Security at SpendArc
We treat the protection of your financial data as a top priority. Our controls are designed to support [CUSTOMISE: your target frameworks]. Security is not a feature — it's our foundation.
Certifications & compliance
[CUSTOMISE: primary framework]
Designed to support [CUSTOMISE: your compliance commitments, e.g. SOC 2 Type II]. [CUSTOMISE: describe your audit cadence and auditor once certified].
[CUSTOMISE: payments framework]
Designed to support [CUSTOMISE: your payments compliance posture, e.g. PCI DSS]. [CUSTOMISE: describe assessor and level once certified].
[CUSTOMISE: ISMS framework]
Our information security management system (ISMS) is designed to support certification against [CUSTOMISE: your target standard, e.g. ISO/IEC 27001:2022].
[CUSTOMISE: public-sector framework]
Our infrastructure is designed to support [CUSTOMISE: your public-sector compliance posture, if applicable].
Technical controls
Encryption
AES-256 at rest. TLS 1.3 in transit. All cardholder data is tokenised using Vault-backed HSMs.
Zero-trust network
Every internal service call is mutually authenticated with mTLS. No service trusts another by default.
Infrastructure
Multi-region deployment on [CUSTOMISE: your primary cloud provider and regions]. [CUSTOMISE: your uptime SLA, RTO and RPO targets].
Pen testing
Regular penetration tests by independent third-party researchers. Reports available under NDA.
Responsible disclosure
Found a vulnerability? We appreciate responsible disclosure and offer a bug bounty programme for verified findings. Please contact security@[CUSTOMISE: yourdomain.com] with full details. We commit to [CUSTOMISE: your acknowledgement and critical-issue resolution SLAs].