Trust & security
Built for counterparties that care about compliance.
Everything below is in production today. Written for compliance, legal, and security teams — not marketers. Questions? security@oilflow.us.
Evidence ledger
Controls and attestations at a glance
The scannable version of the vendor questionnaire below. Every value here traces to a full answer on this page.
Controls in production
Sanctions lists: OFAC SDN, OFAC Consolidated, UN, EU, UK HMT, Canadian SEMA, AU DFAT, Swiss SECO + PEP.
Attestation status
We do not claim SOC 2 Type II until the audit report exists. Full framing in the questionnaire answers below and the NDA-gated evidence pack.
Tamper-evident
Don't trust us. Verify us.
When an MLRO signs a defense pack, we bind it with a SHA-256 hash over the canonical evidence: the pack, the narrative, the decision basis, the counterparty, and the attestation. You do not have to take our word that nothing changed after signing. You can recompute the hash yourself.
How the check works
1. Sign-off computes a SHA-256 over the canonical JSON of the signed fields and stores it on the row.
2. GET /api/v1/defense/[id]/verify recomputes that hash from the live row and reports match or divergence.
3. For zero-trust verification, your examiner recomputes the SHA-256 from the raw fields, following the algorithm published verbatim in the verify route source. No trust in OilFlow required.
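The three steps above, worked through end to end as an added example. This is not OilFlow's verify route or its published canonicalization; the field names (pack, narrative, decision_basis, counterparty, attestation, sign_off_hash), the sorted-key no-whitespace canonical JSON, and the sample row are all assumptions made for illustration. What it does show is the property the page relies on: the hash is stable under key reordering of the same evidence, and any edit to a signed field after sign-off produces a divergence on recompute.

```typescript
import { createHash } from "node:crypto";

// Hypothetical shape of the signed fields; names are assumptions, not OilFlow's schema.
export interface SignedFields {
  pack: Record<string, unknown>;
  narrative: string;
  decision_basis: string;
  counterparty: string;
  attestation: string;
}

// A stored defense row: the signed fields plus the hash written at sign-off.
export interface DefenseRow extends SignedFields {
  id: string;
  sign_off_hash: string;
}

export interface VerifyResult {
  id: string;
  match: boolean;
  stored: string;
  recomputed: string;
}

// Assumed canonicalization: object keys sorted recursively, arrays kept in order,
// undefined members dropped, no whitespace. Deterministic bytes are what make the
// hash reproducible by a third party; OilFlow's published algorithm may differ.
export function canonicalize(value: unknown): string {
  if (value === null || typeof value !== "object") {
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  const obj = value as Record<string, unknown>;
  const keys = Object.keys(obj).filter((k) => obj[k] !== undefined).sort();
  return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k])).join(",") + "}";
}

// Step 1: the value sign-off would store on the row.
export function signOffHash(fields: SignedFields): string {
  return createHash("sha256").update(canonicalize(fields), "utf8").digest("hex");
}

// Step 2/3: recompute from the live row and compare with the stored hash.
export function verifyRow(row: DefenseRow): VerifyResult {
  const { id, sign_off_hash: stored, ...fields } = row;
  const recomputed = signOffHash(fields);
  return { id, match: stored === recomputed, stored, recomputed };
}

// Constructed sample data (not a real defense pack).
export const SAMPLE_FIELDS: SignedFields = {
  pack: { screened_lists: ["OFAC SDN", "EU"], hits: 0, screened_at: "2026-05-31T10:00:00Z" },
  narrative: "No sanctions exposure identified on counterparty or beneficial owners.",
  decision_basis: "FATF Rec 10 CDD completed; no adverse media.",
  counterparty: "Example Trading FZE",
  attestation: "MLRO sign-off: approved",
};

export const SAMPLE_ROW: DefenseRow = {
  id: "dp_0001",
  ...SAMPLE_FIELDS,
  sign_off_hash: signOffHash(SAMPLE_FIELDS),
};

// Same evidence with a post-signature edit to the narrative.
export const TAMPERED_ROW: DefenseRow = {
  ...SAMPLE_ROW,
  narrative: SAMPLE_ROW.narrative + " Minor clarification added later.",
};

console.log(verifyRow(SAMPLE_ROW).match, verifyRow(TAMPERED_ROW).match);
```

An examiner running this against an exported row only needs the raw field values and the canonicalization rule; the stored hash is a claim to be checked, not an input to trust.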
Honest status
The verify endpoint and the published canonicalization algorithm are live today (DEFENSE API scope). The full Defense Ledger, with the MLRO individual-accountability sign-off workflow (FCA SMCR / MAS), ships Q1 2027. We say what is live and what is roadmap.
Cross-regulator render formats from one evidence bundle: FinCEN SAR, FCA SYSC 18, FATF Rec 10, MAS Notice 626.
Vendor security questionnaire
SIG Lite + CAIQ + ISO 27001 answers, published in advance
The fastest procurement gate is one your vendor has already answered. Sixteen of the most-asked questions across SIG Lite, CAIQ, and ISO 27001 — answered honestly here, downloadable as a PDF for your security team.
The full vendor security pack — including this Q&A, our DPA template, and our incident response policy — is available as a single PDF via security@oilflow.us. Reply within one business day.
SIG Lite: Where is customer data hosted and is it encrypted at rest?
Customer data is hosted on Supabase (AWS us-east-1 + eu-west-1 for EU customers on request). Data at rest is encrypted via AES-256. Connections are TLS 1.2+ only. Service-role keys are stored in Vercel environment variables, never in source.
SIG Lite: Do you have a documented information security policy?
Yes. Our security operating model lives in /security and is updated when material practices change. All employees and contractors sign a confidentiality + acceptable-use agreement before access. We do not yet hold SOC 2 Type II — we will not claim it until the audit report exists.
SIG Lite: What is your data breach notification process?
Affected members are notified within 72 hours of confirmed detection, matching the EU GDPR standard globally. Materially-impacted incidents trigger a public postmortem. See the Incident Response section below.
SIG Lite: How do you handle data deletion / GDPR right-to-erasure?
Customer-initiated deletion is processed within 30 days. Soft-deletes (via deleted_at timestamps) are the default to preserve audit-log integrity; hard-deletion of identifiable PII is performed on request via security@oilflow.us. Audit logs retain only the redacted hash of deleted entity names for compliance traceability.
SIG Lite: Do you train AI models on customer data?
No. Our AI subprocessor (Anthropic) is configured with a zero-retention DPA — customer data sent to the API is not stored, logged, or used for model training. This is contractually enforced.
CAIQ: Is multi-tenant data isolated via row-level security (RLS)?
Yes. Every customer-facing table has Postgres RLS enabled with FORCE ROW LEVEL SECURITY. Service-role queries are restricted to server-side routes; the anon key only has scoped read access. Every /api/v1/* route runs through withApiGate which scopes by auth.memberId.
CAIQ: Do you support customer-managed encryption keys (CMEK)?
Not currently. We use platform-managed keys via Supabase + Vercel. CMEK is on the roadmap for enterprise customers but is not available today. We're transparent about this rather than waving the question away.
CAIQ: What is your backup and disaster-recovery RPO/RTO?
Database point-in-time recovery: 7 days (Supabase platform default). RPO: 5 minutes. RTO: 4 hours for full restoration. We do not currently maintain a multi-region active-active topology; cross-region failover is a manual DBA action.
CAIQ: Do you perform penetration testing?
Third-party penetration test scheduled for Q3 2026; engagement letter in progress with a CREST-accredited firm. Today we run a self-conducted security review (static analysis + manual review, last pass 2026-05-31). Annual third-party cadence will commence with the Q3 engagement. Report available under NDA after completion at security@oilflow.us.
CAIQ: Do you have a Bug Bounty or responsible disclosure program?
Yes. Researchers can submit findings to security@oilflow.us. We respond within 1 business day, fix valid criticals within 7 days, and publicly credit researchers on /security with their permission.
ISO 27001: Are access controls based on least-privilege?
Yes. Production access is restricted to the on-call operator (Rafae) via 2FA + SSH key. Application-level access is gated by Supabase RLS + the ADMIN_USER_IDS allowlist for operator routes. No shared accounts.
ISO 27001: Do you log audit events for access to customer data?
Yes. Every /api/v1/* call writes a row to api_request_log with route, scope, response status, member_id, IP, and user-agent. Every admin action writes to admin_audit_log. Customers can export their own audit trail via /api/v1/audit.
ISO 27001: What is your vendor / subprocessor onboarding process?
New subprocessors require a DPA on file, a documented data-handling justification, and 30-day advance notice to customers of material additions. Current subprocessor list is published on this page and updated when changes ship.
Custom: Where do you stand on SOC 2 Type II?
Not yet. We're operating as a pre-SOC-2 startup and will not claim the certification until the audit completes. We have implemented controls that map to the SOC 2 Trust Services Criteria (security, availability, confidentiality) and can walk through the gaps with your auditors. Honest signal beats unsupported claim.
Custom: Do you sign DPAs and BAAs?
DPA: yes, template available at /dpa or via legal@oilflow.us. BAA: not currently — OilFlow does not process PHI and is not a HIPAA-covered entity. Counterparty health data should not be sent to our screening endpoints.
Custom: How do you handle a regulator subpoena for customer data?
We notify the affected customer immediately unless legally prohibited (e.g. national-security order with a gag). We narrowly scope what we produce to what's compelled. Our government data-request policy is available from legal@oilflow.us.
Subprocessors
Who processes your data
Every third party below has a data processing agreement on file. Material changes trigger 30-day advance notice.
Full list with regions and change-notice subscription at /legal/sub-processors.
Incident response
Our 72-hour standard
We match the EU GDPR notification standard globally. Affected members are contacted within 72 hours of confirmed detection, and public postmortems are published for material incidents.
Legal posture
What we don't do
- Custody funds, issue LCs of record, or act as a bank.
- Arbitrate disputes (the SPA clause governs).
- Certify inspections (SGS / Intertek do).
- Underwrite insurance or act as an MSB.
- Use your data to train AI models. Ever.
- Give unreviewed legal advice — every draft ships with a counsel-review disclaimer.
Founder commitment
If we ever screen a counterparty without completing sanctions checks, the platform is broken.
— Rafae
Trust surfaces