
Built for counterparties that care about compliance.

Everything below is in production today. It is written for compliance, legal, and security teams, not marketers; full documentation and the processor table are at /trust. Questions? security@oilflow.us.

Sanctions coverage

OFAC, UN, EU, UK. 2M+ entities across all four lists. Automatic re-screening every 90 days.

Data handling

SOC 2 Type II infrastructure via Supabase. GDPR/CCPA-aligned data handling. AES-256 at rest, TLS 1.3 in transit. Our own SOC 2 attestation begins after the first 10 deals on-platform.

Zero-retention AI

Zero-retention AI processing. Your deal data never trains a model. Ever.

Audit trail

Every decision, signature, and contract version is logged. Member data available on written request.

Breach notification

72-hour incident notification commitment to affected members, in line with GDPR Article 33.

Self-healing infra

Every customer-facing service is health-monitored with automated recovery and operator alerting.

Who processes your data

Every third party below has a data processing agreement on file. Material changes trigger 30-day advance notice.

Processor (purpose): assurance

Supabase (database, auth, storage): SOC 2 Type II · EU + US regions

Stripe (invoicing, subscription billing): PCI DSS Level 1

Anthropic (AI services): zero-retention DPA · no training on data

Resend (transactional email): DPA · EU region

DocuSign (e-signature): SOC 1/2 · ISO 27001 · 27017 · 27018

OpenSanctions (sanctions data): EU-based · DPA

Sentry (error monitoring): SOC 2 · EU region available

Our 72-hour standard

We match the EU GDPR notification standard globally. Affected members are contacted within 72 hours of confirmed detection, and public postmortems are published for material incidents.

  1. Detect — automated monitoring + system health checks every 5 minutes.
  2. Contain — isolate affected systems; pause automation where necessary.
  3. Notify — affected members within 72 hours (EU GDPR standard).
  4. Postmortem — publish root-cause writeup for material events.

What we don't do

  • Custody funds, issue LCs of record, or act as a bank.
  • Arbitrate disputes (the SPA clause governs).
  • Certify inspections (SGS / Intertek do).
  • Underwrite insurance or act as an MSB.
  • Use your data to train AI models. Ever.
  • Give unreviewed legal advice — every draft ships with a counsel-review disclaimer.

Compliance or security question?

We respond to legal and security inquiries within 1 business day.