The compliance pack, ready in one business day
Legal opinion, SOC 2 status, audit reports, attestations, DPA. Request under mutual NDA; receive a dataroom link with every document you need to close an eval.
What's in the pack
Everything your compliance, legal, and security reviewers typically ask for in week one. If an artifact is not listed here, ask, we'll either send it or explain why it doesn't apply.
FMA-approved base prospectus (Liechtenstein)
Base prospectus for the structured-note program, filed with and approved by the Liechtenstein Financial Market Authority (FMA), passportable across the EEA under the EU Prospectus Regulation. Covers governing law (Switzerland), risk factors, and the issuance program.
BVI and Cayman legal opinions
BVI legal opinion covering Flo Global Markets Ltd. as issuer entity, note issuance under the FMA-approved Liechtenstein Base Prospectus, and counterparty AML at the BVI layer. Cayman legal opinion covering Flo Capital SPC structure: bankruptcy remoteness, trust-like shareholding, independent director, note-holder entitlements, and MiCA interplay.
Custody letter
Written statement from our broker-dealer partners (Interactive Brokers and Alpaca Securities) detailing asset segregation, rehypothecation policy, and insurance coverage. Flo is non-custodial at the user layer: users self-custody their tokenized assets in their own wallets.
SOC 2 Type II report
Full attestation across Security, Availability, and Confidentiality trust services criteria. Type II report is in progress; Type I report available today.
Penetration test plan
Scope, scheduled testing windows, and chosen firm for initial and ongoing third-party pen tests across the API, dashboard, and onchain contracts. Executive summaries shareable post-test under NDA.
Smart contract audits
Reports from Sherlock, Halborn, Cantina, and Cyfrin covering mint/redeem, borrow, bridge, and fee collection contracts.
DPA + sub-processor list
Standard Data Processing Agreement, list of sub-processors, and our approach to data residency and deletion.
AML / KYC policy
Our issuer-level customer identification program, sanctions screening approach, suspicious activity escalation path.
Proof of reserves methodology
How we generate the Merkle root, attestation cadence, and the delta between broker books and onchain supply.
How the request works
Four steps, one business day end-to-end. We've streamlined this because most fintech compliance reviews stall on artifact access, not on content.
- 01
Email us the request
Tell us who you are, which artifacts you need, and what you're evaluating Flo for. Include a name + company from your company domain.
- 02
Countersign the NDA
Mutual NDA, no exotic clauses. If you need your own paper, we'll sign yours, typically within a few hours.
- 03
Receive the pack
Time-bound dataroom link with watermarking. Artifacts are versioned by ID, what you download matches what's listed on our Reports page.
- 04
Follow-up call (optional)
30 minutes with our compliance lead or our founder to walk through anything that's unclear. We prefer this over long email threads.
What you can see today, no NDA
Not everything requires an NDA. These are public and link directly from our Transparency pages.
Proof of reserves
Live Merkle root, onchain supply, and broker-book parity, all verifiable yourself.
Open reserves →Security overview
Audits, $250K bug bounty, MPC custody model, SOC 2 status, and incident response.
Read security →Reports & artifacts
Daily attestations, public audit reports, and artifact IDs you can cite in your own review.
Browse reports →Request the compliance pack
Email compliance@flo.finance.
Include your company name, your role, the artifacts you need, and the deadline. Expect a reply within one business day. For anything urgent, active eval, open RFP, say so in the subject line.