Program & Readiness

We’re aligning controls with the SOC 2 Trust Services Criteria and bank due-diligence standards.

• Policies & Governance: InfoSec policy suite, vendor risk, secure SDLC, incident response, BCP/DR.
• Evidence Automation: change approvals (git), CI/CD artifacts, access reviews, log retention (≥ 365d).
• Assessments: annual pen-test, quarterly vuln scans, IR drills, DR restore tests.

Authentication & Authorization

• SSO (SAML/OIDC) + mandatory MFA for console; short-lived tokens; refresh rotation.
• Least-privilege RBAC with scoped API keys (e.g., read:balances, read:transactions, admin:audit).
• Granular audit trails: principal, scope, resource, verb, status, latency, IP metadata.

Network & Data Protection

• TLS 1.2+ with modern ciphers; HSTS; webhook signing and replay protection.
• IP allowlists for bank partners; private connectivity options (VPN / private link) when required.
• AES-256 at rest (KMS/HSM); field-level protection; retention + secure deletion workflows.