Security
How we protect accounts and payments, how you can protect yourself, and how to report a vulnerability.
1. Our Approach to Security
Funded with Flow L.L.C. (Funded with Flow, the Platform, we, us) takes the security of our platform and our users seriously. This Security Statement describes security controls we have in place and the steps you can take to help protect your account.
This statement describes our practices in good faith and reflects only controls we can confirm. It is not a warranty or guarantee of security, and no method of transmission or storage is perfectly secure.
2. Account Protection and Your Responsibility
Protecting your account is a shared effort, and your actions matter. We recommend that you:
- Use a strong, unique password that you do not reuse on other services;
- Keep your credentials confidential and never share them;
- Sign out when using shared or public devices; and
- Promptly report any suspected unauthorized access.
You are responsible for maintaining the confidentiality of your credentials and for activity that occurs under your account.
3. Encrypted Connections and Session Security
Traffic to and from the Platform is protected in transit using TLS/HTTPS, delivered through our content-delivery and edge provider. This helps protect data as it travels between your device and the Platform.
Authenticated access uses session cookies. We apply protections appropriate to session-cookie authentication to help guard your signed-in session.
4. API and MCP Key Safety
API and MCP keys are handled with safeguards designed to limit risk:
- Keys are stored as cryptographic hashes (HMAC), never in plaintext, and are shown only once at creation;
- Keys are scoped to your own account, with read-only access by default and trade-execution permission gated behind opt-in controls;
- Keys are revocable and rate-limited.
You are responsible for keeping your keys secret, rotating them periodically, and revoking any key that may have been exposed. See our API Terms and AI, MCP & Automation Terms for details.
5. Secure Payment Handling
Card payments are processed by Stripe, our payment processor. Stripe handles cardholder data, and PCI compliance for card processing is Stripe's responsibility. The Platform does not store full payment card numbers. Please review Stripe's practices for details on how card data is handled.
6. Monitoring and Audit Logging
We log and monitor activity across the Platform, including authentication events and API/MCP access, to help detect, investigate, and respond to security incidents and misuse. Logs are retained for safety, debugging, security, and compliance purposes.
7. Administrative Access Controls
Administrative access to the Platform is role-restricted and limited to authorized personnel based on their role. Administrative actions are subject to audit logging to support accountability and incident investigation.
8. Reporting a Security Concern
If you discover a potential vulnerability or security issue, please report it responsibly to [email protected].
When reporting, please include enough detail for us to reproduce and assess the issue, and avoid accessing, modifying, or destroying data that does not belong to you. We appreciate good-faith reports and will review them promptly.
9. User Security Best Practices
To help keep your account secure, we recommend that you:
- Use a strong, unique password and a reputable password manager;
- Keep your devices, browsers, and operating systems up to date;
- Be alert to phishing and never enter your credentials on untrusted sites;
- Sign out on shared or public devices;
- Grant API/MCP scopes only as needed and revoke unused keys; and
- Test automation in paper mode before enabling any trade-execution permission.