Security & Trust
Trust is the product. So we engineer for it.
Commodity trade runs on confidence: in your counterparty, your paperwork, and the platform holding it all. Here is exactly how we protect your data and where our compliance data comes from.
Platform security
Defense in depth, by default.
Encryption in transit & at rest
All traffic is served over TLS 1.3. Data is encrypted at rest by our infrastructure provider with AES-256.
Authorization on every route
Postgres Row-Level Security scopes data to its owner. Every API route authenticates the session before doing anything.
Multi-factor authentication
Optional MFA on every account, with a trust-score bonus for enabling it. Sensitive actions require a freshly authenticated session, not merely a valid one.
Bot & abuse protection
Cloudflare Turnstile guards auth flows. Sensitive endpoints are rate-limited (screening, password reset, uploads, data export).
Hardened HTTP headers
HSTS with preload, X-Frame-Options DENY, X-Content-Type-Options nosniff, a strict Referrer-Policy, a locked-down Permissions-Policy, and a Content Security Policy with violation reporting.
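An added example (not the page's or the platform's own code) that audits a response for the header set described above. Besides presence checks it encodes two things practitioners often get wrong: an HSTS "preload" token only counts if the policy meets the preload list's eligibility conditions, and a report-only CSP blocks nothing. The sample response headers at the bottom are constructed for illustration, and the function and type names are this example's own.

```typescript
type Level = "ok" | "warn" | "fail";
type Finding = { header: string; level: Level; note: string };

// "max-age=31536000; includeSubDomains; preload" -> Map { "max-age" => "31536000", "includesubdomains" => "", "preload" => "" }
function parseDirectives(value: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of value.split(";")) {
    const [k, v = ""] = part.trim().split("=");
    if (k) out.set(k.toLowerCase(), v.trim());
  }
  return out;
}

function auditHeaders(headers: Record<string, string>): Finding[] {
  // Header names are case-insensitive on the wire, so normalise before lookup.
  const h = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v] as const));
  const findings: Finding[] = [];

  const hsts = h.get("strict-transport-security");
  if (hsts === undefined) {
    findings.push({ header: "Strict-Transport-Security", level: "fail", note: "missing" });
  } else {
    const d = parseDirectives(hsts);
    const maxAge = Number(d.get("max-age") ?? "0");
    // hstspreload.org requires max-age >= 1 year (31536000 s), includeSubDomains and preload.
    const eligible = maxAge >= 31536000 && d.has("includesubdomains") && d.has("preload");
    findings.push({
      header: "Strict-Transport-Security",
      level: eligible ? "ok" : "warn",
      note: eligible ? "preload-eligible" : "present but not preload-eligible",
    });
  }

  const xfo = (h.get("x-frame-options") ?? "").toUpperCase();
  findings.push({ header: "X-Frame-Options", level: xfo === "DENY" ? "ok" : "warn", note: xfo || "missing" });

  const nosniff = (h.get("x-content-type-options") ?? "").toLowerCase() === "nosniff";
  findings.push({ header: "X-Content-Type-Options", level: nosniff ? "ok" : "fail", note: nosniff ? "nosniff" : "missing" });

  for (const name of ["Referrer-Policy", "Permissions-Policy"]) {
    const present = h.has(name.toLowerCase());
    findings.push({ header: name, level: present ? "ok" : "warn", note: present ? "present" : "missing" });
  }

  // Enforcing and report-only CSP are separate headers; only the first blocks anything.
  if (h.has("content-security-policy")) {
    findings.push({ header: "Content-Security-Policy", level: "ok", note: "enforcing" });
  } else if (h.has("content-security-policy-report-only")) {
    findings.push({ header: "Content-Security-Policy-Report-Only", level: "warn", note: "report-only: violations are reported, not blocked" });
  } else {
    findings.push({ header: "Content-Security-Policy", level: "fail", note: "missing" });
  }
  return findings;
}

function levelOf(findings: Finding[], header: string): Level | undefined {
  return findings.find((f) => f.header === header)?.level;
}

// Constructed sample response: the hardened set, with the CSP still in report-only mode.
const SAMPLE_RESPONSE: Record<string, string> = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
};

console.log(auditHeaders(SAMPLE_RESPONSE));
```

Run this against a real response (for example the headers captured with `curl -sI`) and treat any "warn" on the CSP line as a reminder that report-only mode is a staging step, not a control.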
Safe inputs & uploads
Zod validation on every API route, a strict file-type allow-list with size caps, and HTML escaping across all email templates.
Data & privacy
Your data, your rights.
GDPR by design
A documented privacy policy with legal bases, sub-processor disclosure, and a cookie-consent layer with granular controls.
Export your data
One-click GDPR data export of your account, rate-limited to protect against abuse.
Delete your account
Permanent account deletion with cascading removal of your records, gated behind explicit confirmation.
You own your records
Your documents, deals, and passports are yours. We never sell data, and access is least-privilege by default.
Compliance methodology
Where the screening data comes from.
Ensemble matching, not naive string search
Candidates are retrieved with Postgres trigram similarity (pg_trgm), then re-ranked by an ensemble that combines name similarity, phonetic matching, identifier corroboration, and demographic consistency, with built-in transliteration of Cyrillic, Arabic, and Chinese scripts. That catches aliases, transliterations, and word-order swaps that plain matching misses, and returns a FLAG, REVIEW, or PASS with a confidence score and risk tier.
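An added example, not the platform's own matcher, that shows the pipeline above in miniature. It reproduces pg_trgm's trigram rule (lowercase, split on non-alphanumerics, pad each word with two leading and one trailing space, compare the unique trigram sets), adds Soundex as the phonetic signal and a Cyrillic-to-Latin table as the transliteration step, and combines them into a score mapped to FLAG, REVIEW or PASS. The ensemble weights, the tier thresholds, the sample names and the scope of the transliteration table are assumptions for illustration; identifier corroboration and demographic consistency are not modelled, and the function names are this example's own.

```typescript
// Assumed transliteration table; Arabic and Chinese would need their own.
const CYRILLIC_TO_LATIN: Record<string, string> = {
  "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ё": "yo", "ж": "zh", "з": "z",
  "и": "i", "й": "y", "к": "k", "л": "l", "м": "m", "н": "n", "о": "o", "п": "p", "р": "r",
  "с": "s", "т": "t", "у": "u", "ф": "f", "х": "kh", "ц": "ts", "ч": "ch", "ш": "sh",
  "щ": "shch", "ъ": "", "ы": "y", "ь": "", "э": "e", "ю": "yu", "я": "ya",
};

// Lowercase and transliterate; characters outside the table pass through unchanged.
function normalizeName(name: string): string {
  return Array.from(name.toLowerCase(), (c) => CYRILLIC_TO_LATIN[c] ?? c).join("");
}

function words(name: string): string[] {
  return normalizeName(name).split(/[^\p{L}\p{N}]+/u).filter(Boolean);
}

// pg_trgm-style trigram set. Trigrams are taken per word, which is why a
// word-order swap ("Al-Rashid Mohammed" vs "Mohammed Al-Rashid") scores 1.0.
function trigrams(name: string): Set<string> {
  const out = new Set<string>();
  for (const word of words(name)) {
    const padded = `  ${word} `;
    for (let i = 0; i + 3 <= padded.length; i++) out.add(padded.slice(i, i + 3));
  }
  return out;
}

// shared / |A ∪ B|, the quantity pg_trgm's similarity() returns.
function trigramSimilarity(a: string, b: string): number {
  const A = trigrams(a), B = trigrams(b);
  let shared = 0;
  A.forEach((t) => { if (B.has(t)) shared++; });
  const union = A.size + B.size - shared;
  return union === 0 ? 0 : shared / union;
}

const SOUNDEX_CODES: Record<string, string> = {
  b: "1", f: "1", p: "1", v: "1", c: "2", g: "2", j: "2", k: "2", q: "2", s: "2", x: "2", z: "2",
  d: "3", t: "3", l: "4", m: "5", n: "5", r: "6",
};

// American Soundex: first letter kept, consonants coded, adjacent equal codes
// collapsed (also across h/w, but not across vowels), padded to 4 characters.
function soundex(word: string): string {
  const w = word.toLowerCase().replace(/[^a-z]/g, "");
  if (!w) return "";
  let out = w[0].toUpperCase();
  let prev = SOUNDEX_CODES[w[0]] ?? "";
  for (const ch of w.slice(1)) {
    const code = SOUNDEX_CODES[ch];
    if (code) {
      if (code !== prev) out += code;
      prev = code;
    } else if (ch !== "h" && ch !== "w") {
      prev = ""; // a vowel separates two equal codes; h and w do not
    }
  }
  return (out + "000").slice(0, 4);
}

// Fraction of query tokens with a Soundex-equivalent token in the candidate.
// Tokens with no Latin letters after normalisation are skipped.
function phoneticScore(query: string, candidate: string): number {
  const q = words(query).map(soundex).filter(Boolean);
  const c = new Set(words(candidate).map(soundex));
  return q.length === 0 ? 0 : q.filter((s) => c.has(s)).length / q.length;
}

type Tier = "FLAG" | "REVIEW" | "PASS";
type Decision = { score: number; tier: Tier };

// Assumed ensemble: 60% trigram similarity, 40% phonetic agreement; assumed tiers.
function screen(query: string, candidate: string): Decision {
  const score = 0.6 * trigramSimilarity(query, candidate) + 0.4 * phoneticScore(query, candidate);
  const tier: Tier = score >= 0.85 ? "FLAG" : score >= 0.6 ? "REVIEW" : "PASS";
  return { score, tier };
}

// Constructed sample list entry and queries.
const LISTED = "Mohammed Al-Rashid";
for (const q of ["Muhammad Al Rashid", "Al-Rashid Mohammed", "John Smith"]) {
  console.log(q, "->", screen(q, LISTED));
}
console.log("Иванов Сергей", "->", screen("Иванов Сергей", "Sergey Ivanov"));
```

The spelling variant "Muhammad Al Rashid" gets only 0.52 on trigrams alone (the pg_trgm retrieval stage) but Soundex agrees on every token, so the ensemble lifts it into REVIEW rather than letting it fall through as PASS; that is the re-ranking stage doing its job.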
Kept fresh on a schedule
The lists are synced automatically from their official sources: critical lists daily, most weekly, and the long tail monthly. Business verification (KYB) extends AML and sanctions coverage to 1300+ global lists. No stale data, no manual exports.
Transparency
Sub-processors.
The third parties that help us run the platform. Each is bound by a data-processing agreement.
Supabase
Database, auth, storage (Postgres + RLS)
Vercel
Application hosting & edge network
Stripe
Payments & subscription billing
Resend
Transactional email
Groq
AI features (LLM inference)
Cloudflare
Turnstile bot protection
Mapbox
Provenance maps
Google Analytics
Consent-gated product analytics
Found a vulnerability?
Report it responsibly and we will work with you to fix it quickly.