Certifications
SOC 2 Type II (cert 2026, audit by Schellman). Annual penetration test by Trail of Bits. Bug bounty via HackerOne (public).
Encryption
TLS 1.3 in transit. AES-256 at rest. Per-tenant KMS keys in Cloudflare Workers Secrets + R2 SSE-KMS.
Identity
OAuth 2.1 + OIDC. MFA required for Owner, GM, and Biller roles. SSO available on Group plans via SAML / OIDC; SCIM provisioning included.
Network
Cloudflare-only. WAF + Bot Management on every tenant. Rate limiting per tenant + per route. mTLS for service-to-service.
Audit chain
Append-only, Merkle-rooted, HSM-signed. Each tenant can verify its own chain at /security/verify. We publish a daily proof of inclusion at /security/proof.
Incident response
Severity matrix with target times in the Trust Center. 72-hour notification to controllers of any unauthorized disclosure of tenant data.
Reporting a vulnerability
security@flashfender.com (PGP key at /security/pgp). We acknowledge within 24 hours and triage within 72 hours.
Third-party assessments
Quarterly vendor reviews. SBOM generated per release. Available to Group tenants with NDA via /security/sbom.
Looking for something specific? Email legal@flashfender.com — we read everything within 2 business days.