Security + compliance

The boring stuff.
Handled.

multiflow never stores card data. Every charge runs on your existing PCI-DSS Level 1 processor — Stripe, Square, or Authorize.net — and we sit on top, orchestrating the ledger. Your compliance surface stays exactly where it already is. The reporting and reconciliation layer we own runs on SOC-2-aligned infrastructure with US-only data residency.

No card data stored — PCI-DSS stays on your processor (Stripe, Square, Authorize.net)
TLS 1.3 end-to-end on every parent ↔ child call; HSTS preload
Role-based access; per-entity audit log on every settings change
SOC-2 Type II on the roadmap; current controls audit-ready
US-only data residency; optional EU mirror available
Signed webhooks on every parent → child status handoff; retries with idempotency keys

The boring stuff.Handled.

The boring stuff.
Handled.