Security & Data Protection
We employ a financial-grade security architecture built on AWS to ensure that sensitive data is encrypted, access-controlled, and fully auditable.
Overview
Sensitive financial data is encrypted at the application layer before it is written to durable storage. We use AWS Key Management Service (KMS) for key material and envelope encryption; no plaintext financial data is ever stored at rest.
Access is restricted through least-privilege IAM roles and service boundaries. Administrative and cryptographic activity is logged and available for audit so that key usage and access patterns remain traceable.
Security Principles
These practices form the baseline for how we handle confidential data across our environment.
Encryption by Default
- All sensitive data is encrypted using AES-256.
- Envelope encryption is backed by AWS KMS.
No Stored Secrets
- No long-lived credentials.
- All access uses short-lived, federated identity.
Least Privilege Access
- Only backend services can decrypt.
- No human access to production financial data.
Full Auditability
- All key usage logged via AWS CloudTrail.
- Complete traceability of access events.
How we protect data
- Data is encrypted as soon as it is accepted by our services.
- At rest, only ciphertext is stored; keys are managed separately in KMS.
- Decryption happens only in memory within authorized backend processes.
- User-facing surfaces use masked or redacted values where full detail is not required.
- Encryption keys never leave the AWS KMS boundary under our control.
Security Documentation
Materials for the public, our technology and bank partners, and security reviewers.
Information Security Policy
Detailed description of our Information Security policies and procedures.
Access Control Policy
Detailed description of our Access Control policies and procedures.
Data Retention Policy
Detailed description of our Data Retention policies and procedures.
Incident Response Policy
Detailed description of our Incident Response policies and procedures.
Cryptographic Key Management and Data Protection Architecture
Detailed description of our Cryptographic Key Management and Data Protection Architecture policies and procedures.
SOC 2 Control Narrative
Detailed description of our SOC 2 Control Narrative.
SOC 2 Control Matrix
Detailed description of our SOC 2 Control Matrix.
Partner Bank Due Diligence Responses
Detailed description of our Partner Bank Due Diligence Responses.
Have questions about our security architecture?
We are happy to walk through controls, architecture, and diligence materials with qualified partners.