Skip to content
Bulwark
PlatformReconGauntletAEGISPricingIntegrationsFree OFAC toolsSecurity
Sign inRequest access

Security & Trust

The security posture of the Bulwark Compliance platform, stated plainly. Questions or vendor-review requests: contact security.

Certifications & assessments

  • SOC 2 Type I is in progress. Security is the mandatory criterion in scope, with Availability and Confidentiality; a Type II observation window opens at the Type I report. We will never describe an in-progress audit as “certified.”
  • Independent penetration test is scheduled before general availability; the summary letter will be available under NDA.
  • Vendor security questionnaires (SIG-Lite, CAIQ) — a completed CAIQ-Lite draft and a signed-ready stateless-architecture attestation for the Recon module are available on request.

Data handling — the short version

  • The reference plane holds no customer data. The OFAC reference (lists, General Licenses, programs, FAQs) is public U.S. Treasury data, identical for every customer.
  • Recon is stateless by default. Research queries and briefs are not persisted on our infrastructure unless an account opts in — enforced in code, gated by CI compliance tests, not just policy.
  • AI runs under Zero Data Retention. Our LLM provider (Anthropic) is contracted under ZDR: API inputs are not retained and not used for training. The service refuses to boot in production if the ZDR attestation is unset.
  • No customer text in logs, telemetry, or alerts. Telemetry and alert payloads are pinned, structural-only field sets; extending them is a compliance review, not a refactor.

Platform controls

  • Tenant isolation — row-level security on every tenant table, per-user module entitlements that fail closed, and entity-scoped visibility in the reporting module.
  • Audit trail — per-tenant, append-only, hash-chained audit logs with periodic chain verification; screening decisions pin the exact list version and publish date so any decision can be reproduced later.
  • Authentication — password + magic-link with self-service TOTP MFA; organizations can enforce MFA for all members. OAuth SSO is available; SAML is available on enterprise plans.
  • Application hardening — enforced Content Security Policy, HSTS, CSRF origin checks, durable cross-instance rate limiting, and idle-session timeouts.
  • Encryption — TLS 1.2+ in transit everywhere; AES-256 encryption at rest via our managed database provider.
  • Change management — pull-request-only changes with CI (typecheck, tests, lint) gating every merge, and a machine-verified migrations ledger for the reference plane.
  • Backups & recovery — daily backups with point-in-time recovery on the managed database tier.

Bank-network accessibility

Content pages work with JavaScript disabled and third-party requests blocked — no CAPTCHA, no client certificates, no data-center IP blocks. Your IT team can allowlist us from one page: network access for IT.

Sub-processors

Every third party that processes data on our behalf, what it touches, and under what terms: the sub-processor register. We update that page before adding a new sub-processor.

Responsible disclosure

Found a vulnerability? Email security@bulwarkcompliance.ai and we’ll acknowledge within one business day. We ask for reasonable time to remediate before public disclosure and will credit reporters who want it.

Documents available on request

  • Stateless-architecture attestation (Recon)
  • CAIQ-Lite / SIG-Lite responses
  • Data Processing Agreement (DPA)
  • Penetration-test summary letter (under NDA, post-GA)

Request documents →

Bulwark

Compliance intelligence for OFAC sanctions. Definitive reference, live change feed, knowledge base.

Weekly OFAC change digest — free.

Platform

Bulwark · OFAC referenceRecon · research agentGauntlet · screeningAEGIS · reporting

Delivery

PricingIntegrationsFree OFAC referenceFree sanctions searchEmail & Slack notificationsHow it works

Company

ContactFAQPrivacyTerms

Trust

Security & trustSub-processorsPlatform statusNetwork access for ITPrivacy policyTerms of service
© 2026 Bulwark Compliance LLC