Security

Your Protection Is Our Priority

Transparent, verifiable security practices

How We Protect You

At EconChangers, security is not a marketing claim — it is a set of specific, auditable practices. This page describes exactly how we protect your data, your identity, and your investments. We believe you deserve to know the details.

SEC Reg CF CompliantTLS 1.3 EncryptedIdentity Protected

Data Encryption

In Transit

TLS 1.3

All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest transport layer security protocol. This prevents eavesdropping and tampering during transmission.

At Rest

Encrypted at Rest

Your data is stored in databases with provider-managed encryption at rest. Our infrastructure partner encrypts stored data to ensure it remains protected even in storage.

Secrets Management

Encrypted Vault

API keys, credentials, and sensitive configuration are stored in encrypted environment secrets, never in source code. Access is restricted by environment (development, production).

Authentication & Access Control

Centralized Identity via EconChangers

OAuth 2.0 / OIDC

FlockTank uses OAuth 2.0 / OpenID Connect via EconChangers as the sole identity provider. Your credentials are managed by EconChangers — FlockTank never stores passwords. This centralized approach means one secure account across all EconChangers properties.

Multi-Factor Authentication

TOTP + Passkeys

EconChangers supports multi-factor authentication including time-based one-time passwords (TOTP), passkeys, and recovery codes. MFA adds a critical second layer of protection to your account.

Role-Based Access Control

RBAC

Access to features and data is governed by your role (investor, entrepreneur, business owner, expert, admin). Each role has specific permissions, ensuring you only access what is appropriate for your account type.

Session Management

SSO / SLO

Sessions are managed with secure, httpOnly cookies. Active sessions are monitored in real time, and revocation propagates instantly via back-channel logout. Single sign-out ensures logging out of any EconChangers property ends your session everywhere. You can view and revoke active sessions through EconChangers.

Authentication Details

FlockTank delegates all authentication to EconChangers using industry-standard protocols. Below is a summary of how our authentication system works for transparency and security evaluator reference.

OAuth 2.0 Flow

1.Authorization Code + PKCE — FlockTank uses the Authorization Code flow with Proof Key for Code Exchange, the most secure OAuth 2.0 flow for web applications
2.Redirect URI Validation — Only pre-registered redirect URIs are accepted, preventing open redirect attacks
3.State Parameter — CSRF protection via cryptographically random state values on every authorization request

Token & Session Policy

Token Rotation — Refresh tokens are rotated on use; old tokens are invalidated to limit the window of exposure
Session Revocation — Sessions can be revoked from EconChangers at any time. Revocation propagates to all connected properties including FlockTank
Scopes — FlockTank requests only the minimum necessary scopes (profile, email, identity) following the principle of least privilege

CORS Policy

FlockTank operates under the shared econchangers.com parent domain, so all OAuth and SSO flows are same-site — eliminating cross-site cookie issues across browsers. Cross-origin requests are restricted to known EconChangers domains, and API endpoints do not accept credentials from unauthorized origins.

Infrastructure Security

Security Headers

CSP + HSTS

Responses include Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers to protect against common web vulnerabilities.

Rate Limiting

Multi-Layer

API endpoints are protected by multi-layer rate limiting to prevent abuse, brute-force attacks, and denial-of-service attempts. Limits are enforced per-IP and per-user.

Bot Prevention

Cloudflare Turnstile

Key forms and sensitive actions use Cloudflare Turnstile, a privacy-preserving challenge platform that helps prevent automated abuse without intrusive CAPTCHAs.

File Upload Validation

Multi-Check

Uploaded files undergo validation including type checking, size limits, and content verification to help prevent malicious file uploads.

Input Validation

Zod Schemas

User input is validated server-side using Zod schemas before processing. This helps prevent injection attacks, data corruption, and supports data integrity across the application.

Environment Separation

Isolated Environments

Development and production environments use separate databases, OAuth client credentials, API keys, and webhook endpoints. Demo environments cannot trigger real financial workflows such as KYC verification, escrow transactions, or payment processing.

Compliance & Auditing

SEC Regulation CF

Reg CF Compliant

FlockTank operates under SEC Regulation Crowdfunding (Reg CF). Investment limits are enforced server-side based on investor income and net worth, ensuring full regulatory compliance.

Audit Logging

Comprehensive Logs

Sensitive operations — including authentication events, investment actions, campaign changes, and administrative actions — are logged with timestamps, user identifiers, and contextual details for compliance and forensic purposes.

Identity Verification (KYC/KYB)

Third-Party KYC

Investor and business identity verification is conducted through our certified third-party partner. Documents are processed by the verification provider — FlockTank minimizes direct handling of sensitive identity documents.

Data Retention

Per SEC Requirements

Investment records and related compliance data are retained per SEC requirements. Our privacy policy details retention periods and your rights regarding your personal data.

Incident Response

We maintain a defined incident response process to quickly identify, contain, and remediate security events. Here is what you can expect from us if an incident occurs.

72 Hours

Maximum time to notify affected users after a confirmed data breach

48 Hours

Maximum time to acknowledge a reported security vulnerability

5 Days

Maximum business days to provide an initial assessment of a reported issue

Our Process

Identify and classify the incident severity
Contain the issue to prevent further impact
Investigate root cause and affected scope
Remediate the vulnerability and restore services
Notify affected users with clear, actionable guidance
Conduct post-incident review and apply lessons learned

Communication

Affected users will be notified via email with details about the incident, what data was involved, and recommended actions
We will provide regular updates until the incident is fully resolved
Public disclosure will follow responsible disclosure timelines after remediation
Post-incident reports will be shared with affected parties as appropriate

Vulnerability Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue, we encourage you to report it responsibly. We appreciate your help in keeping our platform and users safe.

How to Report

Email security@econchangers.com
Include a detailed description of the vulnerability, steps to reproduce, and any proof-of-concept
Allow reasonable time for us to investigate and address the issue before public disclosure

Our Commitment

We will acknowledge your report within 48 hours
We will provide an initial assessment within 5 business days
We will not take legal action against good-faith security researchers
We will credit researchers who help us improve our security (with permission)

In Scope

Authentication and authorization flaws, data exposure, injection vulnerabilities, cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), and any issue that could compromise user data or platform integrity across flocktank.econchangers.com and related EconChangers properties.

Third-Party Security

Dependency Scanning

Automated

We use automated vulnerability scanning to monitor our software dependencies for known security issues. Critical vulnerabilities are patched promptly.

Security Reviews

Regular Reviews

Our codebase undergoes regular security reviews covering authentication flows, data handling, API security, and infrastructure configuration.

Responsible Disclosure

Safe Harbor

We support responsible security research. Our vulnerability disclosure program welcomes reports from the security community with commitments to acknowledgment, assessment timelines, and safe harbor protections.

Questions About Security?

If you have questions about our security practices or want to report a concern, we are here to help.

Contact Security Team General Contact

Loading content...