Trust & Security

Built for the standards your bank audits against.

Every check on this platform is grounded in the published standards your compliance, audit and IT-security teams already know — UCP 600, ISBP 821, URDG 758, FATF, Wolfsberg, OFAC, GDPR, DPDP. This page tells you exactly what is in place today and what is on the roadmap. We do not claim certifications we do not yet hold.

Standards & certifications

Compatible = our platform's controls let a customer meet the obligations of this standard with the configuration we ship; we do not claim formal certification. Roadmap = we plan to pursue this; no audit engagement is underway yet and no target date is committed. Certified = independently audited and current (none yet — we will name the auditor and certificate ID when we have one).

Industry standards (trade finance)
UCP 600
Compatible
ICC Uniform Customs and Practice for Documentary Credits — every LC check on the platform is grounded in UCP 600 articles.
ISBP 821
Compatible
ICC International Standard Banking Practice for the Examination of Documents under UCP 600.
URDG 758
Compatible
ICC Uniform Rules for Demand Guarantees — the Bank Guarantee Vetting Expert runs clause-by-clause checks against all 35 articles.
eUCP / eURC 2.0
Compatible
Electronic presentation supplements to UCP 600 / URC 522.
AML / financial crime
FATF 40 Recommendations
Compatible
Trade-based money laundering screening is wired against the Financial Action Task Force red-flag taxonomy.
Wolfsberg Trade Finance Principles
Compatible
Counterparty screening, beneficial ownership, dual-use goods and high-risk geography checks follow the Wolfsberg Group principles for correspondent banking.
OFAC / UN / EU / UK OFSI sanctions
Compatible
Live sanctions matching against 58 000+ entities from US OFAC SDN, UN Security Council, EU FSF and UK OFSI consolidated lists. Source URLs cited inline on every finding.
EU Dual-Use Regulation 2021/821
Compatible
HS-code-level dual-use control list matching for export-control risk.
Data security
TLS 1.3 + HSTS everywhere
Compatible
All traffic encrypted in transit via Cloudflare. HSTS enforced. SSL Labs A+ rating.
Encryption at rest
Compatible
AES-256 at the storage layer (MongoDB Atlas managed encryption).
Bearer-token authenticated APIs
Compatible
Every privileged endpoint requires a short-lived session token; admin actions additionally require ADMIN_TOKEN.
Tenant data isolation
Compatible
Every document set is owner-scoped at the query layer; cross-customer reads require explicit admin override (logged).
Append-only audit log
Compatible
Uploads, classifications, extraction edits, decisions and PDF downloads are recorded with actor + timestamp. Cryptographic hash-chaining is on the roadmap.
SOC 2 Type II
Roadmap
Independent third-party audit covering Security, Availability & Confidentiality. We will publish a target date once an auditor is engaged.
ISO/IEC 27001:2022
Roadmap
Information Security Management System certification.
CSA STAR Level 1
Roadmap
Cloud Security Alliance self-assessment, published on the CSA public registry.
Privacy & data protection
GDPR (EU 2016/679)
Compatible
EU lawful basis, data-subject rights, breach notification within 72h. A formal Data Protection Officer engagement and DSR workflow are on the roadmap.
DPDP Act 2023 (India)
Compatible
Indian Digital Personal Data Protection Act — consent management, purpose limitation, grievance officer.
Singapore PDPA
Compatible
Personal Data Protection Act — purpose, consent, access & correction obligations.
CCPA / CPRA
Compatible
California Consumer Privacy Act — rights to know, delete and opt-out.
ISO/IEC 27701
Roadmap
Privacy Information Management System — extension of ISO 27001.

What we do every day

Defence in depth
Cloudflare WAF + bot management at the edge; per-route authentication; tenant isolation on every query.
Secrets hygiene
All credentials in environment variables, never committed to source control; admin token can be regenerated on demand.
Tenant data isolation
Every document set is owner-scoped at the query layer; no cross-customer reads possible without explicit admin override (logged).
LLM data handling
Commercial LLM APIs we use through the Emergent universal key (Google Gemini 3 Flash, Anthropic Claude) explicitly exclude prompts and responses from model training under their standard API terms. An OCR fallback may route through OpenRouter free-tier models on certain scanned pages — we are migrating that path off free-tier models. Customers requiring single-provider commercial-only routing can request it.
Append-only audit log
Every state change is recorded with actor + timestamp and visible to the customer. Cryptographic hash-chaining is on the roadmap.
Backups
Continuous MongoDB Atlas backups with 7-day point-in-time recovery.

Sub-processors

Third parties that process customer data on our behalf today. We will notify customers in writing before adding a new sub-processor that materially changes data handling.

VendorPurposeRegion
Cloudflare Inc.Edge network, WAF, DDoS, TLS terminationGlobal (anycast)
MongoDB Inc. (Atlas)Primary database + at-rest encryptionSelectable: US / EU / India
OpenAI / Anthropic / Google (via Emergent universal key)LLM-assisted extraction, classification, draftingUS (no training on customer data)
ResendTransactional email delivery (sign-up, password reset, notices)US
StripeCard payment processing for token purchasesGlobal
RazorpayINR payment processing (planned)India

Report a security issue

If you've found a vulnerability, please email security@webtraditor.com. We respond within one business day, fix high-severity issues within 7 days, and credit researchers on this page (with permission).

Machine-readable disclosure policy: /.well-known/security.txt

Talk to us

Have a vendor security questionnaire or a custom Data Processing Agreement? Email hello@webtraditor.com — we typically respond within three business days. For data-subject requests or GDPR/DPDP queries, write to privacy@webtraditor.com.

Back to home

Made with Emergent