Clearfin LLC (the “house”) operates a clearing service that handles sensitive operator and cardholder information. This page sets out how we approach security, the controls we keep in place, and how we coordinate with our processing partners and regulators. It is intended to give operators on the books, prospective operators, and their auditors a structured picture of the program.
§ 1. Card data and PCI DSS
Card data is presented within a PCI DSS Level 1 certified environment operated by our processing partners. Primary account numbers (PANs) are not stored on the house's infrastructure and are not visible to the application code. Our integration is arranged so that PAN data flows directly between the cardholder instrument (browser, application, or terminal) and the processor through validated tokenisation libraries. Where we hold a pointer to a payment method, that pointer is a processor-issued token.
§ 2. Encryption
- In transit. All public traffic is served over TLS 1.2 or higher with modern cipher suites. Service-to-service traffic is encrypted within our cloud provider's isolated network and uses mutual TLS where supported.
- At rest. Application databases, object storage, and backups are encrypted with AES-256 using provider-managed keys. Sensitive fields, including the government identifiers collected during know-your-customer review, are encrypted at the application layer in addition to the storage layer.
- Secrets. Credentials and API keys are stored in a managed secrets service with audited access and per-environment scoping. Tokens follow a least-privilege model and are rotated on a schedule.
§ 3. Identity, access, and key management
- Single sign-on with required multi-factor authentication for every member of staff who touches a production system.
- Role-based access control with quarterly access reviews. Production access is granted on a least-privilege basis and is auditable end-to-end.
- Hardware-backed authenticators are required for privileged operations. Personal long-lived credentials are not permitted.
§ 4. Monitoring and detection
- Centralised application, infrastructure, and audit logs with retention aligned to regulatory and card-network requirements.
- Real-time transaction monitoring with vertical-aware baselines and a structured case-management workflow for suspicious-activity escalation.
- Continuous OFAC, UN, EU, and HMT sanctions screening on principals and entities, with adverse-media monitoring and a re-screening cadence.
- Anomaly detection on authentication, application programming interface usage, and administrative actions, with paging integration to the on-call rotation.
§ 5. Vulnerability management
- Automated dependency scanning across application and infrastructure code with patch service-level agreements by severity.
- Static analysis on every pull request, with required code review and continuous-integration gating before merge to protected branches.
- Periodic third-party penetration testing of the platform and its public surfaces. Findings are tracked through to remediation in our risk register.
- Coordinated disclosure: security researchers may report vulnerabilities to info@clearfin.dev. We acknowledge reports within two business days and work cooperatively with reporters under a good-faith policy.
§ 6. Resilience and incident response
- Architected for high availability across multiple availability zones, with defined recovery-time and recovery-point objectives by tier.
- Documented incident-response runbooks, on-call rotations, and a post-incident review process; published review findings are shared with affected operators on the books.
- Backup and restore procedures tested on a recurring schedule. Settlement and ledger reconciliation are validated continuously.
§ 7. The compliance program
- SOC 2. The control plane is governed by a SOC 2 program currently underway. Reports will be available under non-disclosure on completion.
- PCI DSS. Scope is reduced through a PCI DSS Level 1 certified processing environment operated by our processing partners; we maintain SAQ-A-equivalent obligations and are aligned to the PCI DSS v4.0 requirements applicable to our role.
- NIST CSF 2.0. The internal control framework is structured against the NIST Cybersecurity Framework, with mappings maintained for cross-reference to other standards.
- Anti-money-laundering. Customer due-diligence aligned with FinCEN guidance and the operating rules of our acquiring partners.
§ 8. Data residency and processors
Personal information is processed in the United States. Where processors are involved — including identity-verification, sanctions-screening, transaction-monitoring, and cloud-infrastructure providers — we keep written agreements that include confidentiality, security, and breach-notification obligations consistent with applicable law.
§ 9. How to report a concern
Suspected security issue: info@clearfin.dev.
Compliance concern: info@clearfin.dev.
General correspondence: info@clearfin.dev.