Security & Compliance

Enterprise-grade security for sensitive financial data

We handle Social Security Numbers and financial data for regulated institutions. Security isn't a feature. It's the foundation of everything we build.

Compliance Certifications

SOC 2 Type II (Roadmap)

Pre-SOC 2, targeting 2026. Systems and processes are built to SOC 2 standards.

Built to GLBA Standards

Information security program designed to Gramm-Leach-Bliley Act standards for financial data protection

CCPA Ready

California Consumer Privacy Act compliance for data subject rights

Technical Security

How we protect your data

SSN Encryption

Social Security Numbers are encrypted with AES-256-GCM at rest. SSNs are decrypted only at DMDC lookup time and immediately zeroed from memory after use. SSNs are never logged or stored in plaintext.

Data in Transit

All data transmitted over TLS 1.3. HSTS enforced. API requests authenticated with short-lived JWT tokens.

Access Controls

Role-based access control with audit logging. Session timeout after 30 minutes of inactivity. Secure, HTTP-only session cookies in production.

Audit Trail

Every action logged with timestamp, user, IP address, and before/after values. Append-only audit design with logs retained for 7 years.

Infrastructure Security

US-based cloud infrastructure with network isolation. Database encryption at rest. Automated vulnerability scanning. Monitoring and alerting. Automated daily backups with disaster recovery.

Security Testing

Internal security assessment completed with all findings resolved. Continuous vulnerability scanning. Responsible disclosure policy: contact security@civrel.io.

Operational Security

Security is a culture, not just technology

Our team follows strict operational security practices to ensure your data stays protected at every level.

  • Background checks for all employees with data access
  • Security awareness training quarterly
  • Principle of least privilege for system access
  • Encrypted laptops with remote wipe capability
  • Vendor security assessments before integration
  • Incident response plan with 24-hour notification SLA

Data Residency

Your data stays in the United States

All data is stored and processed in US-based data centers. We do not transfer data internationally. For Enterprise customers, we offer dedicated infrastructure options.

US-East (Primary)

Primary data center in Virginia

Automated Backups

Daily automated backups with 7-day retention

No International Transfer

Data never leaves US soil

Need our security documentation?

We provide security architecture documentation and security questionnaire responses to qualified prospects.