowering women worldwide.

By building regulatory-ready infrastructure now, Flo has positioned itself to pursue increasingly sophisticated health capabilities as the digital health landscape evolves. And they’ve shown it’s possible to get there in 87 days without sacrificing the experimentation and speed that built the company in the first place.