Last updated: April 2026
Platform Security
How OilFlow protects your data, your deals, and your compliance posture.
Standards & Certifications
SOC 2 Type II
In progress
Auditor engagement Q3 2026 · gap analysis underway · report Q1 2027
CSA CAIQ v4
Self-attested
Published responses available on request to procurement teams
PCI DSS Level 1
Via Stripe
OilFlow never stores or processes card data
GDPR
Compliant
DPA published at /dpa; SCCs available for EU transfers
CCPA
Compliant
California privacy rights
Kenya DPA 2019
Compliant
East Africa operations
AML / KYC
Enforced
7-step verification pipeline
OFAC / UN / EU / UK / CA / AU / CH
Active screening
8 source lists via 2 live integrations (OpenSanctions aggregator + OFAC SDN/Consolidated XML direct) + PEP flagging
Posture · self-attested with audit roadmap
- SOC 2 Type II: auditor selection complete; gap analysis underway with 6-month observation window opening Q3 2026; Type II report Q1 2027. Pilot customers may request the gap analysis report under NDA.
- Third-party penetration test: scoped, scheduled with a Council-of-Registered-Ethical-Security-Testers (CREST)-accredited firm for Q3 2026. Letter of engagement available on request.
- Cyber liability insurance: in procurement for $5M / $10M aggregate. Certificate of insurance will be furnished to enterprise customers at contract execution.
- Bug bounty: coordinated vulnerability disclosure at
[email protected]with 90-day disclosure window. Formal HackerOne program scoped for post-Series-A.
Procurement deeper dive: see sub-processors, DPA, and the CSA CAIQ v4 response (request via [email protected]).
Infrastructure
Single database, single location — hosted on Supabase (AWS), which holds independent SOC 2 Type II certification
PGP symmetric encryption on sensitive fields (email, payment IDs, beneficial owners)
TLS 1.2+ on every connection — HSTS enforced with 1-year policy
Stateless application layer — processes requests, stores nothing
Row-level security — database-enforced access isolation per member
Access Control
Row-level security policies on all database tables
Server-side session verification on every request
Deal room isolation — party membership verified before access
Append-only audit trail with operator ID and timestamp
Security headers: CSP, X-Frame-Options DENY, HSTS, strict-origin referrer
Verification Pipeline
Every member passes all 7 steps. No exceptions.
Re-screened every 90 days. Any new flag triggers immediate suspension.
Data Handling & AI
Zero retention by AI provider — processed in memory, then discarded
Never used for model training — contractual guarantee via API terms
We share (when required)
We never
Third-Party Processors
| Service | Purpose | Compliance |
|---|---|---|
| Supabase | Database & auth | SOC 2 Type II |
| Stripe | Payments | PCI DSS Level 1 |
| Anthropic | AI services | Zero retention; Claude for Startups (2026) |
| Resend | Transactional email | DPA available |
| OpenSanctions | Sanctions screening | EU-based |
Zero advertising cookies. Zero tracking pixels. Zero analytics scripts.
Incident Response
72-hour breach notification
Per GDPR Article 33. Affected members notified within 72 hours of confirmed breach.
Responsible disclosure
Report vulnerabilities to [email protected]
Review cadence
Internal security reviews conducted as needed.