Security
Bank-grade security from day one
BankOps is built to bank-grade security standards — Postgres RLS, hash-chained audit logs, WebAuthn passkeys, AES-GCM encryption, and more.
Standards & certifications
Authentication
Two-Factor Authentication
TOTP authenticator apps and WebAuthn passkeys (Face ID, fingerprint, hardware keys) supported. Required for admin roles.
Passkey Support
FIDO2 WebAuthn passkeys — biometric or hardware key login. No passwords to phish, no OTPs to intercept.
Breach Protection
Passwords checked against HaveIBeenPwned k-anonymity API at signup and reset. Account locked after configurable failed login threshold.
Data Protection
Postgres Row-Level Security
Every query is gated by RLS policies — even raw SQL cannot read another institution's data. FORCE ROW LEVEL SECURITY on all 40+ tenant-scoped tables.
Encrypted at Rest & in Transit
AES-GCM for secrets stored in the database. TLS 1.3 on every connection. TOTP secrets and recovery codes encrypted before storage.
Tenant Isolation
Complete data isolation per institution. Separate encryption keys per tenant. No cross-tenant data leakage possible at the database level.
Audit & Compliance
Tamper-evident Audit Trail
Every action is SHA-256 hash-chained to the previous. The chain is verified daily by a scheduled job. Any modification is detected.
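The hash-chain check described above, as an added example rather than BankOps code. The record layout (`event`, `prev_hash`, `hash`), the all-zero genesis value, the externally stored head hash and all function names are assumptions, and the sample events are constructed.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so equal events hash equally.
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()


def append(chain: list, event: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev, "hash": entry_hash(prev, event)})


def verify(chain: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if intact, else the index of the first inconsistent entry.

    expected_head is the last hash recorded outside the log store; without it,
    dropping the newest entries (or rewriting the whole tail) still verifies.
    A head mismatch is reported as len(chain).
    """
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev or row["hash"] != entry_hash(prev, row["event"]):
            return i
        prev = row["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return None


def sample_chain() -> list:
    # Constructed sample events, not real audit data.
    chain: list = []
    for event in (
        {"actor": "u-101", "action": "login", "ts": "2026-01-05T09:00:00Z"},
        {"actor": "u-101", "action": "loan.approve", "amount": 5000, "ts": "2026-01-05T09:02:10Z"},
        {"actor": "u-202", "action": "customer.update", "ts": "2026-01-05T09:05:41Z"},
    ):
        append(chain, event)
    return chain


if __name__ == "__main__":
    log = sample_chain()
    head = log[-1]["hash"]
    log[1]["event"]["amount"] = 50  # in-place edit of a stored event
    print("first bad entry:", verify(log, head))
    print("truncated log:", verify(sample_chain()[:-1], head))
```

Recomputing a tampered entry's own hash only moves the failure to the next entry. Detecting a truncated or fully rewritten tail depends on comparing against a head hash kept outside the log store.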
Sanctions Screening
Sanctions & PEP screening via OpenSanctions (OFAC / UN / EU). Weekly auto re-screening of all customers across all tenants.
Session Management
Active sessions tracked per device. One-click revocation for individual sessions or all devices. Automatic invalidation on password change.
SOC 2 Type II trajectory
BankOps is designed for SOC 2 readiness. The technical controls are in place — audit preparation begins Q3 2026.
Security whitepaper
Download our full security whitepaper covering our architecture, threat model, encryption schemes, audit chain design, and incident response process.