Work in progress

Security & Compliance

The security your compliance officer demands

Onboarding Express is engineered for institutions where a security lapse is a regulatory event. Every layer — infrastructure, encryption, access control, audit logging — is designed to satisfy your examiner, not just your IT team.

SOC 2 Type II Certified
AES-256 Encryption Standard
ESIGN & UETA: All 50 States
99.9% Uptime SLA

SOC 2 Type II: Active

Independently audited against all five AICPA Trust Service Criteria. Type II means our controls have been tested over time — not just evaluated on paper.

Includes
Annual independent re-audit
Full report available under NDA
Requested by 73%+ of enterprise buyers
ESIGN & UETA: Compliant

All signatures satisfy the four legal requirements of the ESIGN Act and UETA — giving them the same legal standing as handwritten signatures in all 50 states plus DC.

Includes
Tamper-evident document sealing
Full signer intent audit trail
Voice Sign biometric authentication
ISO 27001: In Progress

ISO 27001 certification is underway. Controls gap analysis is complete and our ISMS is in place ahead of the Q3 2026 certification audit.

Status
Gap analysis complete
ISMS documentation in place
Audit scheduled Q3 2026

Infrastructure & Data Security

Bank-level security at every layer

Defense-in-depth across encryption, access control, infrastructure, and operations — every system built around protecting sensitive financial data.

Encryption at Rest

All stored data encrypted using AES-256. Database-level encryption applied to every record, with keys managed through a dedicated KMS and rotated on a defined schedule.

Encryption in Transit

TLS 1.3 enforced across all endpoints. Legacy TLS versions disabled. HSTS headers with preloading prevent protocol downgrade attacks.

Role-Based Access Controls

Granular RBAC allows admins to define exactly what each user can view, edit, approve, or export. No user ever accesses data outside their defined scope.

SSO & Multi-Factor Auth

SAML 2.0 SSO with Okta, Azure AD, and OneLogin. MFA enforced for all admin accounts. TOTP support for institutions without enterprise identity providers.

Annual Penetration Testing

Independent third-party pen tests annually. Critical findings remediated within 72 hours. Results available to qualified prospects under NDA.

US-Only Cloud Infrastructure

Hosted in SOC 2-certified US data centers with redundant availability zones, automated failover, and 99.9% uptime SLA. Data never leaves US borders.

Regulatory Compliance

Every regulation mapped to a platform capability

These aren't compliance claims — they're specific platform features mapped directly to examiner requirements. No workarounds, no manual processes bolted on.

Regulation | Platform Capability

KYC / CIP (Bank Secrecy Act)

Configurable identity verification workflows capture all CIP-required data fields. Conditional logic routes high-risk customers to Enhanced Due Diligence automatically. Identity document collection and secure storage built in.

AML / BSA (FinCEN / PATRIOT Act)

Structured workflows enforce consistent AML screening steps across all customer types. Immutable audit logs record every onboarding action, supporting BSA program documentation requirements for examiner review.

CDD (FinCEN CDD Rule)

Beneficial ownership collection workflows meet FinCEN's CDD Rule requirements. The platform captures and stores all required beneficial owner certifications with a full timestamped record for examiner review.

SEC 17a-4 / FINRA (Rules 4511 & 3110)

Records stored in non-rewritable, non-erasable format per SEC Rule 17a-4. Configurable retention schedules support 3–6 year requirements. Export functionality meets FINRA Rule 4511 audit obligations.

GDPR / CCPA (Data Privacy)

Built-in consent capture, data minimization controls, and automated deletion workflows. Data subject access and deletion requests fulfilled directly from the admin console. DPA available for all clients.

GLBA (Safeguards Rule)

Technical safeguards consistent with the GLBA Safeguards Rule: access controls, AES-256 encryption, comprehensive audit logging, and vendor risk documentation to support your institution's own GLBA compliance program.

Audit Trails

Every action logged. Nothing editable. Everything exportable.

When your regulator arrives, the audit trail tells the complete story — who did what, when, and from where. No manual reconstruction. No gaps.

Records are immutable once created. No administrator — including ours — can modify a logged event. Exports are available in structured formats for examiner review, eDiscovery, or internal audit on demand.

audit-log — Morrison, J. — Account Opening (23 events; 4 shown)
Feb 18 09:14:03  Identity verification completed (branch.ops@firstregional.com, IP 10.4.x.x)
Feb 18 09:18:47  Document signed via Voice Sign (Account Agreement v2.1, hash a3f9c8d...)
Feb 18 11:02:19  Compliance review approved (compliance@firstregional.com, Risk: Standard)
Feb 18 11:03:01  Account activated — onboarding complete (Total time: 1h 48m; All records sealed)
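How a sealed, immutable audit trail like the one above can be made tamper-evident, as an added illustration rather than Onboarding Express's own implementation: each event is hash-chained to the previous one, so editing, reordering or deleting any logged event is detected on verification. The four sample events are constructed from the mock-up above, and the year in the timestamps is assumed.

```python
"""Hash-chained, append-only audit log (illustrative example, not Onboarding
Express code). Each entry stores the SHA-256 of its own event fields joined
to the previous entry's hash, so editing, reordering or deleting any sealed
event breaks every hash that follows it."""
import hashlib
import json

GENESIS = "0" * 64  # sentinel prev_hash for the first entry (assumed)


def _digest(event: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal events hash equally.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Seal `event` onto `log`, chaining it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"event": event, "prev_hash": prev_hash, "hash": _digest(event, prev_hash)}
    log.append(entry)
    return entry


def verify_chain(log: list, expected_head=None) -> tuple:
    """Return (True, len(log)) if every link checks out, else (False, index of
    the first bad entry). Pass the newest hash recorded out-of-band as
    `expected_head` to also detect truncation of the most recent entries."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != expected_prev:
            return False, i
        if _digest(entry["event"], entry["prev_hash"]) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return False, len(log)
    return True, len(log)


def build_sample_log() -> list:
    # Constructed from the four events in the page's audit-log mock-up; the
    # year is assumed because the mock-up shows only "Feb 18".
    log = []
    for ts, action, detail in [
        ("2026-02-18T09:14:03", "Identity verification completed", "branch.ops@firstregional.com"),
        ("2026-02-18T09:18:47", "Document signed via Voice Sign", "Account Agreement v2.1"),
        ("2026-02-18T11:02:19", "Compliance review approved", "compliance@firstregional.com"),
        ("2026-02-18T11:03:01", "Account activated", "onboarding complete"),
    ]:
        append_event(log, {"ts": ts, "action": action, "detail": detail})
    return log
```

The chain alone cannot tell that the newest entries were dropped, which is why the current head hash must be anchored somewhere the log writer cannot alter (a separate store, a signed checkpoint, or the examiner's own copy).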

FAQ

Questions from procurement teams

CISOs, compliance officers, and vendor risk committees ask these before every evaluation — answered here so your review starts on solid ground.

01

Our most recent SOC 2 Type II report is available to qualified prospects and current clients under a mutual NDA. Contact us through the Get Started page noting that you're requesting the report — our security team responds within one business day with next steps.
02

All customer data is stored exclusively in US-based data centers. We do not transfer or replicate data outside the United States. Our infrastructure provider holds its own SOC 2 Type II certification, and we apply additional contractual data residency requirements through our Data Processing Agreement.
03

Upon termination you receive a full data export in a structured, machine-readable format within 30 days. After the export period, all client data is deleted on a schedule defined in your contract, with written confirmation of deletion provided. We do not retain your data after the deletion window closes.
04

We maintain a formal Incident Response Plan tested annually. In the event of a confirmed incident affecting client data, we notify affected clients within 72 hours — consistent with GDPR's breach notification timeline and US state requirements. We provide a full incident report, scope of impact, remediation steps, and recommended actions for your own compliance obligations.
05

Yes. We have a completed SIG questionnaire and CAIQ available on request. We also maintain a Vendor Risk profile pre-populated with information most commonly requested by financial institution procurement and vendor management teams. Contact us and we'll send the appropriate documentation package for your process.

Start Your Review

Ready to put us through your security review?

We'll send our SOC 2 report, pen test summary, security questionnaire responses, and full compliance documentation — everything your vendor risk team needs to move efficiently.

SOC 2 Type II
AES-256
ESIGN & UETA
1-Day Response