1. Our Approach
Cash Flow Optimizer is built around the principle that your business and financial data belongs to you. We protect it using widely adopted industry-standard practices: strong encryption, least-privilege access, continuous monitoring, and reputable cloud infrastructure. This page summarizes those practices in plain language and is meant to be read alongside our Privacy Policy, Terms of Service, and License Agreement.
2. Data Encryption
All customer data is encrypted both in transit and at rest:
- In transit: TLS 1.2 or higher for every connection between your browser and our servers.
- At rest: AES-256 encryption applied to databases, backups, and file storage on managed cloud infrastructure.
- Secrets: API keys and credentials are stored in a managed secret store and never exposed in client-side code.
3. Infrastructure
Cash Flow Optimizer runs on enterprise-grade managed cloud infrastructure operated by reputable providers whose underlying data centers maintain industry certifications such as SOC 2 Type II and ISO 27001. Hosting providers handle physical security, network isolation, and platform-level patching, while we manage our application configuration, access policies, and customer data.
4. Access & Authentication
Access to customer data is restricted to authorized personnel on a need-to-know basis using least-privilege principles.
- Multi-factor authentication (MFA) is supported for all user accounts and strongly recommended.
- Role-based access controls let you decide who on your team can view, edit, or administer specific data.
- Internal access by our team is limited to support, debugging, and operational needs, and is logged.
5. Backups & Availability
Customer data is continuously backed up by our managed infrastructure provider. Backups are encrypted and retained for operational recovery purposes. While we strive for high availability, no online service can guarantee 100% uptime; planned maintenance and unforeseen incidents may briefly affect access.
6. Application Security
- Dependencies are monitored for known vulnerabilities and updated regularly.
- Server-side validation and parameterized queries are used to mitigate common web risks.
- Authentication tokens are scoped, time-limited, and revocable.
- Audit logging captures key account, billing, and administrative events.
7. Your Responsibilities
The strongest platform controls cannot replace good account hygiene. We ask that you:
- Use a unique, strong password and enable MFA on your account.
- Only invite collaborators you trust and remove access promptly when it is no longer needed.
- Keep your devices and browsers up to date.
- Report any suspicious activity in your account immediately.
8. Responsible Disclosure
We welcome reports from security researchers and customers. If you believe you have discovered a vulnerability:
- Submit a report through our Contact page with steps to reproduce.
- Give us a reasonable period to investigate and remediate before any public disclosure.
- Do not access, modify, or exfiltrate data that is not your own, and do not perform testing that could degrade the service for other users.
We will acknowledge valid reports promptly and keep you informed as we investigate.
9. Updates to This Page
Our security practices evolve as the platform grows. We may update this page from time to time and will revise the "Last Updated" date at the top when we do.
10. Contact
Questions about security or this page? Reach us via the Contact page. For privacy questions, see our Privacy Policy.