Security & Compliance

Enterprise-grade security for sensitive financial data

We handle Social Security Numbers and financial data for regulated institutions. Security isn't a feature—it's the foundation of everything we build.

Compliance Certifications

SOC 2 Type II

Annual audit of security, availability, and confidentiality controls

GLBA Compliant

Meets Gramm-Leach-Bliley Act requirements for financial data protection

CCPA Ready

California Consumer Privacy Act compliance for data subject rights

Technical Security

How we protect your data

SSN Encryption

Social Security Numbers are encrypted with AES-256-GCM at rest. SSNs are decrypted only at DMDC lookup time and immediately zeroed from memory after use. SSNs are never logged or stored in plaintext.
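The handling described above, as an added illustration rather than the company's own code: an SSN is sealed with AES-256-GCM for storage, opened only for the duration of a lookup callback, zeroed afterwards, and masked before any line reaches a log. The 32-byte key, the nonce-prefixed record layout and the lookup callback are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
)

// newGCM enforces a 32-byte key so the mode is AES-256-GCM, not AES-128-GCM.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { return nil, errors.New("AES-256 key must be 32 bytes") }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// SealSSN encrypts one SSN for storage. Output is nonce || ciphertext || tag, so
// each record carries its own random nonce (a nonce must never repeat per key).
func SealSSN(key []byte, ssn string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, []byte(ssn), nil), nil
}

// WithSSN decrypts only for the duration of use (the lookup call), then zeroes
// the plaintext. Zeroing is best effort: the runtime may have copied the bytes.
func WithSSN(key, sealed []byte, use func(ssn []byte) error) error {
	gcm, err := newGCM(key)
	if err != nil { return err }
	ns := gcm.NonceSize()
	if len(sealed) < ns { return errors.New("sealed value too short") }
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil { return err } // tag check failed: wrong key or tampered record
	err = use(plain)
	for i := range plain { plain[i] = 0 }
	return err
}

// RedactSSNs masks SSN-shaped values so they never reach a log sink.
func RedactSSNs(line string) string {
	return regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`).ReplaceAllString(line, "***-**-****")
}
```

A tampered record or a wrong key fails the GCM tag check inside WithSSN before the callback ever sees plaintext.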

Data in Transit

All data transmitted over TLS 1.3. HSTS enforced. Certificate pinning for mobile applications. API requests authenticated with short-lived JWT tokens.

Access Controls

Role-based access control with audit logging. Multi-factor authentication required for all accounts. Session timeout after 15 minutes of inactivity.

Audit Trail

Every action logged with timestamp, user, IP address, and before/after values. Immutable audit logs retained for 7 years. Tamper-evident storage.

Infrastructure Security

Hosted on AWS with VPC isolation. Database encryption at rest. Automated vulnerability scanning. 24/7 monitoring and alerting. Disaster recovery with RPO < 1 hour.

Penetration Testing

Annual third-party penetration tests. Continuous vulnerability scanning. Bug bounty program for responsible disclosure.

Operational Security

Security is a culture, not just technology

Our team follows strict operational security practices to ensure your data stays protected at every level.

  • Background checks for all employees with data access
  • Security awareness training quarterly
  • Principle of least privilege for system access
  • Encrypted laptops with remote wipe capability
  • Vendor security assessments before integration
  • Incident response plan with 24-hour notification SLA

Data Residency

Your data stays in the United States

All data is stored and processed in AWS US regions. We do not transfer data internationally. For Enterprise customers, we offer dedicated infrastructure options.

US-East (Primary)

Primary data center in Virginia

US-West (DR)

Disaster recovery in Oregon

No International Transfer

Data never leaves US soil

Need our security documentation?

We provide SOC 2 reports, penetration test summaries, and security questionnaire responses to qualified prospects.