Trust

Security & Compliance

Effective May 15, 2026. For questions, contact info@clearfin.dev.

Clearfin LLC (“Clearfin”) operates a payments platform that processes sensitive merchant and consumer information. This page describes how we approach security, the controls we have in place, and how we coordinate with our processing partners and regulators. It is intended to give merchants, prospective customers, and their auditors a structured view of our program.

PCI DSS

Card data is processed within a PCI DSS Level 1 certified environment operated by our processing partners. Card primary account numbers (PANs) are not stored on our infrastructure and are not accessible to our application code. Our integration is structured so that PAN data flows directly between the cardholder's browser or terminal and the processor through validated tokenization libraries. Where we hold pointers to payment methods, those pointers are processor-issued tokens.

Encryption

  • In transit:All public traffic is served over TLS 1.2 or higher with modern cipher suites. Internal service-to-service traffic is encrypted within our infrastructure provider's isolated network and uses mutual TLS where supported.
  • At rest: Application databases, object storage, and backups are encrypted at rest using AES-256 with provider-managed keys. Sensitive fields, including government identifiers collected during KYC, are additionally encrypted at the application layer.
  • Secrets: Credentials and API keys are stored in a managed secrets service with audited access and per-environment scoping. Access tokens follow a least-privilege model and are rotated regularly.

Identity, access, and key management

  • Single sign-on with required multi-factor authentication for all internal staff accessing production systems.
  • Role-based access control with quarterly access reviews. Production access is granted on a least-privilege basis and is auditable end-to-end.
  • Hardware-backed authenticators are required for privileged operations. Personal long-lived credentials are not permitted.

Monitoring and detection

  • Centralized application, infrastructure, and audit logs with retention aligned to regulatory and card-network requirements.
  • Real-time AI-powered transaction monitoring with vertical-aware baselines and structured case management for suspicious-activity escalation.
  • Continuous OFAC, UN, EU, and HMT sanctions screening on principals and entities, with adverse-media monitoring and re-screening cadence.
  • Anomaly detection on authentication, API usage, and administrative actions, with paging integration into our on-call rotation.

Vulnerability management

  • Automated dependency scanning across application and infrastructure code with policies on patch SLA by severity.
  • Static analysis on every pull request, with required code review and CI gating before merge to protected branches.
  • Periodic third-party penetration testing of the platform and its public surfaces. Findings are tracked through remediation in our risk register.
  • Coordinated disclosure: security researchers may report vulnerabilities to info@clearfin.dev. We acknowledge reports within two business days and work cooperatively with reporters under a good-faith policy.

Resilience and incident response

  • Architected for high availability across multiple availability zones, with defined recovery-time and recovery-point objectives by tier.
  • Documented incident-response runbooks, on-call rotations, and post-incident review with published learnings to affected customers.
  • Backup and restore procedures tested on a recurring schedule. Settlement and ledger reconciliation are validated continuously.

Compliance program

  • SOC 2: Our control plane is governed by a SOC 2 program currently in progress. Reports will be available under NDA upon completion.
  • PCI DSS:The platform's scope is reduced through a PCI DSS Level 1 certified processing environment operated by our processing partners; we maintain SAQ-A-equivalent obligations and are aligned to PCI DSS v4.0 requirements applicable to our role.
  • NIST CSF 2.0: Our internal control framework is structured against the NIST Cybersecurity Framework, with mappings maintained for cross-reference to other standards.
  • AML / KYC / KYB: Customer due-diligence aligned with FinCEN guidance and the operating rules of our acquiring partners.

Data residency and processors

Personal information is processed in the United States. Where processors are involved — including identity-verification, sanctions-screening, transaction-monitoring, and cloud-infrastructure providers — we maintain written agreements that include confidentiality, security, and breach-notification obligations consistent with applicable law.

Reporting concerns

Suspected security issues: info@clearfin.dev.
Compliance concerns: info@clearfin.dev.
General support: info@clearfin.dev.