Security
We move real customer funds. Security is part of the product, not a compliance afterthought.
No private keys in source
Signing keys live in KMS. CI and application code reference identifiers, never material.
No private keys in browser env
Only VITE_* / NEXT_PUBLIC_* non-secret values are exposed client-side.
Every admin action is audited
Manual operations write an append-only audit log reviewed during weekly ops.
Idempotent money flows
Every write touching customer balances runs inside a transaction with an idempotency key.
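One way to implement the idempotent write described above, added here as an illustration and not taken from this product's code. The SQLite schema, the table and column names and the `apply_delta` function are assumptions made for the example.

```python
import sqlite3

def open_ledger():
    # Constructed in-memory schema; all names are assumptions for this example.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript("""
        CREATE TABLE balances (account TEXT PRIMARY KEY,
                               cents INTEGER NOT NULL CHECK (cents >= 0));
        CREATE TABLE idempotency_keys (key TEXT PRIMARY KEY,
                                       account TEXT NOT NULL,
                                       delta_cents INTEGER NOT NULL,
                                       result_cents INTEGER NOT NULL);
    """)
    return db

def apply_delta(db, key, account, delta_cents):
    """Apply a balance change once per idempotency key.

    Returns (balance_after, replayed). The key row and the balance update
    commit or roll back together, so a retry can never double-apply.
    """
    db.execute("BEGIN IMMEDIATE")  # take the write lock before reading the key
    try:
        seen = db.execute(
            "SELECT account, delta_cents, result_cents "
            "FROM idempotency_keys WHERE key = ?", (key,)).fetchone()
        if seen is not None:
            # Same key with a different request is a client bug, not a retry.
            if (seen[0], seen[1]) != (account, delta_cents):
                raise ValueError("idempotency key reused with different parameters")
            db.execute("COMMIT")
            return seen[2], True
        cur = db.execute(
            "UPDATE balances SET cents = cents + ? WHERE account = ?",
            (delta_cents, account))
        if cur.rowcount != 1:
            raise KeyError(account)
        balance = db.execute(
            "SELECT cents FROM balances WHERE account = ?", (account,)).fetchone()[0]
        db.execute("INSERT INTO idempotency_keys VALUES (?, ?, ?, ?)",
                   (key, account, delta_cents, balance))
        db.execute("COMMIT")
        return balance, False
    except Exception:
        db.execute("ROLLBACK")  # failed writes leave neither balance nor key behind
        raise
```

A rejected write (for example an overdraft blocked by the `CHECK` constraint) rolls back without recording the key, so the caller can retry the same key after fixing the cause.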
Compliance roadmap
Vendor security review
Stripe, Postgres provider, observability vendor.
SOC 2 Type I readiness
Controls mapped, evidence collection underway.
Penetration test
Required before public production launch.
Bug bounty
Planned after private beta hardening.