Built for finance teams who need receipts.
We are pre-formation but architecturally serious. Here is exactly what we have today, what is in progress, and what is on the roadmap.
Compliance posture
SOC 2 Type II in progress with a Type I report targeted within the pilot window. GDPR readiness on the roadmap. CCPA, HIPAA, and ISO 27001 are tracked but not yet certified. We will not claim what we have not earned.
Multi-tenant architecture
Postgres row-level security policies, keyed on the tenant ID, on every canonical table. Tenant context is enforced independently at the API layer, the service layer, and the database, so a missed check in one layer does not by itself expose another tenant's rows. No shared mutable state across tenants.
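An added example of the database layer of that design, written for this page and not taken from the product's own schema or migrations. It shows a Postgres row-level security policy keyed on a tenant setting that is bound per transaction, with the policy failing closed when no tenant is bound. The table, column, role and setting names (transactions, app_rw, app.tenant_id) and the UUIDs are assumptions for illustration.

```sql
-- Added example (not the page's own schema or migration code): one canonical
-- table with Postgres row-level security keyed on a per-transaction tenant
-- setting. Table, column, role and setting names are assumptions.

CREATE TABLE transactions (
    id           bigserial   PRIMARY KEY,
    tenant_id    uuid        NOT NULL,
    vendor_id    uuid        NOT NULL,
    amount_cents bigint      NOT NULL,
    created_at   timestamptz NOT NULL DEFAULT now()
);

-- The service connects as a role that cannot bypass RLS and does not own the
-- table. FORCE applies the policies to the owner as well, so a job run as the
-- owner is not a silent hole either. Superusers and BYPASSRLS roles still see
-- everything: never run the application as one.
CREATE ROLE app_rw LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON transactions TO app_rw;
GRANT USAGE ON SEQUENCE transactions_id_seq TO app_rw;

ALTER TABLE transactions ENABLE ROW LEVEL SECURITY;
ALTER TABLE transactions FORCE ROW LEVEL SECURITY;

-- A row is readable (USING) or writable (WITH CHECK) only when its tenant_id
-- equals the tenant bound to the current transaction. current_setting(..., true)
-- returns NULL instead of raising when the setting was never set, and NULLIF
-- maps the empty string left behind after a finished SET LOCAL to NULL too.
-- NULL never compares equal, so a missing tenant context matches zero rows
-- rather than every row: the policy fails closed.
CREATE POLICY tenant_isolation ON transactions
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Everything below runs in a session connected as app_rw.
-- Per request, the API layer binds the tenant inside the transaction with
-- SET LOCAL, so the value dies with the transaction and cannot leak to the
-- next request that reuses the pooled connection. From application code use
-- set_config('app.tenant_id', $1, true) so the tenant ID is a bound parameter.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-4111-8111-111111111111';
INSERT INTO transactions (tenant_id, vendor_id, amount_cents)
VALUES ('11111111-1111-4111-8111-111111111111',
        'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 12500);
-- Writing a row tagged with another tenant is rejected by WITH CHECK with a
-- row-level security policy violation, even though the INSERT privilege exists:
--   INSERT INTO transactions (tenant_id, vendor_id, amount_cents)
--   VALUES ('22222222-2222-4222-8222-222222222222',
--           'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', 1);
COMMIT;

-- Tenant B, on the same connection, sees none of tenant A's rows.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-4222-8222-222222222222';
SELECT count(*) FROM transactions;
COMMIT;

-- No tenant bound at all: an empty result, not a full-table dump.
SELECT count(*) FROM transactions;
```

The two things to check in a review of a setup like this are that the application role really carries NOBYPASSRLS (a superuser connection string in a pool silently disables every policy) and that the tenant is set with SET LOCAL or set_config(..., true) inside a transaction, never with a session-level SET, because a pooled connection keeps session settings across requests.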
Tenant isolation primitives
Per-tenant encryption keys, scoped API tokens, signed service-to-service calls, and privileged approval JWTs for sensitive admin actions. Zero-trust deployment templates available for cell-isolation setups.
Audit logs and decision trail
Every authorization decision, every policy change, and every data access is journaled into an append-only audit log with cryptographic linkage: each entry commits to the hash of the entry before it, so a modified, removed, or reordered entry is detectable on verification. Exportable for SOX, SOC 2, or internal review.
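An added example of such a log, written for this page rather than taken from the product: a Postgres audit table made append-only by privileges and a rejecting trigger, hash-chained by a BEFORE INSERT trigger, and verified by a query that recomputes the chain. The table, function and role names (audit_log, audit_entry_hash, audit_writer), the sample entries, and the use of the built-in sha256() (PostgreSQL 11 or later) are assumptions for illustration.

```sql
-- Added example (not the page's own implementation): an append-only audit
-- table whose rows are hash-chained by a trigger, plus the query that
-- verifies the chain. Names are assumptions; needs PostgreSQL 11+ for sha256().

CREATE TABLE audit_log (
    seq         bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    actor       text        NOT NULL,   -- user, service or approval-token subject
    action      text        NOT NULL,   -- e.g. 'authz.decision', 'policy.update', 'data.read'
    detail      jsonb       NOT NULL,
    recorded_at timestamptz NOT NULL DEFAULT clock_timestamp(),
    prev_hash   bytea,                  -- NULL only for the first entry
    entry_hash  bytea       NOT NULL
);

-- One canonical serialisation, used both when writing and when verifying, so
-- the two can never drift apart. jsonb::text is normalised (key order,
-- whitespace) and the timestamp is rendered in UTC with a fixed format, so the
-- hash does not depend on the session's DateStyle or TimeZone.
CREATE FUNCTION audit_entry_hash(prev bytea, seq bigint, tenant_id uuid, actor text,
                                 action text, detail jsonb, recorded_at timestamptz)
RETURNS bytea LANGUAGE sql IMMUTABLE AS $$
    SELECT sha256(
        coalesce(prev, '\x'::bytea)
        || convert_to(seq::text || E'\n' || tenant_id::text || E'\n' || actor || E'\n'
                      || action  || E'\n' || detail::text    || E'\n'
                      || to_char(recorded_at AT TIME ZONE 'UTC', 'YYYY-MM-DD HH24:MI:SS.US'),
                      'UTF8'))
$$;

-- BEFORE INSERT: link the new row to the current chain head. The transaction-
-- scoped advisory lock serialises writers; without it two concurrent inserts
-- could both read the same head and fork the chain.
CREATE FUNCTION audit_log_chain() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
    head bytea;
BEGIN
    PERFORM pg_advisory_xact_lock(hashtext('audit_log_chain'));
    SELECT entry_hash INTO head FROM audit_log ORDER BY seq DESC LIMIT 1;
    NEW.prev_hash  := head;
    NEW.entry_hash := audit_entry_hash(head, NEW.seq, NEW.tenant_id, NEW.actor,
                                       NEW.action, NEW.detail, NEW.recorded_at);
    RETURN NEW;
END
$$;
CREATE TRIGGER audit_log_chain_trg
    BEFORE INSERT ON audit_log FOR EACH ROW EXECUTE FUNCTION audit_log_chain();

-- Append-only: the writer role gets no UPDATE/DELETE/TRUNCATE privilege, and a
-- statement-level trigger refuses them even for roles that have it. A table
-- owner or superuser can still drop the trigger; the chain is what makes that
-- tampering visible afterwards rather than preventing it.
CREATE FUNCTION audit_log_reject() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % rejected', TG_OP;
END
$$;
CREATE TRIGGER audit_log_reject_trg
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_reject();
CREATE ROLE audit_writer LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT ON audit_log TO audit_writer;
GRANT USAGE ON SEQUENCE audit_log_seq_seq TO audit_writer;

-- Sample entries (constructed for this example).
INSERT INTO audit_log (tenant_id, actor, action, detail) VALUES
  ('11111111-1111-4111-8111-111111111111', 'svc:ledger', 'authz.decision',
   '{"resource": "transactions", "verb": "read", "allowed": true}'),
  ('11111111-1111-4111-8111-111111111111', 'user:cfo',   'policy.update',
   '{"policy": "approval_threshold_cents", "old": 500000, "new": 250000}');

-- Verification: recompute every entry from its predecessor and report the
-- first sequence number where the stored and recomputed values disagree. An
-- empty result means the chain is intact. Any edited, deleted or reordered row
-- breaks the comparison at that row and every row after it; the one change
-- this cannot see is removal of the newest rows (see the note below).
SELECT seq
FROM (
    SELECT seq, prev_hash, entry_hash,
           lag(entry_hash) OVER (ORDER BY seq) AS expected_prev,
           audit_entry_hash(lag(entry_hash) OVER (ORDER BY seq), seq, tenant_id,
                            actor, action, detail, recorded_at) AS recomputed
    FROM audit_log
) chained
WHERE prev_hash IS DISTINCT FROM expected_prev
   OR entry_hash <> recomputed
ORDER BY seq
LIMIT 1;
```

A hash chain proves integrity of everything up to its head but not that the head is still there: truncating the tail leaves a perfectly valid shorter chain. The usual fix, and my suggestion rather than anything the page states, is to periodically copy the latest (seq, entry_hash) pair to a store the database role cannot write (a separate account, a WORM bucket, or the exported review bundle itself), so a verifier can check that the log still reaches that anchor.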
Data residency and retention
US data residency by default with EU residency on request (Enterprise). Tenant-controlled retention policies. The default is 7 years for transaction data, 2 years for derived signals.
Opt-in shared fraud graph
You opt in or you do not. When you opt in, only k-anonymized vendor aggregates leave your tenant: per-vendor statistics released only for groups large enough that no single contributor can be singled out. Never raw transactions. Never user identifiers. Never amounts. The graph improves detection for everyone who participates.
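An added example of what such an export boundary can look like in SQL, written for this page and not the product's own export job. It defines the only view an opted-in tenant's data is read through, releases a (vendor, week) cell only when at least K distinct users contributed to it, and carries a schema-level check that no identifier or amount column can slip into the exported shape. The tables (tenant_settings, transaction_signals), the view name, the setting app.tenant_id, the constructed sample rows, and the threshold K = 10 are all assumptions for illustration.

```sql
-- Added example (not the page's own export job): the query that produces the
-- only data allowed to leave an opted-in tenant, a per-vendor aggregate
-- released solely for groups of at least K distinct users. Table, column and
-- setting names, and K = 10, are assumptions for illustration.

CREATE TABLE tenant_settings (
    tenant_id          uuid    PRIMARY KEY,
    fraud_graph_opt_in boolean NOT NULL DEFAULT false   -- off unless the tenant turns it on
);

-- Derived per-transaction signals. user_id and amount_cents exist here but
-- never appear in the exported view below, not even as sums or averages.
CREATE TABLE transaction_signals (
    transaction_id bigint  PRIMARY KEY,
    tenant_id      uuid    NOT NULL,
    vendor_id      uuid    NOT NULL,
    user_id        uuid    NOT NULL,
    amount_cents   bigint  NOT NULL,
    flagged        boolean NOT NULL,   -- fraud/dispute signal on this transaction
    occurred_on    date    NOT NULL
);

-- Suppression rule: a (vendor, week) cell is released only when at least K
-- distinct users contributed to it. Cells below K are dropped entirely rather
-- than rounded, and the transaction count is the only magnitude exported.
-- The opt-in flag and the exporting tenant's own context are both required.
CREATE VIEW shared_vendor_aggregates AS
SELECT s.vendor_id,
       date_trunc('week', s.occurred_on)::date AS week_start,
       count(*)                                AS txn_count,
       round(avg(s.flagged::int)::numeric, 2)  AS flagged_rate
FROM transaction_signals s
JOIN tenant_settings t ON t.tenant_id = s.tenant_id
WHERE t.fraud_graph_opt_in
  AND s.tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid
GROUP BY s.vendor_id, week_start
HAVING count(DISTINCT s.user_id) >= 10;

-- Sample rows (constructed): at tenant 1, vendor A has 12 distinct users in
-- the week of 2024-03-04 and vendor B only 3, so only vendor A's cell can
-- appear in the export.
INSERT INTO tenant_settings VALUES ('11111111-1111-4111-8111-111111111111', true);
INSERT INTO transaction_signals
SELECT g, '11111111-1111-4111-8111-111111111111', 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa',
       ('00000000-0000-4000-8000-' || lpad(g::text, 12, '0'))::uuid,
       1000 * g, g % 4 = 0, DATE '2024-03-04'
FROM generate_series(1, 12) g;
INSERT INTO transaction_signals
SELECT 100 + g, '11111111-1111-4111-8111-111111111111', 'bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb',
       ('00000000-0000-4000-8000-' || lpad(g::text, 12, '0'))::uuid,
       500, false, DATE '2024-03-04'
FROM generate_series(1, 3) g;

-- Export as the opted-in tenant: vendor A's weekly cell only; vendor B is suppressed.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-4111-8111-111111111111';
SELECT * FROM shared_vendor_aggregates;
COMMIT;

-- Schema gate the export job should evaluate before shipping anything: the
-- exported shape must contain no column whose name suggests an identifier or
-- an amount. A later edit to the view that adds such a column fails this check.
SELECT count(*) = 0 AS no_identifiers_or_amounts
FROM information_schema.columns
WHERE table_name = 'shared_vendor_aggregates'
  AND column_name ~ '(user|account|email|amount|cents)';
```

A per-cell threshold like this gives k-anonymity for one release. It does not by itself protect against differencing across releases (re-running the export after a single new transaction, or comparing overlapping windows), so a real export job also needs to fix the release schedule and window boundaries; that caveat is a general property of threshold suppression, not something the page describes.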
Want a security review?
We will walk your security and compliance team through architecture, data flows, and incident response. Bring your hardest questions.