Skip to main content
Fluz is built to keep you out of scope for the parts of financial infrastructure that are hardest to get right.

Certifications

  • SOC 2 Type II — audited annually.
  • PCI DSS Level 1 — the highest tier of card-data compliance.
  • FDIC-insured banking partners — balances are held at insured US institutions.

Data protection

  • TLS 1.2+ required for every request; older versions rejected at the load balancer.
  • Data encrypted at rest with AES-256.
  • PANs, CVVs, and PINs never appear in your logs — they’re only accessible through PCI-compliant widgets.
  • Secrets rotated automatically; API keys and OAuth secrets can be rotated on demand from the dashboard.

Fraud monitoring

  • 24/7 fraud operations team monitoring transactions in real time.
  • ML-based scoring on every authorization.
  • Automatic velocity checks; you can add your own rules via the dashboard.
  • Optional manual review holds for high-risk flows.

Your responsibilities

  1. Never ship clientSecret values to a client. Mint access tokens on your server.
  2. Verify webhook signatures before trusting a payload. See Configure App Widget for webhook URL setup.
  3. Scope tokens narrowly. Only request the scopes you actually use — mint a new token when you need broader access.
  4. Persist your own operation IDs so retries land safely under de-duplication (see Idempotency).
  5. Rotate application secrets on employee turnover and after any suspected exposure.

Reporting a vulnerability

Email humans@fluz.app with reproduction steps. We acknowledge within one business day and coordinate disclosure timelines with reporters.