> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fluz.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & compliance

> How Fluz protects funds, customer data, and card credentials — and what that means for your integration.

Fluz is built to keep you out of scope for the parts of financial infrastructure that are hardest to get right.

## Certifications

* **SOC 2 Type II** — audited annually.
* **PCI DSS Level 1** — the highest tier of card-data compliance.
* **FDIC-insured banking partners** — balances are held at insured US institutions.

## Data protection

* TLS 1.2+ required for every request; older versions rejected at the load balancer.
* Data encrypted at rest with AES-256.
* PANs, CVVs, and PINs never appear in your logs — they're only accessible through PCI-compliant [widgets](/developers/widgets).
* Secrets rotated automatically; API keys and OAuth secrets can be rotated on demand from the dashboard.

## Fraud monitoring

* 24/7 fraud operations team monitoring transactions in real time.
* ML-based scoring on every authorization.
* Automatic velocity checks; you can add your own rules via the dashboard.
* Optional manual review holds for high-risk flows.

## Your responsibilities

1. **Never ship `clientSecret` values to a client.** Mint access tokens on your server.
2. **Verify webhook signatures** before trusting a payload. See [Configure App Widget](/developers/configure-app-widget) for webhook URL setup.
3. **Scope tokens narrowly.** Only request the scopes you actually use — mint a new token when you need broader access.
4. **Persist your own operation IDs** so retries land safely under de-duplication (see [Idempotency](/concepts/idempotency)).
5. **Rotate application secrets** on employee turnover and after any suspected exposure.

## Reporting a vulnerability

Email `humans@fluz.app` with reproduction steps. We acknowledge within one business day and coordinate disclosure timelines with reporters.
