Security & Data Handling
How we protect your financial data, enforce tenant isolation, handle failures, and meet compliance requirements. Written for engineers and operators.
Security Certifications & Compliance
Enterprise-grade security certifications and compliance standards. Currently GDPR/CCPA compliant with PCI-DSS ready infrastructure.
- SOC 2 Type II: planned Q3 2026
- GDPR: EU data protection standards
- Bank-level data protection
- SLA-backed availability (Enterprise)
- Money-back guarantee
- Secure payment processing
SOC 2 Type II (Planned Q3 2026)
Our infrastructure and processes are designed in alignment with SOC 2 Trust Service Criteria. SOC 2 Type II certification is planned for Q3 2026. We maintain continuous monitoring of our security controls.
ISO 27001 Aligned (Planned)
We follow ISO 27001 standards for information security management, ensuring systemic risk management and robust security controls. ISO 27001 certification is planned for future implementation.
Data Protection & Privacy
Encryption at Rest & Transit
AES-256 encryption at rest (Supabase managed). TLS 1.3 in transit (enforced by Vercel edge). Key management via Supabase KMS with automatic rotation. No application-level encryption keys stored in code or environment variables.
Data Retention & Deletion
Data retained indefinitely unless account deleted. Account deletion: 30-day grace period (soft delete), then hard deletion from production and backups. Cryptographic erasure verification available for Enterprise (proof that data cannot be recovered).
Audit Logging
Immutable audit logs for all sensitive actions (data access, exports, deletions, configuration changes). Stored in separate table with RLS. Exportable via API (GET /api/v1/audit-logs). SIEM integration available for Enterprise (webhook or API polling).
Disaster Recovery
Daily automated backups (Supabase managed). Point-in-time recovery (PITR) available. RPO: 24 hours. RTO: 4 hours (target). Backup restoration tested quarterly. Multi-region replication available for Enterprise.
Infrastructure Security
Serverless architecture (Vercel + Supabase). No persistent servers to harden. Dependency scanning in CI/CD (npm audit, Dependabot). Automated security headers (CSP, HSTS, X-Frame-Options) via middleware.
Access Control
Authentication via Supabase Auth (email/password, OAuth). API keys for programmatic access (scoped to tenant). Row-Level Security (RLS) enforces tenant isolation at database level. SAML SSO and MFA available for Enterprise.
Data Handling & Privacy
Data Processing & Isolation
- Tenant Isolation: Row-Level Security (RLS) policies enforce tenant boundaries at the database level. Every query is filtered by tenant_id. Cross-tenant access is architecturally impossible.
- Data Purpose: Customer data is processed only for reconciliation services. No secondary use. No AI model training without explicit consent.
- Data Residency: US by default. EU data residency available for Enterprise customers (separate Supabase project in EU region).
- Encryption: AES-256 at rest (Supabase managed), TLS 1.3 in transit. Keys managed by Supabase KMS with automatic rotation.
- Backup & Retention: Daily backups retained for 30 days. Point-in-time recovery available. Hard deletion after 30-day grace period.
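The tenant-isolation and audit-logging controls above, sketched as an added Postgres/Supabase example (not Settler's own schema): the table names, the `current_tenant_id()` helper, the `authenticated` role and the assumption that the tenant id is carried in the JWT under `app_metadata.tenant_id` are illustrative choices, not taken from the page.

```sql
-- Illustration only: tenant isolation via RLS plus an append-only audit table.
-- Assumes Supabase's auth.jwt() and the built-in 'authenticated' role.
create table reconciliations (
  id          uuid primary key default gen_random_uuid(),
  tenant_id   uuid not null,
  payload     jsonb not null,
  created_at  timestamptz not null default now()
);

alter table reconciliations enable row level security;
-- FORCE applies the policies to the table owner as well, not just to
-- ordinary roles, so an owner-level connection cannot bypass them.
alter table reconciliations force row level security;

-- The caller's tenant comes from the signed JWT, never from the request body.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

-- USING filters reads; WITH CHECK stops a caller from writing a row that is
-- tagged with another tenant's id (insert or update).
create policy tenant_isolation on reconciliations
  for all to authenticated
  using (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());

-- Audit log lives in its own table: readable per tenant, but append-only.
create table audit_logs (
  id          bigint generated always as identity primary key,
  tenant_id   uuid not null,
  user_id     uuid not null,
  ip_address  inet,
  action      text not null,   -- e.g. 'data.export', 'account.delete'
  created_at  timestamptz not null default now()
);
alter table audit_logs enable row level security;
alter table audit_logs force row level security;

create policy audit_read on audit_logs
  for select to authenticated using (tenant_id = current_tenant_id());
create policy audit_append on audit_logs
  for insert to authenticated with check (tenant_id = current_tenant_id());

-- With no UPDATE or DELETE policy, RLS denies those statements; revoking the
-- privileges as well makes the immutability explicit and auditable.
revoke update, delete on audit_logs from authenticated;
```

A useful check is to run a SELECT on each table under a JWT for one tenant and confirm that rows belonging to another tenant never appear, and that an UPDATE on audit_logs fails.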
Data Access, Export & Deletion
- Data Export: Full account data export via GET /api/v1/tenant/data-export. JSON or CSV format. GDPR/CCPA compliant. Includes all reconciliations, jobs, exceptions, and audit logs.
- Data Deletion: Account deletion triggers 30-day grace period (soft delete). After 30 days, hard deletion removes all data from production and backups. Cryptographic erasure verification available for Enterprise.
- Audit Logging: All data access, exports, and deletions logged with timestamp, user ID, IP address, and action type. Immutable logs stored separately from application data.
- Self-Service: Export and deletion available in console (/dashboard/user). No manual intervention required.
Sub-processors
Settler engages third-party sub-processors to provide our services. All sub-processors undergo security and privacy diligence before engagement. We maintain Data Processing Agreements (DPAs) with all sub-processors that handle customer data.
Infrastructure
- Amazon Web Services (AWS) - Cloud hosting
- Vercel - Frontend hosting & edge functions
- Supabase - Database & authentication
- Upstash - Redis & Kafka (serverless)
Services
- Stripe - Payment processing
- Resend - Transactional emails
- OpenAI - LLM processing (opt-in features)
Incident Response
Incident Response Process
- Detection: Automated monitoring (Sentry, Supabase alerts, Vercel logs) + manual reports. Initial assessment within 1 hour.
- Containment: Immediate isolation of affected systems. API rate limiting, IP blocking, or tenant-level suspension if needed.
- Investigation: Root cause analysis using audit logs, error traces, and system metrics. Impact assessment (affected tenants, data types, time window).
- Notification: Customer notification within 72 hours for incidents affecting customer data (GDPR requirement). Status page updates for all incidents.
- Remediation: Fix deployed, systems verified, monitoring enhanced. Post-incident review documented. Process improvements implemented.
Communication & Reporting
- Security Reports: security@settler.dev. PGP key available on request.
- Status Page: settler.dev/status. Real-time system status, incident updates, scheduled maintenance.
- Enterprise Notifications: Direct email to account contacts for incidents affecting customer data. Incident reports with technical details available upon request.
- Disclosure Policy: Responsible disclosure for security vulnerabilities. Public disclosure after remediation (typically 90 days).
- Security.txt: /.well-known/security.txt for security researchers.
Responsible Disclosure
We take the security of our systems seriously and value the community's help in identifying vulnerabilities. If you believe you've found a security issue, please report it to us responsibly.