Last security review: March 2026

Platform Security

How OilFlow protects your data, your deals, and your compliance posture.

Standards & Certifications

SOC 2 Type II: Certified (Supabase infrastructure)

PCI DSS Level 1: Certified (Stripe payment processing)

GDPR: Compliant (Data handling & privacy controls)

CCPA: Compliant (California privacy rights)

Kenya DPA 2019: Compliant (East Africa operations)

AML / KYC: Enforced (6-step verification pipeline)

OFAC / UN / EU / UK: Active screening (All members & directors)

Infrastructure

Single database, single location — SOC 2 certified infrastructure (Supabase on AWS)

PGP symmetric encryption on sensitive fields (email, payment IDs, beneficial owners)

TLS 1.2+ on every connection — HSTS enforced with 1-year policy

Stateless application layer — processes requests, stores nothing

Row-level security — database-enforced access isolation per member

Browser → TLS → App (stateless) → TLS → Database (encrypted)
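To make the "PGP symmetric encryption on sensitive fields" item concrete, here is an added example written for this page (not OilFlow's own schema or code). It uses PostgreSQL's pgcrypto extension, which Supabase ships, to store a member's email address as PGP ciphertext and to look it up by a keyed hash so that rows are decrypted only after they are selected. The table and column names, the application-supplied settings app.field_key and app.index_key, and the placeholder key values are all assumptions.

```sql
-- Added example: field-level PGP symmetric encryption with pgcrypto.
-- Table/column names and the key-delivery mechanism are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE members (
    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    company     text NOT NULL,
    -- Ciphertext only; the plaintext email never lands in this column.
    email_enc   bytea NOT NULL,
    -- Keyed hash for equality lookups without decrypting every row.
    email_hmac  bytea NOT NULL UNIQUE
);

-- Keys are handed to the session by the application (e.g. SET LOCAL inside
-- the request's transaction) and are never stored in the database.
-- Placeholder values: replace with keys from the secret store.
SET app.field_key = 'REPLACE-WITH-ENCRYPTION-KEY';
SET app.index_key = 'REPLACE-WITH-SEPARATE-INDEX-KEY';

-- Write path: encrypt the field and compute its lookup hash.
INSERT INTO members (company, email_enc, email_hmac) VALUES (
    'Example Trading Ltd',   -- constructed sample member
    pgp_sym_encrypt('ops@example.com', current_setting('app.field_key')),
    hmac('ops@example.com', current_setting('app.index_key'), 'sha256')
);

-- Read path: find the row by hash, then decrypt only that row.
SELECT company,
       pgp_sym_decrypt(email_enc, current_setting('app.field_key')) AS email
FROM members
WHERE email_hmac = hmac('ops@example.com', current_setting('app.index_key'), 'sha256');

-- Without the key the column is opaque: a backup or a mis-scoped reader
-- sees only ciphertext bytes.
SELECT company, encode(email_enc, 'hex') AS ciphertext_hex FROM members;
```

Two design points worth noting: the lookup hash uses a key separate from the encryption key, so compromise of one does not expose the other, and because each ciphertext carries its own random salt and session key, two identical emails produce different ciphertexts, which is why an equality index must be built on the HMAC rather than on email_enc.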

Access Control

Row-level security policies on all database tables

Server-side session verification on every request

Deal room isolation — party membership verified before access

Append-only audit trail with operator ID, timestamp, and IP

Security headers: CSP, X-Frame-Options DENY, HSTS, strict-origin referrer
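As an added example of the row-level security, deal room isolation and append-only audit trail listed above (SQL written for this page, not OilFlow's schema), the following defines a deal room membership table, policies that let a member read and post only in rooms they are a party to, and an audit table that accepts inserts but rejects any update or delete. The table names, the Supabase role authenticated, and the use of Supabase's auth.uid() helper for the current user are assumptions; the IP address is a documentation-range sample.

```sql
-- Added example: database-enforced isolation and an append-only audit trail.
-- Schema names, the 'authenticated' role and auth.uid() are assumptions
-- (auth.uid() is Supabase's helper returning the signed-in user's id).
CREATE TABLE deal_rooms (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    created_at timestamptz NOT NULL DEFAULT now()
);

-- One row per (deal room, member) pair; membership is the access decision.
CREATE TABLE deal_room_parties (
    room_id   uuid NOT NULL REFERENCES deal_rooms(id),
    member_id uuid NOT NULL,            -- matches auth.users.id
    PRIMARY KEY (room_id, member_id)
);

CREATE TABLE deal_messages (
    id        bigserial PRIMARY KEY,
    room_id   uuid NOT NULL REFERENCES deal_rooms(id),
    author_id uuid NOT NULL,
    body      text NOT NULL,
    sent_at   timestamptz NOT NULL DEFAULT now()
);

-- Policies are evaluated inside the database, so an application bug that
-- forgets the membership check still cannot read another party's room.
ALTER TABLE deal_room_parties ENABLE ROW LEVEL SECURITY;
ALTER TABLE deal_messages     ENABLE ROW LEVEL SECURITY;

-- A member sees only their own membership rows.
CREATE POLICY parties_self ON deal_room_parties
    FOR SELECT USING (member_id = auth.uid());

-- Messages are visible only to parties of that room.
CREATE POLICY messages_by_party ON deal_messages
    FOR SELECT USING (
        EXISTS (SELECT 1 FROM deal_room_parties p
                WHERE p.room_id = deal_messages.room_id
                  AND p.member_id = auth.uid())
    );

-- Posting requires membership and an author_id equal to the caller.
CREATE POLICY messages_insert_by_party ON deal_messages
    FOR INSERT WITH CHECK (
        author_id = auth.uid()
        AND EXISTS (SELECT 1 FROM deal_room_parties p
                    WHERE p.room_id = deal_messages.room_id
                      AND p.member_id = auth.uid())
    );

-- Append-only audit trail: operator, action, target, client IP, time.
CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    operator_id uuid NOT NULL,
    action      text NOT NULL,
    target      text,
    client_ip   inet,
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- Defence in depth, layer 1: the application role cannot rewrite history.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO authenticated;

-- Layer 2: a trigger rejects modification even from a role that holds
-- the privilege, so a misapplied grant does not silently weaken the log.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% blocked)', TG_OP;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- Sample entry the application would write after a room read
-- (constructed values; 203.0.113.0/24 is a documentation range).
INSERT INTO audit_log (operator_id, action, target, client_ip)
VALUES (auth.uid(), 'deal_room.read', 'deal_rooms/<room-id>', inet '203.0.113.10');
```

The EXISTS subquery inside the message policies runs under the caller's own RLS, so it can only ever match the caller's membership rows; that is the property that makes "party membership verified before access" hold regardless of which code path issued the query.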

Verification Pipeline

Every member passes all 6 steps. No exceptions.

1. Sanctions Screening: OFAC SDN, UN, EU, UK lists. Any match = automatic rejection. Non-overridable.
2. Company Registration: Legal entity confirmed via international registries.
3. Asset Confirmation: Physical assets verified through independent sources.
4. Trade References: Two independent references contacted and verified.
5. Digital Footprint: Website, LinkedIn, and news presence evaluated.
6. Risk Assessment: Holistic analysis of all verification data combined.

Re-screened every 90 days. Any new flag triggers immediate suspension.

Data Handling & AI

All data anonymized before AI processing — names, emails, identifiers stripped

Zero retention by AI provider (Anthropic) — processed in memory, then discarded

Never used for model training — contractual guarantee via API terms

Every AI API call audit-logged — category, purpose, timestamp

We share (when required)

Company name with matched counterparties — after both verified
Names with sanctions screening — legal requirement
Billing info with Stripe — PCI DSS Level 1
Anonymized trade specs with AI — no identifiers

We never

Sell or license your data
Share data with competitors
Let AI train on your data
Trade against your deal information
Reveal company details before you confirm interest

Third-Party Processors

Service         Purpose                   Compliance
Supabase        Database & auth           SOC 2 Type II
Stripe          Payments                  PCI DSS Level 1
Anthropic       AI matching & analysis    Zero retention
Resend          Transactional email       DPA available
OpenSanctions   Sanctions screening       EU-based

Zero advertising cookies. Zero tracking pixels. Zero analytics scripts.

Incident Response

72-hour breach notification

Per GDPR Article 33. Affected members notified within 72 hours of confirmed breach.

Responsible disclosure

Report vulnerabilities to security@oilflow.us

Review cadence

Quarterly internal security review. Annual third-party assessment.

Your Controls

Export Your Data

Download everything we hold about you as a structured file.


Delete Your Account

Removed within 24 hours. Compliance records retained per law.

privacy@oilflow.us

Data Access Log

See every access — which system, what purpose, when.
