Security & Trust
Certifications & assessments
- SOC 2 Type I is in progress. Security is the mandatory criterion in scope, with Availability and Confidentiality; a Type II observation window opens at the Type I report. We will never describe an in-progress audit as “certified.”
- Independent penetration test is scheduled before general availability; the summary letter will be available under NDA.
- Vendor security questionnaires (SIG-Lite, CAIQ) — a completed CAIQ-Lite draft and a signed-ready stateless-architecture attestation for the Recon module are available on request.
Data handling — the short version
- The reference plane holds no customer data. The OFAC reference (lists, General Licenses, programs, FAQs) is public U.S. Treasury data, identical for every customer.
- Recon is stateless by default. Research queries and briefs are not persisted on our infrastructure unless an account opts in — enforced in code, gated by CI compliance tests, not just policy.
- AI runs under Zero Data Retention. Our LLM provider (Anthropic) is contracted under ZDR: API inputs are not retained and not used for training. The service refuses to boot in production if the ZDR attestation is unset.
- No customer text in logs, telemetry, or alerts. Telemetry and alert payloads are pinned, structural-only field sets; extending them is a compliance review, not a refactor.
Platform controls
- Tenant isolation — row-level security on every tenant table, per-user module entitlements that fail closed, and entity-scoped visibility in the reporting module.
- Audit trail — per-tenant, append-only, hash-chained audit logs with periodic chain verification; screening decisions pin the exact list version and publish date so any decision can be reproduced later.
- Authentication — password + magic-link with self-service TOTP MFA; organizations can enforce MFA for all members. OAuth SSO is available; SAML is available on enterprise plans.
- Application hardening — enforced Content Security Policy, HSTS, CSRF origin checks, durable cross-instance rate limiting, and idle-session timeouts.
- Encryption — TLS 1.2+ in transit everywhere; AES-256 encryption at rest via our managed database provider.
- Change management — pull-request-only changes with CI (typecheck, tests, lint) gating every merge, and a machine-verified migrations ledger for the reference plane.
- Backups & recovery — daily backups with point-in-time recovery on the managed database tier.
Bank-network accessibility
Content pages work with JavaScript disabled and third-party requests blocked — no CAPTCHA, no client certificates, no data-center IP blocks. Your IT team can allowlist us from one page: network access for IT.
Sub-processors
Every third party that processes data on our behalf, what it touches, and under what terms: the sub-processor register. We update that page before adding a new sub-processor.
Responsible disclosure
Found a vulnerability? Email security@bulwarkcompliance.ai and we’ll acknowledge within one business day. We ask for reasonable time to remediate before public disclosure and will credit reporters who want it.
Documents available on request
- Stateless-architecture attestation (Recon)
- CAIQ-Lite / SIG-Lite responses
- Data Processing Agreement (DPA)
- Penetration-test summary letter (under NDA, post-GA)