Security

Last updated: February 13, 2026

At fliMessage, security is foundational to everything we build. When you trust us with your travel plans and personal information, we take that responsibility seriously.

Data Encryption

  • In transit: All data is encrypted using TLS 1.2+ (HTTPS) between your device and our servers.
  • At rest: Sensitive data including payment information and personal details are encrypted using AES-256.
  • SMS messages: Transmitted through Twilio's secure infrastructure with carrier-grade encryption.

Payment Security

fliMessage never stores your full credit card numbers on our servers. All payment processing is handled by PCI DSS Level 1 compliant partners. Card data is tokenized at the point of entry and we only retain secure tokens for transaction processing.

Infrastructure

  • Hosted on SOC 2 Type II compliant cloud infrastructure
  • Automated backups with geographic redundancy
  • DDoS protection and web application firewall (WAF)
  • Continuous monitoring and automated alerting for anomalies
  • Regular penetration testing and vulnerability scanning

Access Controls

  • Role-based access control (RBAC) for all internal systems
  • Multi-factor authentication required for all team members
  • Principle of least privilege: team members only access data necessary for their role
  • Audit logging on all access to customer data

SMS Security

We are registered with The Campaign Registry (TCR) for A2P 10DLC messaging compliance. Our messaging practices follow CTIA guidelines and TCPA regulations. We never send unsolicited messages and maintain strict opt-in/opt-out protocols.

  • All SMS sent through verified, registered phone numbers
  • STOP/HELP keyword processing handled automatically
  • No sharing of phone numbers with third-party marketers
  • Message content never includes sensitive data like full card numbers

Data Handling

  • Personal data is only collected for the purposes described in our Privacy Policy
  • Data retention policies ensure we only keep data as long as necessary
  • Account deletion requests are processed within 30 days
  • We do not sell personal data to third parties

Incident Response

We maintain a documented incident response plan. In the unlikely event of a data breach, we will notify affected users and relevant authorities within 72 hours, in compliance with applicable regulations including the CCPA/CPRA.

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly to hello@flimessage.com. We appreciate the security research community and will acknowledge valid reports promptly.

Questions

For security-related questions, contact us at hello@flimessage.com.