Security & Compliance

Built to clear your second-line review.

The bar is not 'a good prototype.' The bar is your CISO's checklist, your AML team's monitoring spec, and the CBI inspection your bank actually faces. Here's how we map.

α · PCI-DSS scope: zero

We never touch a primary account number. Settlement happens entirely inside your core banking via an authenticated bank-to-bank API.

β · Customer data minimization

We receive a customer reference token, not their identity. Identity is held by you. Data residency stays in-country.

γ · Cryptography

Mutual TLS to your settlement API. Per-transaction HMAC signatures with rotating keys. AES-256-GCM at rest. HSM-backed key storage.

δ · Auditable transaction log

Every state transition is hash-chained and exportable to your SIEM. Independent reconciliation against vendor receipts within T+1.
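The two mechanisms named under Cryptography and Auditable transaction log above, per-transaction HMAC signatures with rotating keys and a hash-chained log of state transitions, are shown together in the following added example. It is illustrative code written for this page, not the product's own implementation; the key ids, key ring, field names and sample transactions are constructed assumptions. Each entry commits to the hash of its predecessor, is hashed in canonical form, and is then signed with the key identified by its key id, so a verifier holding the key ring can detect edited, deleted or reordered entries and signatures made with a key it does not trust.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key ring: key id -> HMAC key. Rotation is modelled by adding a
# new key id; entries signed under an older id stay verifiable only while
# that key is retained in the ring. Key ids are hypothetical.
KEY_RING = {
    "k-2024-01": secrets.token_bytes(32),
    "k-2024-02": secrets.token_bytes(32),
}

# Anchor for the first entry in the chain.
GENESIS_HASH = "0" * 64


def canonical(entry: dict) -> bytes:
    """Deterministic JSON encoding so hashes are reproducible across exporters."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_transition(log: list, txn_id: str, state: str, key_id: str,
                      key_ring: dict = KEY_RING) -> dict:
    """Append one state transition, chained to the previous entry and HMAC-signed."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {
        "seq": len(log),
        "txn_id": txn_id,
        "state": state,
        "prev_hash": prev_hash,
        "key_id": key_id,          # identifies which rotating key signed this entry
    }
    # The entry hash covers every field above, including prev_hash and key_id.
    entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    # The signature binds the hash to a key the verifier must possess.
    entry["sig"] = hmac.new(key_ring[key_id], entry["hash"].encode(),
                            hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log: list, key_ring: dict = KEY_RING):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        # Ordering and linkage: deleted or reordered entries break seq or prev_hash.
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False, i
        # Integrity: any edited field changes the recomputed hash.
        unsigned = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
        if hashlib.sha256(canonical(unsigned)).hexdigest() != entry.get("hash"):
            return False, i
        # Authenticity: the signature must verify under a key still in the ring.
        key = key_ring.get(entry.get("key_id"))
        if key is None:
            return False, i
        expected = hmac.new(key, entry["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("sig", "")):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def export_jsonl(log: list) -> str:
    """Newline-delimited JSON, one entry per line, suitable for shipping to a SIEM."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in log)


def demo() -> dict:
    """Build a small constructed log and show which tampering the verifier catches."""
    log = []
    append_transition(log, "txn-1", "authorized", "k-2024-01")
    append_transition(log, "txn-1", "captured", "k-2024-01")
    append_transition(log, "txn-2", "authorized", "k-2024-02")
    results = {"intact": verify_chain(log)}

    edited = json.loads(json.dumps(log))        # deep copy via JSON round-trip
    edited[1]["state"] = "reversed"             # silently alter a past transition
    results["edited"] = verify_chain(edited)

    deleted = json.loads(json.dumps(log))
    del deleted[1]                              # drop an entry from the middle
    results["deleted"] = verify_chain(deleted)

    forged = json.loads(json.dumps(log))
    forged[0]["sig"] = "00" * 32                # hash still matches, signature does not
    results["forged"] = verify_chain(forged)

    # Verifier that has retired k-2024-02: entry 2 can no longer be trusted.
    retired = {"k-2024-01": KEY_RING["k-2024-01"]}
    results["retired_key"] = verify_chain(log, key_ring=retired)
    results["export_lines"] = len(export_jsonl(log).splitlines())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The verifier reports the index of the first entry that fails, which is the natural unit for a SIEM alert: everything before that index is still attested, everything from it onward is suspect. Keeping `key_id` inside the hashed fields matters; if it were outside, an attacker who obtained any one key could re-sign an entry and relabel it as coming from a different key without disturbing the chain.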

ε · Operational controls

ISO 27001 aligned. Quarterly penetration testing by an independent firm. SOC 2 Type II in progress, expected Q3.

ζ · AML & sanctions

Per-customer velocity limits, vendor-level concentration limits, daily sanctions list refresh, and screening at authorization, not at capture.

Attestations & frameworks
PCI-DSS · scoped out by design
ISO 27001 · aligned, audit Q4
SOC 2 Type II · in progress
CBI 3rd-party guidance · mapped
GDPR principles · adopted