Trust center

Everything operators need to sign off.

One page for every security, compliance, data residency, audit, sub-processor, and uptime question that shows up in procurement. Download the packet, send to legal, get the sign-off. No NDA for the first four documents.

SOC 2 Type I · PCI DSS L1 · GDPR / CCPA · HIPAA N/A · BAA on edge

  • SOC 2: Type I complete · Type II aligned
  • PCI DSS: Level 1 inherited via acquirer partners
  • 99.97%: Trailing-12-month orchestration uptime
  • US-only: Data residency. AWS us-east-1 + us-west-2

Six pillars

Every domain your security review covers.

01 — Security architecture

Encryption + access controls

Defense-in-depth across every layer of the orchestration stack. Card data never crosses our boundary.

  • TLS 1.3 end-to-end on every parent → sub-brand call. HSTS preload list enforced.
  • AES-256 at rest for every ledger row. Per-row envelope encryption via AWS KMS. 90-day key rotation.
  • Key rotation automated; CMKs tracked, expired keys quarantined, never reused.
  • MFA required for every portal login. WebAuthn / FIDO2 hardware keys supported for privileged roles.
  • Signed webhooks (HMAC-SHA256) on every handoff. Idempotency keys + retry with backoff.

02 — Data privacy

GDPR + CCPA + residency

Privacy-by-default. Data minimization, purpose limitation, and a 30-day DSR workflow baked in.

  • GDPR aligned — Article 28 processor obligations, Art. 32 security measures, 72-hour breach notification.
  • CCPA / CPRA aligned — consumer rights requests honored within statutory windows.
  • DPA template available on request — operator legal review, no gate.
  • Data residency US-only — AWS us-east-1 + us-west-2 active-active, no cross-border transfer.
  • Data minimization — orchestration ledger stores only the fields required to reconcile.

03 — Compliance inheritance

PCI DSS Level 1 + SOC 2

Card data stays inside regulated processor boundaries. multiflow sits on top as a SAQ D-SP service provider.

  • PCI DSS Level 1 inherited via acquirer partners (Stripe, Square, Authorize.net). No PAN on our infrastructure.
  • SOC 2 Type I complete. Type II audit underway — target Q3 2026. Trust Services Criteria: Security + Availability + Confidentiality.
  • SAQ D-SP attestation available under NDA for enterprise review.
  • ISO 27001 pre-audit documentation available. Full certification on 2027 roadmap.
  • HIPAA not applicable — payment data is financial-exempt under 45 CFR 164.501. BAA on edge cases.

04 — Uptime + reliability

99.97% T12M, public status

Active-active across two AWS regions. Even in a full multiflow outage your processor keeps taking payments.

  • 99.97% uptime — trailing 12 months on the orchestration API.
  • Public status page at multi-flow.pro/status — real-time incidents + 90-day history.
  • Incident response SLA — 15-minute P1 ack, 60-minute containment, 72-hour post-incident review.
  • RTO 15 min · RPO 60 sec — failover tested quarterly.
  • 35-day PITR — point-in-time recovery window on ledger data.

05 — Audit logs + access

Per-brand trail, quarterly review

Every settings change, login, and API action is logged at the per-brand level. SIEM-forwarded, immutable, 7-year retention.

  • Per-brand audit trail — every ledger mutation tagged with actor, timestamp, source IP, and diff.
  • Role-based access (RBAC) — every role scoped to specific sub-brands. Least-privilege enforced.
  • Quarterly access review — operator-initiated; stale roles auto-flagged.
  • 7-year immutable archive — appended to WORM storage, cryptographically signed.
  • Exportable — operators can pull their own audit log via API at any time.

06 — Sub-processor transparency

Full vendor list, 30-day notice

Every third party that touches any slice of your operational data, named and scoped. 30-day advance notice on material changes.

  • Full list at /sub-processors/ — AWS, Cloudflare, Datadog, Sentry, SendGrid, PagerDuty, processor partners.
  • Purpose + data scope documented per vendor.
  • 30-day advance notice on additions or material scope changes (enterprise tier).
  • Vendor DPAs in place with every sub-processor that touches customer data.
  • Annual vendor security review — SOC 2s re-collected, scoped access re-validated.

Certifications + attestations

The badges your audit team already knows.

  • SOC 2 Type I: Complete · 2026
  • PCI DSS L1: Inherited · SAQ D-SP
  • GDPR Art. 28: DPA · 72h breach
  • CCPA / CPRA: Service provider terms
  • ISO 27001: Pre-audit · 2027
  • HIPAA BAA: Edge-case coverage

Download packet

Procurement packet — send straight to legal.

Four documents, no form, no gate. If you need the SOC 2 report itself, request under NDA at security@multi-flow.pro.

Procurement FAQ

Ten questions your security review always asks.

No. Card PANs never cross the multiflow boundary. Your PCI DSS Level 1 processor tokenizes the card at entry; multiflow receives the token only, writes the per-brand ledger row, and sets the descriptor. Our PCI scope is SAQ D-SP (service provider) — we never handle, transmit, or store PAN data.

Exclusively in the United States. Primary region AWS us-east-1, active-active failover to us-west-2. No data leaves US borders. Cross-border access restricted at the network boundary. US residency is default and non-negotiable.

Yes — Type I report available under NDA, usually within 48 hours for enterprise procurement. Type II audit is underway with a Big Four firm, target delivery Q3 2026. SOC 2 readiness letter is downloadable above without NDA.

P1 acknowledgement within 15 minutes, containment deployed within 60 minutes, public status-page update within 30 minutes of P1 confirmation, customer-facing post-incident review published within 72 hours. Regulatory notifications (GDPR 72h, CCPA 30d, card network timeframes) handled in coordination with operator legal teams.

30-day turnaround on GDPR / CCPA access, portability, deletion, and correction requests. Operators route end-customer requests to us through a dedicated endpoint; we verify, execute, and return the confirmation artifact back to the operator for their records.

Yes. Our DPA is Article 28 processor terms + CCPA service provider terms + SCCs where relevant. Template above is download-ready. Enterprise operators can redline; we countersign within 5 business days for standard terms.

AWS (compute / storage / KMS), Cloudflare (CDN / WAF), Datadog (observability), Sentry (error tracking), SendGrid (transactional email, operator-only), PagerDuty (incident alerting). Full list with purpose + data scope at /sub-processors/. 30-day advance notice on material changes.

Quarterly 3rd-party pentest (rotating firms). Daily SCA (Snyk + Dependabot). Weekly DAST against staging. Annual red-team including social + physical. SAST + secret-scanning on every commit. Most-recent pentest summary available under NDA.

TOTP (authenticator app) required on every portal account. WebAuthn / FIDO2 hardware keys (YubiKey, Titan, Apple Passkeys) required for privileged roles. SMS-based codes are not supported — deprecated per NIST SP 800-63B guidance.

Email security@multi-flow.pro. Enterprise accounts get a named security point-of-contact, quarterly compliance syncs, and RFP / questionnaire turnaround within 48 hours. Vulnerability reports routed through the same inbox; safe-harbor policy applies to good-faith research.

Security review pending? Our team is standing by.

Send RFPs, questionnaires, vendor forms, or NDA requests to security@multi-flow.pro — or book a security-architecture review with the team.
