Certifications & attestations
- PCI DSS Level 1: Audited annually. Zero exceptions on our most recent report.
- SOC 2 Type II: Continuous attestation across security, availability, confidentiality.
- GDPR / UK-GDPR: EU + UK data residency. DPAs available on every plan.
- HIPAA: Available on Enterprise. BAA executed at signing.
Card data & tokenization
We never see raw card data. PANs are tokenized inside a hosted iframe sandboxed from your storefront's JavaScript. Tokens are scoped per processor and per merchant ID: a token issued for one processor cannot be replayed on another.
3DS2 is applied automatically based on issuer signals and our risk model. Step-up is invisible to ~94% of shoppers; the other 6% see a one-tap challenge.
Infrastructure
- AWS us-east-1, eu-west-1, ap-southeast-1; single-tenant VPCs per Enterprise customer if required.
- All data encrypted at rest (AES-256) and in transit (TLS 1.3 minimum).
- Per-tenant KMS keys. You can revoke at any time; we lose access immediately.
- 99.99% uptime SLA on Enterprise. Status page at status.growthflowline.com.
- Hot standby in a second region. RPO ≤ 30s, RTO ≤ 5m.
Access control
SSO via SAML 2.0 + SCIM provisioning on Pro and Enterprise. Audit logs are append-only and retained 90 days (Pro) or indefinitely (Enterprise). Every workspace ships with role-based access controls (Admin, Operator, Finance, Support, Read-only), and you can define custom roles.
Vulnerability disclosure
Security researchers: please email security@growthflowline.com. We respond within one business day, and we scope and reward reports via our private HackerOne program. Safe-harbor terms apply for good-faith research.
The trust portal
Our public trust portal hosts our SOC 2 report, PCI AOC, pen-test summaries, sub-processor list, and the current security questionnaire pre-filled. No NDA required for the summaries. Full reports are available under NDA; request access in one click.