Security One-Pager
Quick-reference for vendor risk assessments. Everything procurement needs, on one page.
Technical Controls (control: technology; detail)
Data Isolation: Postgres RLS; per-issuer policies on every table.
Encryption at Rest: AES-256-GCM; per-issuer keys, HSM-backed (FIPS 140-3).
Encryption in Transit: TLS 1.3; HSTS enforced, mTLS for internal RPCs.
Authentication: WebAuthn / FIDO2; JWT sessions, refresh-token rotation, MFA for admin.
AI for MNPI: Vertex AI VPC; customer-isolated, no training, no third-party access.
AI for Public Data: Gemini API; maximum accuracy on public-record documents.
Audit Trail: Immutable; append-only, before/after snapshots, IP + timestamp.
Forward Secrecy: ML-KEM Hybrid; optional post-quantum mode for Enterprise.
Compliance Posture (item: status)
SOC 2 Type II: In progress; evidence available under NDA.
GDPR: Processor role, SCCs available.
CCPA / CPRA: Compliant, no sale of data.
Subprocessors: Vercel · Supabase · GCP · Resend · Sentry.
Hosting region: United States (multi-AZ).
Data residency: US default, EU available on Enterprise.
Breach notification: 72 hours from confirmed identification.
Penetration testing: Annual, third-party.
BCP / DR: RPO 24h · RTO 4h, documented runbook.
Need More?
SOC 2 evidence package available under NDA.
Standard security questionnaire response, architecture diagrams, subprocessor list, incident-response runbook, and the signed Attestation Letter.