Trust & Security
FlowTrace Security
We protect accounts, case data, and payment state with least privilege, encrypted transport, server-side authorization, and auditable administrative controls.
Account and case protection
Web sessions use Secure, HttpOnly cookies, and state-changing requests validate both CSRF tokens and Origin. Case and export ownership is enforced server-side, while administrative access also requires time-limited TOTP MFA.
Payments and custody boundary
Payment webhooks must pass provider signature and order validation before membership changes. FlowTrace does not store private keys, custody customer assets, or recover funds on a customer’s behalf.
Vulnerability reporting
Report potential security issues to [email protected] with reproduction steps, affected URLs, and likely impact. Do not access, download, or alter data that does not belong to you.