Enterprise-grade security.
Your data stays yours.
Built from day one with financial-grade data protection. Multi-tenant isolation at the database level — not the application level.
Multi-Tenant Data Isolation
PostgreSQL Row-Level Security (RLS) enforced on 18+ tables. ISO A's proprietary lender data is cryptographically invisible to ISO B. This isn't application-level filtering that can be bypassed — it's database-level enforcement.
Every query is automatically scoped by organization ID at the Supabase layer. Even if application code had a bug, the database would still prevent cross-tenant data access.
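The database-level scoping described above, sketched in plain PostgreSQL as an added example (this is not YieldStream's schema or code). The table, the `app_user` role and the `app.current_org_id` setting are assumed names, the two rows are constructed sample data, and the script is meant to be run as a superuser in a scratch database.

```sql
-- Constructed schema for illustration; every name here is an assumption.
CREATE TABLE lender_notes (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    body            text NOT NULL
);

-- Seed one row per tenant before row-level security is switched on.
INSERT INTO lender_notes (organization_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'ISO A lender terms'),
    ('22222222-2222-2222-2222-222222222222', 'ISO B lender terms');

ALTER TABLE lender_notes ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from every policy.
ALTER TABLE lender_notes FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement can see; WITH CHECK rejects writes
-- that would land in another tenant. An unset or empty setting becomes
-- NULL, so a session with no tenant scope matches no rows (fails closed).
CREATE POLICY tenant_isolation ON lender_notes
    USING (organization_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- The application connects as a role with neither SUPERUSER nor BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON lender_notes TO app_user;
GRANT USAGE ON SEQUENCE lender_notes_id_seq TO app_user;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';

-- No WHERE clause: the policy alone limits this to the session's tenant.
SELECT organization_id, body FROM lender_notes;

-- Asking for the other tenant explicitly still matches nothing.
SELECT body FROM lender_notes
 WHERE organization_id = '22222222-2222-2222-2222-222222222222';

-- A write into the other tenant is rejected by WITH CHECK and aborts
-- the transaction with a row-level security policy violation.
INSERT INTO lender_notes (organization_id, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;
```

The guarantee holds only for connections that are subject to the policy: superusers, roles with `BYPASSRLS` (Supabase's `service_role` key is one) and, without `FORCE`, the table owner skip it entirely. The tenant identifier also has to come from a source the client cannot set for itself, such as verified JWT claims.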
Role-Based Access Control
Owner, Admin, and Rep — three granular permission levels control who sees what across your organization. Owners manage billing and team. Admins configure lenders and settings. Reps work deals.
Permission checks happen at both the API route level and the database level for defense-in-depth security.
Complete Audit Trail
Every action on every deal is timestamped, attributed, and stored in an append-only log. Submissions, lender responses, document uploads, AI scoring events, notes, and calls — all traceable.
The audit log cannot be edited or deleted by any user, including organization owners. Perfect for regulatory compliance and team accountability.
GDPR/CCPA Compliance
Full data export on demand for compliance requests. Know exactly what data is stored, where it's processed, and how long it's retained. Data deletion requests honored within the required timeframes.
Export covers all merchant data, deal history, lender interactions, and AI-generated insights associated with your organization.
Built on trusted foundations.
Supabase (PostgreSQL)
SOC 2 Type II certified database hosting with automatic backups and point-in-time recovery.
Vercel Edge Network
Global CDN deployment with automatic SSL, DDoS protection, and 99.99% uptime SLA.
AES-256 Encryption
All data encrypted at rest. TLS 1.3 encryption in transit for every API call and file transfer.
Brute-Force Protection
Login rate limiting, account lockout after failed attempts, and suspicious activity monitoring.
Bank statements deserve bank-grade protection.
Merchant bank statements contain the most sensitive business data. YieldStream treats them accordingly — encrypted storage, scoped access, and automatic retention policies.