Trust center · in production

Bank-grade security. European compliance.

We handle financial data from SMEs and banks. The architecture is designed to pass a vendor review, a DORA audit and a pen test, not a marketing checklist.

GDPR-compliant

in production

DORA-ready

in production

EU data

in production

SOC 2 Type II

Q1 2027

How we protect your data

Four pillars, all in production, all auditable.

AES-256 encryption in transit and at rest

All sensitive data, including copies of ID cards, invoices, IBANs and ERP credentials, is encrypted with AES-256-GCM before it touches disk. Keys managed by AWS KMS with automatic rotation every 90 days.

  • TLS 1.3 on every connection · HSTS preload
  • AES-256-GCM at-rest · rotating AWS KMS keys
  • Hardware security modules (HSM) for master keys
HTTPS/TLS 1.3
A+
AES-256-GCM at-rest
active
KMS rotation · every 90 days
auto
WAF + DDoS · Cloudflare
layer 3-7

Isolation at the database level

Each tenant (bank, SME) has its data physically separated via PostgreSQL Row Level Security. It is not possible, even via SQL injection, to access another tenant's data. All queries run through RPCs with SECURITY DEFINER.

  • Row Level Security (RLS) on every table · default deny
  • SECURITY DEFINER RPCs · tenant_id derived internally
  • Pen test yearly · next Q3 2026
Bank A · 4,231 SMEs
isolated
Bank B · 1,852 SMEs
isolated
Cross-tenant query
denied
Audit log entry · event recorded
SHA-256

WORM audit log with 7-year retention

Every access, every change, every scoring decision is written to an immutable (write-only) log with chained SHA-256 hashing. Entries cannot be deleted, modified or reordered, not even by Advanta. Compliant with Banco de Portugal requirements for accounting records.

  • SHA-256 chained hashing · any change detected instantly
  • S3 Object Lock · immutability at the storage level
  • Exportable to the BdP · auditable standard XML format
audit_log · last 4 entries
score.computed · NIF ***456
14:23:01
operation.approved · €24,800
14:23:18
contract.signed · QES verified
14:24:02
sepa.disbursed · IBAN PT50…
14:24:31
chain valid · hash 8f2e…b3c4

European data sovereignty

All data, personal, financial, KYC, lives on servers in the EU. Supabase in eu-central-1 (Frankfurt). No transfers outside the EU under normal conditions. Compatible with Schrems II and post-Privacy Shield regulation. Failover replica in eu-west-1 (Dublin) in Q4 2026.

  • Frankfurt (eu-central-1) · primary region
  • Encrypted backup · 35-day retention · Object Lock
  • Dublin failover · RPO <15 min · roadmap Q4 2026
Frankfurt (DE) primary Dublin (IE) Q4 2026

EU data sovereignty · Schrems II safe · never leaves the European Union

Vendor review? Pen test? DORA submission?

We have the documents ready. Request the compliance folder and get it in under 1 business day.