Compliance & certifications
SpendArc is built to the highest security and compliance standards in fintech. We maintain the certifications your security team requires.
Certifications
[CUSTOMISE: primary framework]
Designed to support [CUSTOMISE: your compliance commitments, e.g. SOC 2 Type II]. [CUSTOMISE: describe your audit cadence and auditor once certified].
[CUSTOMISE: payments framework]
Designed to support [CUSTOMISE: your payments compliance posture, e.g. PCI DSS]. [CUSTOMISE: describe assessor and level once certified].
[CUSTOMISE: ISMS framework]
Designed to support certification against [CUSTOMISE: your target ISMS standard, e.g. ISO/IEC 27001:2022]. Continuous improvement cycle with annual surveillance audits once certified.
[CUSTOMISE: public-sector framework]
Designed to support [CUSTOMISE: your public-sector compliance posture, if applicable].
Regulatory frameworks
GDPR
Includes patterns for data minimisation, purpose limitation, right to erasure, data portability, and data processing agreements (DPAs). EU data is processed in [CUSTOMISE: your EU region].
CCPA / CPRA
[CUSTOMISE: describe your California consumer privacy rights handling — access, deletion, opt-out of sale/sharing — and any annual CPRA assessment cadence].
Bank Secrecy Act / AML
[CUSTOMISE: describe your AML programme posture. SAR filing requires registered MSB status with FinCEN; only assert KYB / transaction monitoring / OFAC sanctions screening capabilities you genuinely operate.]
State money transmitter
[CUSTOMISE: your US money-transmitter licensure posture, e.g. list the states where you hold a money transmission licence, or describe your exemption basis if applicable.]
Data & security controls
Encryption at rest
AES-256 for all data. Cardholder data uses HSM-backed tokenisation.
Encryption in transit
TLS 1.3 for all connections. Certificate pinning on mobile apps.
Access control
Role-based access with least privilege. MFA required for all employees.
Audit logging
Immutable audit trail for all data access. 7-year retention.
Pen testing
Regular external penetration tests by independent researchers. Bug bounty programme.
Incident response
24/7 on-call. [CUSTOMISE: your acknowledgement and resolution SLAs for critical incidents].
Data residency
[CUSTOMISE: your primary cloud provider and regions]. EU option available for GDPR.
Business continuity
Multi-region failover. [CUSTOMISE: your RTO and RPO targets]. Annual DR tests.