AltFiScore
Draft: These policies are drafts pending legal counsel review and finalization. Last revised: May 15, 2026.

Security

Effective Date: May 15, 2026 · Last Revised: May 15, 2026 · Version 1.0 (Draft)

Our security commitment

AltFiScore AI Inc. operates credit decisioning infrastructure for licensed lenders. Our customers and the consumers they serve trust us with sensitive financial information. This page describes the administrative, technical, and physical safeguards we maintain to protect that information.

1. Security Program Overview

Our information security program is designed in alignment with leading industry frameworks, including the NIST Cybersecurity Framework, ISO/IEC 27001, and the AICPA SOC 2 Trust Services Criteria. The program is overseen by AltFiScore leadership and reviewed at least annually.

2. Encryption

2.1 In Transit

  • All API endpoints require TLS 1.2 or higher. TLS 1.0 and 1.1 are disabled at the load balancer.
  • HSTS is enforced with a one-year max-age on all public-facing domains.
  • Internal service-to-service traffic uses mutual TLS where appropriate.

2.2 At Rest

  • All persistent storage (databases, object storage, snapshots, backups) is encrypted with AES-256.
  • Personally identifiable information fields (SSN, DOB, address) are subject to additional application-layer encryption with keys managed via a dedicated key management service.
  • API key secrets are never stored — only SHA-256 hashes. The full key is shown once at creation and cannot be recovered.
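The hash-only storage described above, as an added example that is not AltFiScore's own code: the plaintext is returned once at creation, only a SHA-256 digest is persisted, and verification uses a constant-time comparison. The `afs_<prefix>_<secret>` format, the in-memory `KEY_STORE` and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-in for the credentials table. Only the SHA-256
# hash is kept, plus a non-secret prefix used to find the row. Layout is assumed.
KEY_STORE = {}


def create_api_key(tenant_id: str) -> str:
    """Mint a key, persist only its hash, and return the plaintext exactly once."""
    # 32 random bytes of entropy: an unsalted fast hash is acceptable here because
    # the input is unguessable, unlike a human-chosen password.
    secret = secrets.token_urlsafe(32)
    prefix = secrets.token_hex(4)  # assumed format: afs_<prefix>_<secret>
    plaintext = f"afs_{prefix}_{secret}"
    KEY_STORE[prefix] = {
        "tenant_id": tenant_id,
        "sha256": hashlib.sha256(plaintext.encode()).hexdigest(),
        "revoked": False,
    }
    return plaintext  # displayed to the customer once; never stored or logged


def verify_api_key(presented: str) -> Optional[str]:
    """Return the owning tenant_id for a valid, unrevoked key, else None."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != "afs":
        return None
    record = KEY_STORE.get(parts[1])
    if record is None or record["revoked"]:
        return None
    digest = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison so response timing does not leak hash prefixes.
    if not hmac.compare_digest(digest, record["sha256"]):
        return None
    return record["tenant_id"]


def revoke_api_key(prefix: str) -> bool:
    """Revocation needs only the public prefix; the secret is never needed again."""
    record = KEY_STORE.get(prefix)
    if record is None:
        return False
    record["revoked"] = True
    return True
```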

3. Access Controls

  • Least privilege: production access is restricted to engineering staff with a documented need, reviewed quarterly.
  • Multi-factor authentication: required for all administrative access to production systems, including code repositories, cloud consoles, and the lender portal admin surface.
  • Tenant isolation: customer data is logically isolated at the database row level via tenant identifiers enforced in every query path. We have automated tests verifying no cross-tenant data exposure.
  • Audit logging: all administrative actions, API requests, and access events are logged with sufficient detail to support forensic investigation. Logs are protected against tampering and retained per our data retention schedule.
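Row-level tenant isolation with a cross-tenant check, as an added example that is not AltFiScore's own code: every query path goes through a repository bound to one `tenant_id`, and the check confirms a second tenant cannot read the first tenant's row. The SQLite schema, table and column names, and the `TenantScopedRepo` class are assumptions for illustration.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed schema standing in for a multi-tenant table; names are assumed.
SCHEMA = ("CREATE TABLE applications (id INTEGER PRIMARY KEY, "
          "tenant_id TEXT NOT NULL, applicant TEXT NOT NULL, score INTEGER)")


class TenantScopedRepo:
    """All data access is bound to one tenant_id at construction time; no
    method accepts a row id without that scope, so callers cannot forget it."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self.conn, self.tenant_id = conn, tenant_id

    def insert(self, applicant: str, score: int) -> int:
        cur = self.conn.execute(
            "INSERT INTO applications (tenant_id, applicant, score) VALUES (?, ?, ?)",
            (self.tenant_id, applicant, score),
        )
        return cur.lastrowid

    def get(self, app_id: int) -> Optional[Tuple]:
        # tenant_id is part of the WHERE clause on every path; a wrong tenant
        # gets "not found", which also avoids confirming that the id exists.
        return self.conn.execute(
            "SELECT id, applicant, score FROM applications WHERE id = ? AND tenant_id = ?",
            (app_id, self.tenant_id),
        ).fetchone()

    def count(self) -> int:
        return self.conn.execute(
            "SELECT COUNT(*) FROM applications WHERE tenant_id = ?", (self.tenant_id,)
        ).fetchone()[0]


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def cross_tenant_check(conn: sqlite3.Connection) -> bool:
    """The automated check the policy describes: tenant B must not see A's row."""
    a, b = TenantScopedRepo(conn, "lender-a"), TenantScopedRepo(conn, "lender-b")
    a_id = a.insert("Alice Applicant", 710)
    b.insert("Bob Applicant", 640)
    return a.get(a_id) is not None and b.get(a_id) is None and b.count() == 1
```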

4. Network and Infrastructure Security

  • Segmentation: production, staging, and development environments are network-isolated with no shared credentials.
  • Defense in depth: edge protection (WAF, rate limiting, DDoS mitigation), perimeter firewalls, host-level firewalls, and application-layer authentication.
  • Vulnerability management: continuous scanning of infrastructure and application dependencies. Critical vulnerabilities are patched within defined SLAs based on severity.
  • Secrets management: no secrets in source code or container images. All secrets are retrieved at runtime from a managed secrets store.

5. Application Security

  • Secure SDLC: peer code review required for all changes. Automated static analysis on every pull request.
  • Dependency hygiene: third-party libraries are inventoried and scanned daily for known vulnerabilities.
  • Input validation: strict typing and schema validation on all API inputs.
  • Output encoding: contextual output encoding to prevent injection attacks.
  • PII redaction in logs: PII fields are programmatically redacted before request bodies are persisted to API logs. Internal logs never expose raw SSN, DOB, or full account numbers.
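Redaction of a request body before it is written to an API log, as an added example that is not AltFiScore's own code: SSN and DOB fields are replaced wholesale, account numbers keep only their last four digits, and SSN-shaped strings in free text are masked as a second line of defence. The field names, the `api_log_entry` function and the sample request are assumptions constructed for illustration.

```python
import json
import re

# Field names treated as PII wherever they appear in a body. These names are
# assumed; a real deployment would derive them from the request schema.
REDACT_FULL = {"ssn", "social_security_number", "dob", "date_of_birth"}
REDACT_LAST4 = {"account_number"}  # keep last four so support can correlate
# Defence in depth: an SSN-shaped string inside any free-text field is masked too.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redact_pii(body, key=""):
    """Return a redacted deep copy of a decoded JSON body; the input is untouched."""
    k = key.lower()
    if k in REDACT_FULL:
        return "[REDACTED]"  # whatever the value type, even a nested object
    if isinstance(body, dict):
        return {child: redact_pii(value, child) for child, value in body.items()}
    if isinstance(body, list):
        return [redact_pii(item, key) for item in body]
    if k in REDACT_LAST4 and body is not None:
        digits = str(body)  # handles account numbers sent as integers too
        return "*" * max(len(digits) - 4, 0) + digits[-4:]
    if isinstance(body, str):
        return SSN_RE.sub("[REDACTED-SSN]", body)
    return body  # numbers, booleans, None pass through


def api_log_entry(request_id: str, body) -> str:
    """What gets persisted to the API log: the redacted body, never the raw one."""
    return json.dumps({"request_id": request_id, "body": redact_pii(body)},
                      separators=(",", ":"))


# Constructed sample request for demonstration; all values are made up.
SAMPLE_REQUEST = {
    "applicant": {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1990-04-01"},
    "bank_accounts": [{"account_number": "000123456789", "bank": "Example Bank"}],
    "notes": "applicant read SSN 987-65-4321 over the phone",
}
```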

6. Data Protection

  • Data classification: information is classified by sensitivity (public, internal, confidential, restricted) with handling requirements appropriate to each class.
  • Backup and recovery: production databases are backed up with point-in-time recovery. Backups are encrypted and tested regularly.
  • Retention and disposal: data is retained per our published retention schedule and securely deleted when no longer needed. See our Privacy Policy.

7. Incident Response

AltFiScore maintains a documented incident response plan that defines roles, escalation paths, communication protocols, and post-incident review procedures. The plan is tested at least annually.

7.1 Notification

  • We notify affected Customers without undue delay after becoming aware of a personal data breach that materially affects their data.
  • For EU/UK incidents, we provide Customers with the information needed for their own regulatory notifications (typically within 72 hours per GDPR Art. 33).
  • US state breach-notification laws are honored where applicable.

7.2 Reporting

Security researchers and Customers who believe they have identified a vulnerability or active incident should email legal@altfiscore.com with details. We commit to acknowledging reports within two business days and working in good faith with reporters following responsible-disclosure norms.

8. Vendor and Sub-Processor Management

  • All vendors with access to Customer data undergo security and privacy due diligence prior to engagement.
  • Sub-processors are bound by data-protection agreements that flow down our obligations to Customers and Consumers.
  • A current list of sub-processors is maintained and available to Customers under NDA.

9. Business Continuity

AltFiScore maintains a business continuity and disaster recovery plan designed to restore Services in the event of a major outage. Recovery time objectives (RTO) and recovery point objectives (RPO) are documented and reviewed at least annually.

10. Certifications and Audits

AltFiScore maintains the following:

  • SOC 2 Type II: annual independent audit covering security, availability, and confidentiality criteria.
  • GLBA Safeguards Rule: our security program addresses the requirements that apply to financial-services data processors (16 CFR Part 314).
  • HIPAA: Not applicable. AltFiScore does not handle protected health information.
  • PCI DSS: Not applicable. AltFiScore does not store, process, or transmit payment card numbers.

Audit reports are available to qualified Customers under a mutual non-disclosure agreement. Contact legal@altfiscore.com.

11. Personnel Security

  • All employees and contractors with access to production systems undergo background screening to the extent permitted by applicable law.
  • All personnel complete security awareness training upon onboarding and annually thereafter.
  • Access is revoked immediately upon termination of employment or contracting engagement.
  • All personnel are bound by written confidentiality obligations.

12. Customer Responsibilities

Security is a shared responsibility. As a Customer, you are responsible for:

  • Protecting your API keys and account credentials. Never embed live keys in client-side code or commit them to version control.
  • Maintaining MFA on your lender portal account and on any administrative tools that access AltFiScore.
  • Rotating production API keys at recommended intervals (every 90 days) and immediately upon any suspected compromise.
  • Reviewing your API Logs in the lender portal and investigating any unexpected activity.
  • Ensuring your own production environment is secured to a standard appropriate for the financial data you handle.

13. Contact

AltFiScore AI Inc.

Security & vulnerability disclosure: legal@altfiscore.com