Security & governance

Your data. Your keys.
Never ours.

Financial data deserves a security posture that isn't a compliance checklist. Airtight sealed the architecture first and hung the certifications off the side. Here's what's actually in the box.

Sealed tight by design. Certified on paper.

Encryption

Four layers. One key per tenant. No shared secrets.

Every organisation gets its own key hierarchy. Your data is encrypted at rest with keys no other tenant can access — and we can't either, once you revoke.

Layer 1 · CMK
Customer Master Key

AWS KMS. Never leaves the HSM. Rotated automatically every 90 days.

Layer 2 · KEK
Key Encryption Key

Per-tenant. Wraps the DEK. Generated on tenant creation, never logged.

Layer 3 · DEK
Data Encryption Key

Per-tenant-per-environment. Encrypts row-level data at rest.

Layer 4 · FLD
Field Key

Per-field. TFN, bank details, PII get their own key per column.

Cryptographic shredding. When you delete a tenant, we destroy the per-tenant KEK. The encrypted data remains on disk, but without the key it is mathematically unrecoverable — not "soft-deleted", actually gone. We lose access at the same moment you do.

Architecture

Six pillars, all load-bearing.

Triple-entry cryptographic receipts

Every transaction is signed twice (debit side + credit side) and anchored to a daily Merkle root. Each receipt is offline-verifiable: send it in an email, the recipient can check it without an Airtight login.

Ed25519 · SHA-256 · Merkle
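As an added illustration (not Airtight's code), here is how anchoring receipts to a daily Merkle root makes each one checkable offline: the verifier needs only the receipt, its sibling-hash path and the published root. Canonical JSON, leaf/node domain separation and the odd-level duplication rule are assumed conventions; the Ed25519 signatures on each leg are not modelled here.

```python
import hashlib
import hmac
import json

# Constructed sample: one day's receipts, each carrying both legs of the entry.
RECEIPTS = [
    {"id": f"rcpt-{i}", "debit": "1100:cash", "credit": "4000:sales", "amount": 100 + i}
    for i in range(5)
]

def leaf_hash(receipt: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so issuer and verifier hash identical bytes.
    data = json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()  # 0x00 prefix: leaf domain separation

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 prefix: interior node

def build_tree(leaves: list) -> list:
    """Levels from the leaves up to [root]; an odd level duplicates its last hash (assumed rule)."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels: list, index: int) -> list:
    """Sibling hashes from leaf to root, each tagged with the side the sibling sits on."""
    proof = []
    for level in levels[:-1]:
        level = level + ([level[-1]] if len(level) % 2 else [])
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify_receipt(receipt: dict, proof: list, daily_root: bytes) -> bool:
    """Offline check: recompute the path from the receipt up to the published daily root."""
    h = leaf_hash(receipt)
    for side, sib in proof:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return hmac.compare_digest(h, daily_root)

def demo() -> tuple:
    levels = build_tree([leaf_hash(r) for r in RECEIPTS])
    root = levels[-1][0]
    all_ok = all(verify_receipt(r, inclusion_proof(levels, i), root) for i, r in enumerate(RECEIPTS))
    tampered = dict(RECEIPTS[3], amount=1000)  # amount altered after issuance
    return all_ok, verify_receipt(tampered, inclusion_proof(levels, 3), root)

if __name__ == "__main__":
    print(demo())  # (True, False)
```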

Per-tenant envelope encryption

Four-layer key hierarchy. Your org's keys are never shared with any other tenant. Cryptographic shredding on deletion — when we destroy the key, the data becomes mathematically unrecoverable.

CMK → KEK → DEK → field

Row-level security, everywhere

PostgreSQL RLS on every tenant table. Cross-tenant queries are physically refused by the database — not a code-path convention. Backstopped by integration tests.

FORCE RLS · 258 tables

Passkeys, not passwords

WebAuthn passkeys first. TOTP fallback for the passkey-averse. No SMS — SMS is not security. Session tokens rotate on every use; reuse triggers a full-session revoke.

WebAuthn · TOTP · no-SMS

Immutable audit trail

Every auth event, every API key creation, every permission change is signed and hash-chained. Tampering with yesterday breaks tomorrow. Export on demand for auditors.

Hash-chained · signed · exportable

Fine-grained API keys

Scope to module, read/write, and IP range. Rotate without downtime. Every key has a kill switch — revoke one, the rest keep working.

Scoped · rotatable · revocable

Standards & certifications

The paperwork. Current state.

Target
SOC 2 Type II

Active · target report Q4 2026.

Target
ISO 27001

Controls mapped · target Q1 2027.

Active
GDPR / Australian Privacy Act

Data residency AU or UAE. SCC + APP 8 signed.

Active
ZATCA Phase 2 · Saudi

Cleared e-invoice submission · certified integration.

Active
UAE FTA e-invoicing

Peppol channel ready · certified integration.

Active
AAOIFI Sharia standards

Contracts, zakat, halal receipts.

Engineering practice

Security is a line in every file, not a phase.

What we enforce on every pull request, before merge.

Static SAST on every PR · Semgrep + cargo-audit + pnpm audit
Dependency scanning on every PR · known CVEs block merge
Rate limiting on every endpoint · per-tenant + per-API-key
CORS locked to known origins · no wildcards
CSP on every response · no inline scripts, no eval
No .unwrap() in production Rust · panics = DoS
Invariant checks on money math · property-tested
100% test coverage on money + crypto paths

Want to interrogate the architecture?

Our security team will walk a CISO through key hierarchy, receipt verification, RLS proofs, and incident playbooks. Signed NDAs on request.