Security and operational discipline are the foundation we build on. Here’s exactly how it works.
All client data is encrypted at rest using AES-256 with rotating keys. In transit, we use TLS 1.3 with HSTS and certificate pinning across all client endpoints. Sensitive fields (such as identification documents) are encrypted at the field level, separately from the main database.
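The field-level encryption described above is usually built as envelope encryption: each sensitive value gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that is held outside the database, and "rotating keys" means rewrapping DEKs under a new KEK rather than re-encrypting every row. The Go program below is an added example of that pattern, not Flovestium's code; the key ids, the row/column label used as associated data and the in-memory KEK map are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedField is what is stored in a database column instead of the
// plaintext. The KEK never touches the database; only the wrapped DEK does.
type EncryptedField struct {
	KEKID      string // which key-encryption key wrapped the DEK (assumed naming scheme)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=KEKID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext, aad=row/column label)
}

// newKey returns 32 random bytes, i.e. an AES-256 key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts under a fresh random nonce and returns nonce || ciphertext+tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to ciphertext, tag or aad fails authentication.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptField generates a per-field DEK, encrypts the value with it and wraps
// the DEK under the named KEK. aad should identify the row and column so a
// ciphertext cannot be copied into another record and still decrypt.
func EncryptField(kekID string, kek, plaintext, aad []byte) (EncryptedField, error) {
	dek, err := newKey()
	if err != nil {
		return EncryptedField{}, err
	}
	ct, err := gcmSeal(dek, plaintext, aad)
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(kekID))
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK with the KEK recorded on the field, then decrypts.
func DecryptField(f EncryptedField, keks map[string][]byte, aad []byte) ([]byte, error) {
	kek, ok := keks[f.KEKID]
	if !ok {
		return nil, fmt.Errorf("no KEK with id %q", f.KEKID)
	}
	dek, err := gcmOpen(kek, f.WrappedDEK, []byte(f.KEKID))
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, f.Ciphertext, aad)
}

// RotateKEK rewraps the DEK under a new KEK. The field ciphertext is untouched,
// so rotation is a small per-row update rather than a re-encryption of the table.
func RotateKEK(f EncryptedField, oldKEK []byte, newID string, newKEK []byte) (EncryptedField, error) {
	dek, err := gcmOpen(oldKEK, f.WrappedDEK, []byte(f.KEKID))
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := gcmSeal(newKEK, dek, []byte(newID))
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{KEKID: newID, WrappedDEK: wrapped, Ciphertext: f.Ciphertext}, nil
}

func main() {
	kek1, _ := newKey()
	kek2, _ := newKey()
	aad := []byte("clients/42/passport_number") // constructed sample row/column label
	f, _ := EncryptField("kek-2024-01", kek1, []byte("X1234567"), aad)
	r, _ := RotateKEK(f, kek1, "kek-2024-07", kek2)
	pt, err := DecryptField(r, map[string][]byte{"kek-2024-07": kek2}, aad)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
}
```

Two checks worth keeping when adapting this: decryption with a different row label must fail (the associated data is what stops a ciphertext being swapped between records), and a rotated field must decrypt only with the new KEK id while its ciphertext bytes stay identical.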
Two-factor authentication is mandatory for every client account. We support TOTP applications (Google Authenticator, Authy, 1Password) as well as hardware security keys via WebAuthn. Recovery is via verified email plus a manual identity check.
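What a server has to do to check a TOTP code from an authenticator app is RFC 6238 over RFC 4226: derive a counter from the current time, compute HMAC-SHA1 over it with the shared secret, truncate to six digits, and compare in constant time. The Go program below is an added example, not Flovestium's verification code; the one-step clock-drift window and the per-account replay guard (never accepting a time step at or before the last accepted one) are assumptions about a sensible policy, not a description of what the page says Flovestium does.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6  // what the apps named on the page display by default
	totpSkew   = 1  // assumed policy: accept one step either side of now for clock drift
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp derives the HOTP counter from Unix time as RFC 6238 does.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/totpStep), digits)
}

// Verifier accepts each time step once per account, so a code captured by a
// phishing page or shoulder-surfed cannot be replayed inside the skew window.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]uint64 // highest accepted step per account (assumed in-memory store)
}

func NewVerifier() *Verifier {
	return &Verifier{lastStep: make(map[string]uint64)}
}

// Verify checks code for user at time now (Unix seconds).
func (v *Verifier) Verify(user string, secret []byte, code string, now int64) bool {
	if len(code) != totpDigits {
		return false
	}
	step := now / totpStep
	v.mu.Lock()
	defer v.mu.Unlock()
	last, seen := v.lastStep[user]
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		cand := step + d
		if cand < 0 || (seen && uint64(cand) <= last) {
			continue // never re-accept a step at or before the last accepted one
		}
		want := hotp(secret, uint64(cand), totpDigits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastStep[user] = uint64(cand)
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 SHA-1 test secret
	v := NewVerifier()
	code := totp(secret, 59, totpDigits)
	fmt.Println("first use:", v.Verify("alice", secret, code, 59))  // true
	fmt.Println("replay:   ", v.Verify("alice", secret, code, 75))  // false
}
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1, 8 digits) are the quickest way to confirm the truncation is right: time 59 must yield 94287082 and time 1234567890 must yield 89005924. Real deployments also rate-limit attempts per account, since a six-digit code with a three-step window is guessable by brute force without it.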
Client capital is held in segregated accounts at regulated prime brokers in tier-1 jurisdictions. The accounts are structurally separated from Flovestium’s operating capital — meaning that even in the unlikely event of a company-level insolvency, client capital remains intact and recoverable.
We are audited annually under SOC 2 Type II by an independent third-party firm. We hold ISO 27001 certification for our information security management system. We are fully GDPR-compliant, with EU-only data residency for client personal data.
We run continuous third-party penetration testing and a public bug bounty programme. Unusual account activity triggers real-time alerts both to the client and to our compliance team. Withdrawal requests above certain thresholds require additional verification.