Security & Compliance
We run the money layer. Security is the product.
Subcontractor Audit operates inside financial-services posture. Below is the public snapshot of controls, subprocessors, and roadmap milestones. For engagement diligence we provide a complete security packet under NDA.
Roadmap
SOC 2 Type II in progress.
Readiness assessment underway with an independent auditor. Targeting Type II attestation within the current calendar year. Customers on active engagements receive progress updates.
Controls.
Encryption at rest
AES-256 on every document and ledger entry. Object storage keys rotated on a scheduled cadence. Database backups encrypted with a separate KMS-managed key.
Encryption in flight
TLS 1.3 enforced across every ingress, including internal service traffic. HSTS preload and certificate pinning on the operator console.
Data residency
All customer data stored in US regions. No cross-border replication by default. Regional isolation available for enterprise engagements.
Least privilege access
Role-based access controls across operator, GC, sub, owner, and lender tiers. Session audit logs retained for seven years. Quarterly access reviews.
Four-eyes money movement
Every disbursement requires independent initiation and approval. Threshold-based escalation adds a third reviewer on high-value transactions.
Penetration testing
Annual third-party penetration test plus continuous internal vulnerability scanning. Findings triaged against a published SLA.
Subprocessors.
Vendors with access to customer data. Each is bound by a data processing agreement and reviewed on an annual cadence.
| Vendor | Purpose | Region |
|---|---|---|
| Modern Treasury | Payment orchestration, ACH and wire rails | US |
| Plaid | Bank account verification and balance signals | US |
| Cloudflare R2 | Document and evidence object storage | US |
| Resend | Transactional email for magic-link and notification | US / EU |
| Anthropic | AI-assisted document extraction (no data used for training) | US |
Questions from security or legal?
Reach our security team directly at [email protected].
Start a diligence conversation