Certifications
- SOC 2 Type II — audited annually.
- PCI DSS Level 1 — the highest tier of card-data compliance.
- FDIC-insured banking partners — balances are held at insured US institutions.
Data protection
- TLS 1.2+ required for every request; older versions rejected at the load balancer.
- Data encrypted at rest with AES-256.
- PANs, CVVs, and PINs never appear in your logs — they’re only accessible through PCI-compliant widgets.
- Secrets rotated automatically; API keys and OAuth secrets can be rotated on demand from the dashboard.
Fraud monitoring
- 24/7 fraud operations team monitoring transactions in real time.
- ML-based scoring on every authorization.
- Automatic velocity checks; you can add your own rules via the dashboard.
- Optional manual review holds for high-risk flows.
Your responsibilities
- Never ship
clientSecretvalues to a client. Mint access tokens on your server. - Verify webhook signatures before trusting a payload. See Configure App Widget for webhook URL setup.
- Scope tokens narrowly. Only request the scopes you actually use — mint a new token when you need broader access.
- Persist your own operation IDs so retries land safely under de-duplication (see Idempotency).
- Rotate application secrets on employee turnover and after any suspected exposure.
Reporting a vulnerability
Emailhumans@fluz.app with reproduction steps. We acknowledge within one business day and coordinate disclosure timelines with reporters.