Security

Bank-grade security, by design.

We hold your most sensitive business and personal data. Here's exactly how we protect it — and how you can verify our claims.

  • SOC 2 Type II: Audited annually
  • GLBA: Financial privacy compliant
  • CCPA / CPRA: California compliant
  • PCI DSS: Tokenized payments

Controls

Six layers of protection.

Encryption everywhere

TLS 1.3 for data in transit. AES-256 for data at rest. Keys rotated quarterly and managed via a hardware security module.

Multi-factor authentication

MFA required on every employee account. Customer accounts support TOTP and WebAuthn passkeys.

Hardened infrastructure

U.S.-only data centers with SOC 2 / ISO 27001 hosting partners. Private VPCs, no public database exposure.

Continuous monitoring

24/7 SIEM with automated alerting. Anomaly detection on logins, data access, and API behavior.

Least-privilege access

Role-based access controls. Quarterly access reviews. Just-in-time elevation for production systems.

Incident response

Tested playbooks, on-call rotation, and contractual breach notification within 72 hours where applicable.

Operational practices

What we do every day.

  • Annual third-party penetration tests with executive summaries available under NDA
  • Quarterly internal vulnerability scans and remediation SLAs
  • Mandatory annual security training for all employees and contractors
  • Vendor security reviews before onboarding any subprocessor
  • Encrypted backups with regular restore testing
  • Production data never copied to staging or developer machines

Responsible disclosure

Found a vulnerability? Tell us.

We welcome reports from independent security researchers. Submit findings to [email protected] with steps to reproduce. We acknowledge within 24 hours and triage within 3 business days. If you act in good faith and within scope, we will not pursue legal action.

  • Acknowledgement: 24 hours
  • Triage: 3 business days
  • Public credit: Hall of Fame

Need our compliance documentation?

SOC 2 Type II report, penetration test summary, and security questionnaires are available to customers and partners under NDA.