Updated March 2026

The compliance pack — ready in one business day

Legal opinion, SOC 2, pen tests, attestations, DPA. Request under mutual NDA; receive a dataroom link with every document you need to close an eval.

What's in the pack

Everything your compliance, legal, and security reviewers typically ask for in week one. If an artifact is not listed here, ask — we'll either send it or explain why it doesn't apply.

Cayman legal opinion

From our Cayman counsel, covering SPV structure bankruptcy remoteness, trust-like shareholding and independent director arrangement, note holder entitlements, and MiCA interplay.

Custody letter

Written statement from our qualified custodian detailing asset segregation, rehypothecation policy, and insurance coverage.

SOC 2 Type II report

Full attestation across Security, Availability, and Confidentiality trust services criteria. Type II report is in progress; Type I report available today.

Penetration test reports

Most recent external pen tests across the API, dashboard, and onchain contracts. Executive summary and remediation status included.

Smart contract audits

Reports from Sherlock, Hellborn, and Cantina covering mint/redeem, borrow, bridge, and fee collection contracts.

DPA + sub-processor list

Standard Data Processing Agreement, list of sub-processors, and our approach to data residency and deletion.

AML / KYC policy

Our issuer-level customer identification program, sanctions screening approach, suspicious activity escalation path.

Proof of reserves methodology

How we generate the Merkle root, attestation cadence, and the delta between broker books and onchain supply.

How the request works

Four steps, one business day end-to-end. We've streamlined this because most fintech compliance reviews stall on artifact access, not on content.

  1. 01

    Email us the request

    Tell us who you are, which artifacts you need, and what you're evaluating Flo for. Include a name + company from your company domain.

  2. 02

    Countersign the NDA

    Mutual NDA, no exotic clauses. If you need your own paper, we'll sign yours — typically within a few hours.

  3. 03

    Receive the pack

    Time-bound dataroom link with watermarking. Artifacts are versioned by ID — what you download matches what's listed on our Reports page.

  4. 04

    Follow-up call (optional)

    30 minutes with our compliance lead or our founder to walk through anything that's unclear. We prefer this over long email threads.

What you can see today — no NDA

Not everything requires an NDA. These are public and link directly from our Trust pages.

Proof of reserves

Live Merkle root, onchain supply, and broker-book parity — all verifiable yourself.

Open reserves →

Security overview

Audits, $500K bug bounty, MPC custody model, SOC 2 status, and incident response.

Read security →

Reports & artifacts

Monthly attestations, public audit reports, and artifact IDs you can cite in your own review.

Browse reports →

Request the compliance pack

Email compliance@flo.finance.

Include your company name, your role, the artifacts you need, and the deadline. Expect a reply within one business day. For anything urgent — active eval, open RFP — say so in the subject line.

Trust overviewBook 30 min with founder