Security at Currence

Security and trust are fundamental to everything we do. We design our systems, policies, and operations to safeguard customer data and ensure reliability at every level – from infrastructure to employee practices. 

Infrastructure 

All our services run in the cloud. We do not operate our own routers, load balancers, DNS servers, or physical hardware. 

Services and data are hosted in Amazon Web Services (AWS) facilities in the US only.  

Our infrastructure benefits from the physical, network, and compliance protections AWS provides. Under the AWS Shared Responsibility Model, AWS secures the underlying facilities, hardware, and cloud services, and we are responsible for securing everything we build and configure on top of them. 

All our resources are contained within Virtual Private Clouds (VPCs). Network access control lists (ACLs) and security groups allow only expected traffic to reach our resources, and communication between resources is likewise restricted to the paths each service requires. 

All system activity is logged and auditable, providing visibility and accountability across our infrastructure. 

Automated threat detection services continuously monitor our cloud environment for suspicious activity and unauthorized behavior. 

Data Protection 

Customer data is encrypted at rest using the industry-standard AES-256 algorithm. 

All data sent to or from our systems is encrypted in transit using TLS with 256-bit symmetric ciphers. 

We maintain strict separation between production and test environments – production data is never copied into or used in test environments. 

Credentials and data access keys are stored outside our source code repositories and are available only to the systems that require them. 

Product 

We integrate with Unit Finance for industry-leading banking infrastructure and security. Unit Finance is SOC 2 Type II compliant and audited on an annual basis. 

We use Auth0, an industry leader, for customer user authentication. 

Customer user accounts require two-factor authentication (2FA) and are subject to strong password policies. 

All public-facing APIs are secured using HTTPS to ensure encrypted communication between clients and our servers.  

Access to public-facing APIs is controlled using OAuth 2.0, so only clients and users presenting a valid, appropriately authorized access token can reach protected resources. 

Automated services continuously monitor user activity and application performance.  

A Web Application Firewall (WAF) protects against malicious traffic and common web exploits. 

Organizational Security 

We take a proactive approach to securing our internal systems and workforce. We operate a zero-trust corporate network, and there are no corporate resources or additional privileges granted simply by being on the network. 

All company devices use endpoint protection and encryption to safeguard data. 

Multi-factor authentication (MFA) and strong password policies are enabled across all internal tools, systems, and third-party cloud services to ensure access is protected. 

Access to sensitive systems and data is granted on a least-privilege basis and reviewed regularly. User and administrative actions are logged and auditable. 

Our organizational security practices align with the NIST Cybersecurity Framework 2.0, providing structured risk management and consistent security controls across the company. 

Availability & Reliability 

Our infrastructure is spread across three AWS availability zones and will continue to operate even if one of those zones fails unexpectedly. 

We have a formal Disaster Recovery Plan with failover procedures that are tested periodically. We use a secure, automated backup solution for customer datastores and test backups regularly. 

Automated build and deployment processes allow us to safely and quickly roll out changes while minimizing downtime and risk. 

Our operations are built for resilience, supported by a documented Business Continuity Plan. 

Incident Response Plan 

We have a formal procedure for managing security events and all staff are trained on our security policies. 

When a security event is detected, it is promptly escalated to the appropriate teams, who are mobilized to address it rapidly. 

Following the resolution of a security event, a post-mortem analysis is prepared, reviewed in person, and disseminated across the organization. The analysis includes actionable recommendations to enhance the detection and prevention of similar events in the future. 

Should a security breach affect customer data, we would promptly notify the affected customers in writing, including a description of the breach and the status of our investigation. 

Third-Party Risk Management 

We have a formal Vendor Management Policy to carefully vet and monitor the security practices of our vendors and sub-processors. 

All our critical vendors undergo regular security assessments and maintain independent SOC 2 reports. 

Compliance 

We adhere to industry standards and regulatory requirements to protect our customers and their data. 

Our banking partner, Thread Bank, requires us to undergo an annual, rigorous security and compliance audit conducted by their independent auditor. 

In addition to the safeguards provided by our banking partners, we maintain policies, procedures, and controls to ensure compliance with BSA/AML regulations. 

Our employees are required to complete quarterly cybersecurity training and annual BSA/AML training. 

We conduct background checks on all candidates selected for full-time employment in accordance with local regulations. 

Security Testing 

All our applications undergo annual penetration testing conducted by an independent party. 

An independent party conducts an annual security assessment of our cloud hosting environment.   

All findings are formally documented, remediated, and subsequently retested to ensure resolution. 

Contact Us 

If you have any questions or concerns about our security practices or compliance standing, please contact us at [email protected]. Our team reviews all inquiries and responds promptly.