FinQub
Security & compliance

Architected for compliance from day one.

Hash-chained audit trails, regulatory framework tagging, jurisdiction-aware routing, and the full security posture a regulated fintech needs from its orchestration layer. We share everything during evaluation — not just marketing badges.

See the controls ↓

What is a tamper-evident audit trail?

A tamper-evident audit trail is a cryptographically linked sequence of events where each entry includes the SHA-256 hash of the previous entry. Modifying any historical record produces a different hash, breaking the chain for every subsequent record. In fintech, regulators increasingly expect this property for KYC, KYB, AML, and payment evidence. Traditional database logs cannot satisfy this requirement because access controls are procedural, not mathematical.

Why traditional database logs are not enough

A Postgres audit table with write-only permissions is not tamper-evident. A database administrator with root access can modify any row, and the audit trail cannot prove it. Access controls are procedural. Regulators increasingly require mathematical evidence that a record has not been altered since it was written. This is the distinction codified in FDA 21 CFR Part 11, SEC Rule 17a-4 (post-2022 amendments), EU AMLD6, and the EU AI Act's post-market monitoring obligations.

How FinQub's hash chain works

Every audit event in FinQub is individually hashed using SHA-256 and includes the hash of the preceding event. The chain looks like this:

event_0: { id, timestamp, workflow_id, action, payload, prev_hash: null, hash: H(event_0_body) }
event_1: { id, timestamp, workflow_id, action, payload, prev_hash: H(event_0), hash: H(event_1_body + H(event_0)) }
event_2: { id, timestamp, workflow_id, action, payload, prev_hash: H(event_1), hash: H(event_2_body + H(event_1)) }
...

If any historical event is modified, the recomputed hash will not match what was stored, and the chain breaks at that point. Every subsequent event also fails verification. An auditor runs a single verification pass over the chain to prove integrity.

Per-framework tagging for examiner-ready exports

FinQub tags every audit event with the regulatory frameworks it is evidence for. A single KYB decision can simultaneously satisfy evidence requirements for AMLD6, SOC 2 CC7, and a sponsor bank's BSA program. The export format is structured for the auditor:

  • Filter by framework (AMLD6, BSA/AML, SOC 2 Type II, PCI DSS, DORA, CFPB 1033, GDPR)
  • Filter by time window and optionally by workflow, vendor, or decision outcome
  • Export as signed JSON or signed PDF, both carrying the chain-verification metadata
  • Chain-verification CLI auditors can run offline against the exported file to confirm integrity

What you hand to a regulator during an exam

When an examiner arrives and asks for evidence on a specific decision, the workflow is: filter by the decision, export the signed bundle, hand it over. The bundle contains the full event chain, the policy configuration active at the time (hashed into the chain so swapping policies retroactively breaks signatures), every vendor response, every operator action, and the verification CLI. No manual reconstruction. No ShareFile folder. No screenshots.

How this differs from trading-focused audit products

Cryptographic audit systems exist today in algorithmic trading (VeritasChain Protocol, MiFID II RTS 25) and healthcare (FDA 21 CFR Part 11 implementations). FinQub applies the same cryptographic primitives to the fintech compliance stack: KYC, KYB, AML, payments, and vendor decisioning. The framework tagging, jurisdiction routing, and vendor-call capture are what make the chain usable by a fintech compliance officer rather than a quant or a GMP auditor.

Certifications & attestations

We're transparent about our current state. No theater, no overstated badges.

SOC 2 Type I

In progress

Design of controls being evaluated by a third-party auditor. Certification timeline and current control environment documentation shared under NDA during evaluation.

SOC 2 Type II

Planned

Operating effectiveness of controls over a 6-month period. Begins after Type I completes; target timeline shared during evaluation.

PCI DSS (SAQ-A scope)

In progress

PCI scope is restricted to payment card tokenization flows. Scope attestation available during evaluation.

GDPR / UK GDPR DPA

Available

Data Processing Agreement including standard contractual clauses (SCCs) available on request for EU / UK customers.

DORA ICT third-party risk

Assessment package available

ICT third-party risk assessment artifacts available for EU-regulated clients subject to DORA (effective Jan 2025).

Controls built into the platform

Not bolted on afterward. Designed into the orchestration engine from the first commit.

Data residency by jurisdiction

EU data stays in EU regions, UK in UK, US in US. Jurisdiction routing is configurable per workflow and enforced in infrastructure — not a policy promise.

Encryption in transit & at rest

TLS 1.2+ on every request. AES-256 at rest via AWS KMS. Customer-managed keys (BYOK) available on the Enterprise tier for regulated clients.

Role-based access control (6 roles)

Granular permissions across admin, developer, compliance, analyst, auditor, and viewer roles. Every access event logged to the audit trail.

PCI-scoped token vault

Payment card data flows through a PCI-scoped vault isolated from the main platform. Tokens are returned to workflows; raw PAN never leaves the vault.

Hash-chained audit trails

Every vendor call, every decision, every data transformation is logged to an append-only, hash-chained record. Tamper-evident. Exportable by regulatory framework, jurisdiction, workflow, or time range.

Incident response & breach notification

Documented incident response runbook. Breach notification SLA of 72 hours (GDPR-aligned). Security contact: security@finqub.io.

Regulatory frameworks supported

FinQub tags every audit record with the applicable regulatory context so evidence is queryable by framework at exam time.

Data protection

GDPRUK GDPRCCPA / CPRALGPD (Brazil)PDPA (Singapore)

Financial crime

BSA / AML (FinCEN)OFAC sanctions screeningEU AMLD5 / AMLD6FINTRAC (Canada)

Payment services

PCI DSSPSD2 / PSD3 (EU)State money transmitter regs (US)

Operational resilience

DORA (EU, effective Jan 2025)SOC 2ISO 27001 (planned)

Sector-specific

OCC / FDIC (US banks)FCA SYSC (UK)BaFin (Germany)MAS (Singapore)

FinQub provides compliance evidence infrastructure — audit trail generation, regulatory metadata tagging, and framework-specific reporting. FinQub does not make compliance determinations. Compliance assessment remains the responsibility of the client, their auditors, and their regulators.

Vendor due diligence package

Everything your compliance team needs, in one packet.

Sent proactively during evaluation. We'd rather your compliance team get the full picture up front than chase documents for four weeks.

  • SOC 2 Type I audit status, scope, and target completion timeline
  • Information security questionnaire responses
  • Data Processing Agreement (DPA) with GDPR SCCs
  • Sub-processor list (our 32+ integrated vendors)
  • Penetration test results (most recent, under NDA)
  • DORA ICT third-party risk assessment artifacts
  • Architecture & controls overview for non-technical examiners
  • Right-to-audit clause proposal
  • Incident notification & breach response runbook
  • Compliance control mapping by regulatory framework
security@finqub.io

Security & compliance FAQ