Security Posture

Security Built for Regulated Markets

EthicVault is designed to satisfy the most demanding regulatory and infosec requirements in financial services — not as an afterthought, but as the foundation.

⊘

Zero Custody

The Friction Gate operates entirely within your deployment boundary. Audit logs, policy rules, and execution records are stored in your infrastructure — EthicVault never has custody of your data.

⬡

Immutable Governance

Every governance decision is cryptographically signed at the moment of execution. No post-hoc alteration is possible — providing regulators with mathematically verifiable proof of compliance.

⧫

Deterministic by Design

The Friction Gate uses rule-based logic — not probabilistic ML models — to make governance decisions. The same input always produces the same output, making it auditable and explainable.

Compliance & Certifications

Regulatory Coverage

SOC 2 Type II

AICPA

Annual third-party audit of security, availability, and confidentiality controls.

Full report available to enterprise customers under NDA upon request.

ISO 27001

ISO/IEC

Certified information security management system covering all production systems.

Certificate covers the Resonance Engine infrastructure and all data pipelines.

GDPR

EU Regulation

Full compliance with Article 32 technical and organizational security measures.

Data Processing Agreements available for EU-based enterprise customers.

DORA

EU 2022/2554

Digital Operational Resilience Act compliance for financial sector ICT risk.

Designed for MiFID II and DORA Article 11 ICT risk management requirements.

Technical Controls

Security Architecture

Data Protection

AES-256 encryption at rest across all storage layers
TLS 1.3 in transit, enforced — no downgrade permitted
Customer data never used for model training or analytics
Tenant-isolated key management (BYOK supported)
Field-level encryption for audit log entries

Access & Identity

Zero-trust network architecture — no implicit trust
SSO with SAML 2.0 and OIDC for all enterprise accounts
Hardware MFA enforcement for privileged access
Role-based access control with least-privilege enforcement
Automated access reviews on a 90-day cycle

Resilience & Availability

99.99% uptime SLA with financial penalty clauses
Multi-region active-active deployment
Automated failover under 30 seconds
Annual penetration testing by Big 4 and specialist firms
Disaster recovery RTO < 4 hours, RPO < 1 hour

Audit & Transparency

Immutable cryptographic audit log — tamper-evident by design
Full SOC 2 reports available on request (NDA required)
Sub-processor list publicly maintained and updated quarterly
Examiner-ready regulatory export generated within 24 hours
Real-time SIEM integration via webhook or syslog

No data leaves your environment without your explicit authorization.

The Friction Gate operates entirely within your deployment boundary. Audit logs, policy rules, and execution records are stored in your infrastructure — EthicVault never has custody of your data.

Zero custody

Responsible Disclosure

If you believe you have discovered a security vulnerability in EthicVault systems, please disclose it responsibly. We commit to acknowledging valid reports within 48 hours and resolving critical issues within 14 days.

Report a Vulnerability