Security + compliance

The boring stuff.
Handled seriously.

No card data touches us. Charges run on your PCI-DSS Level 1 processor; multiflow orchestrates the ledger on top. SOC-2-aligned infra, US-only residency, TLS 1.3 end-to-end, per-entity audit log on every change.

0 Card PANs stored at multiflow — ever
99.95% Monthly orchestration-API uptime SLO
15 min On-call ack target on P1 alerts
7 yr Immutable per-entity audit log

PCI-DSS 4.0.1 Minimal scope
SOC 2 Type I · Type II in progress
GDPR + CCPA DPA on request
TLS 1.3 End-to-end, HSTS preload
AES-256 Encryption at rest

Compliance posture

Audit-ready on every framework your buyers request.

PCI-DSS 4.0.1

Live

SAQ D-SP service provider scope. Tokens only — no PAN. Attestation + memo under NDA.

SOC 2 Type II

In progress

Type I complete Q1 2026. Type II audit underway, target Q3 2026. Security · Availability · Confidentiality.

GDPR + CCPA

Live

DPA on request. US-only residency default. 30-day DSR + deletion workflow.

HIPAA

When applicable

Payment data is financial-exempt (45 CFR 164.501). No PHI stored. BAA on edge cases.

ISO 27001

On roadmap

Target Q1 2027. Already mapped to ISO 27002:2022 Annex A — pre-audit document available.

Card network rules

Live

Visa Core · Mastercard Chargeback · Amex OnePoint. Representment tracks current rulebooks.

Core controls

Every control your security team will ask about.

Zero card data retention

PCI-DSS scope stays on your processor. Tokens flow through multiflow; PANs never do.

TLS 1.3 + HSTS preload

Every parent ↔ sub-brand call encrypted in transit. HSTS preload list entry enforces HTTPS at browser level.

AES-256 at rest

Every row in the ledger encrypted. Per-row key envelope via AWS KMS. 90-day key rotation.

RBAC + least-privilege

Every role scoped to specific sub-brands. Permissions reviewed quarterly.

7-year audit log

Per-entity audit log on every settings change. SIEM-forwarded. Immutable archive.

Signed webhooks (HMAC-SHA256)

Every parent → sub-brand handoff signed. Idempotency keys + at-least-once retry.

MFA required

Every operator login. WebAuthn / FIDO2 hardware key support for privileged roles.

IP allowlisting

Per-sub-brand IP allowlists available for admin actions.

Rate limiting + anomaly detection

Every API endpoint. ML-based anomaly scoring on unusual traffic patterns.

Separation of duties

Production deploys require 2-engineer approval. DBA access gated behind break-glass escalation.

How data flows

Your card data never touches us.

1. Customer browser: Card entered

Direct from customer to the processor over TLS 1.3. Never routed through us.

2. PCI-DSS Level 1 processor: Tokenized

Stripe · Square · Authorize.net returns a token. PAN stays inside their PCI boundary.

3. multiflow orchestration: Receives token only

We set the per-brand descriptor, write the ledger row. No PAN, ever.

4. Your operator systems: Signed webhooks

CRM · CX · analytics get HMAC-signed event payloads — never card data.

Sub-processors

Every vendor we share your data with.

| Vendor | Purpose | Data scope | Region |
|---|---|---|---|
| AWS | Compute, storage, KMS | Orchestration data (encrypted) | US |
| Cloudflare | CDN, WAF, DDoS | Request metadata, no payloads | Global edge |
| Datadog | Application monitoring | Metrics + logs (PII redacted) | US |
| Stripe / Square / Authorize.net | Payment processing (yours) | Full charge data (PCI boundary lives here) | Per processor |
| SendGrid | Transactional email | Operator emails only, no customer data | US |
| Sentry | Error tracking | Errors + stack traces (PII redacted) | US |
| PagerDuty | Incident alerting | Metadata on incidents only | US |

Enterprise customers notified 30 days before any material change. DPA template available on request.

Incident response

When something goes wrong, this is what happens.

< 7 min Mean time to detect
< 45 min Mean time to resolve P1
24 / 7 On-call paging via PagerDuty
Quarterly Tabletop + DR exercises

0 – 15 min

Detection + triage

Automated alerting (Datadog + PagerDuty). On-call engineer acknowledges within 15 minutes. Severity triaged P1 / P2 / P3 / P4.

15 – 60 min

Containment + communication

P1 containment deployed within 60 minutes. Status page updated. Affected operators notified via email + Slack.

1 – 24 hours

Resolution + monitoring

Fix deployed, monitoring confirms resolution. Affected operators receive all-clear notification.

72 hours

Post-incident review

Internal PIR. Root cause, timeline, impact, corrective actions documented. Customer-facing summary for material incidents.

Per-incident

Regulatory notification

GDPR 72-hour breach rule, CCPA 30-day, card network timeframes. Coordinated with operator legal teams when relevant.

Offensive testing

Continuous security validation

Quarterly 3rd-party pentest
Daily Snyk + Dependabot
Weekly DAST on staging
Annual Red-team (social + physical)
  • SAST + secret scanning on every commit
  • Reports under NDA for enterprise customers

Bug bounty

Paid disclosure program

$250 – $15k Bounty range
Q3 2026 HackerOne launch
90-day Safe-harbor timeline
*.multi-flow.pro Scope + orchestration API
  • Hall of fame for valid disclosures
  • Coordinated disclosure for critical findings

Business continuity

Availability targets and what happens if we miss them.

99.95%
Monthly uptime SLO on orchestration API
15 min
Recovery time objective (RTO) for core orchestration
60 sec
Recovery point objective (RPO) for ledger data
35 days
Point-in-time recovery window

Active-active across two AWS regions. Quarterly DR tests. Even in a full multiflow outage your processor keeps taking payments — our failure mode is orchestration lag, not payment failure.

Shared responsibility

What's on us vs. what's on you.

multiflow owns

Our responsibilities

  • Orchestration security + uptime
  • Sub-processor vetting + DPAs
  • Webhook signing + retry
  • Per-entity audit log + retention
  • AWS, network, encryption
  • Incident response coordination
  • SOC 2 · PCI scope · ISO roadmap

Operator owns

Your responsibilities

  • Sub-brand storefront security
  • Processor PCI (handled by Stripe/Square/A.net)
  • Team access · MFA · password hygiene
  • CRM + email data outside multiflow
  • Refund + dispute workflow decisions
  • FTC · FDA · state-level catalog compliance
  • Notifying your own customers

Trust center

Documents + attestations available on request.

SOC 2 Type I report

Available under NDA. Type II in progress.

Penetration test summary

Most recent quarter, under NDA.

PCI-DSS scope memo + SAQ D-SP

Service provider attestation.

DPA template

GDPR + CCPA ready, operator legal review.

Security whitepaper

Full architecture + controls overview. Available without NDA.

Insurance certificates

E&O + cyber liability coverage.

Request packet: security@multi-flow.pro · 48-hour turnaround for enterprise.

Security team ready for your review.

Enterprise + regulated customers get direct access to our security team for RFP responses, questionnaires, and compliance syncs.
