🔐 Trust Center

Built on trust.
Secured by design.

Fortress Gold Inc. DBA Sqoot upholds the highest standards for security and compliance — protecting every customer, every gram, and every transaction on our platform.

AML / KYC · GDPR Ready · CCPA Ready · SOC 2 Platform Vendors · JBT Registered

Overview
How Sqoot protects your gold and your data
πŸ—οΈ

AWS Infrastructure

Built entirely on Amazon Web Services — the fintech industry standard with 600+ compliance certifications, VPC isolation, and AES-256 encryption.

Compliance

Full AML/KYC program for all accounts. GDPR and CCPA ready. All platform vendors are SOC 2 Type 2 certified. Security program built around recognized compliance frameworks.

Data Protection

AES-256 at rest, TLS 1.2+ in transit. Access to customer data is limited to authorized personnel only with full audit logging.

Financial Security

Payments via regulated ACH bank transfer. Bank verification through compliant financial infrastructure. Raw banking credentials are never stored by Sqoot. No cryptocurrency or card payments accepted.

People & Process

Background checks for all employees, mandatory annual security training, endpoint encryption, MFA enforced across all internal systems.

Incident Response

24/7 engineering on-call coverage, documented incident response process, and rapid escalation protocols with customer communication standards.

Data Collected

✓ Customer personally identifiable information (PII)
✓ Financial account data — via Plaid (read-only, never stored raw)
✓ Payment initiation data — via Plaid ACH, never stored raw by Sqoot
✓ Transaction history and KYC/AML verification data
✗ Raw card numbers or banking credentials
✗ Personal health information

Questions about our security or compliance posture? Reach our team directly.

compliance@sqoot.us

Security Controls
Detailed breakdown of our security practices

Infrastructure Security

AWS Hosting
Sqoot is hosted entirely on Amazon Web Services — the industry standard for fintech, with 600+ compliance certifications.
Virtual Private Cloud
All servers run within a dedicated VPC with network ACLs restricting access to authorized systems only.
Auto Scaling
Infrastructure auto-scales to maintain high availability during demand spikes without service disruption.
Backups & Monitoring
Automated daily backups. All activity is logged and monitored with real-time alerting for anomalous behavior.
DoS Protection
AWS Shield provides protection against DDoS attacks at the network and application layers.
Disaster Recovery
Infrastructure and data spread across multiple AWS availability zones with automated failover.
Least Privilege
AWS IAM roles scoped to minimum required permissions, reviewed and audited regularly.
Network Segmentation
Sensitive systems isolated from general access through strict network segmentation.
Real-Time Monitoring
Endpoint monitoring agents deployed across all production infrastructure with threat detection and alerting.

Organizational Security

Background Checks
All new employees undergo background checks prior to start date in accordance with applicable law.
Employee Confidentiality
All employee contracts include confidentiality and non-disclosure agreements covering customer data and proprietary information.
Endpoint Encryption
All corporate devices encrypted. Can be remotely wiped in the event of loss or theft.
Endpoint Protection
Corporate devices configured with EPP software with active threat detection and managed software updates.
Security Training
All employees complete mandatory annual security awareness training. Higher-risk roles receive additional specialized training.
Zero Trust & MFA
Zero trust model enforced — no user or system trusted by default. MFA required across all internal systems and tools.

Product Security

Encryption in Transit
All data encrypted using TLS 1.2 or higher. HTTPS enforced across all endpoints.
Encryption at Rest
All stored data encrypted using AES-256, the industry-standard encryption algorithm.
Multi-Tenancy
Strict data isolation ensures one customer's data can never be accessed within another customer's account.
Password Security
Strong password policies enforced. Credentials stored using PBKDF hashing — never in plain text.
Role-Based Access
Granular permission levels allow customers to configure team access controls within their Sqoot account.
Anti-Abuse
Sign-ups and account activity assessed for fraud signals. High-risk actions flagged or blocked automatically.
Penetration Testing
Third-party security experts perform annual penetration tests on Sqoot's infrastructure and application.
Data Portability
Customers can request a full export of their data at any time in compliance with GDPR.
Data Retention
Customer data deleted within 30 days of account deletion. Financial/KYC records retained as required by law.

Internal Security Procedures

Code Review
Every pull request undergoes mandatory peer review before merging to production. Security-sensitive changes require additional sign-off.
Incident Response
Documented incident response process covering detection, escalation, containment, and customer communication.
On-Call Coverage
Engineering on-call 24/7 with defined escalation paths to security and leadership.
Security Policies
Comprehensive internal security policies covering all aspects of data handling and access, reviewed annually.
Vendor Risk
All third-party vendors formally assessed before onboarding. Financial data processors required to hold SOC 2 and PCI compliance.

Data & Privacy

Encryption at Rest
All customer data encrypted at rest using AES-256.
Privacy Policy
Full privacy policy available at getsqoot.com/privacy.
Employee Access
Access to customer data limited to authorized employees. All access logged and audited.
Data Hosting
All data hosted on AWS in the United States (us-east-1). EU hosting available upon request.
Data Deletion
Non-required data deleted within 30 days of a verified deletion request. Financial/KYC records retained per regulatory requirements.

Compliance

Security Framework
Sqoot's security program is built around recognized frameworks including encryption, access controls, audit logging, and vendor due diligence. External security reviews conducted periodically.
Payment Security
Payments processed via regulated ACH bank transfer. No card numbers stored. Bank connectivity uses read-only verified infrastructure. Sqoot never stores raw banking credentials.
SOC 2 Platforms
Sqoot exclusively uses SOC 2 Type 2 certified platform vendors. All third-party processors are required to maintain current compliance certification.
GDPR
Compliant with EU General Data Protection Regulation. Data Processing Addendum (DPA) available upon request.
CCPA
Compliant with California Consumer Privacy Act. Requests may be submitted to compliance@sqoot.us.
KYC / AML
Identity verification and anti-money laundering compliance required for all users in accordance with applicable financial regulations.
Annual Auditing
External security audits conducted annually to verify ongoing compliance with certified frameworks.
Subprocessors
The following third-party services process customer data on Sqoot's behalf. All financial processors are required to maintain SOC 2 and PCI compliance.

Amazon Web Services, Inc.
Cloud infrastructure hosting, storage, and data processing · aws.amazon.com
🇺🇸 USA

Plaid Inc.
Bank account verification, connectivity, and ACH payment infrastructure · Read-only bank connectivity, credentials never stored by Sqoot · plaid.com
🇺🇸 USA

Intercom, Inc.
Customer support and messaging platform · SOC 2, ISO 27001, HIPAA certified · intercom.com
🇺🇸 USA / 🇪🇺 EU

Slack Technologies, LLC
Internal team communications · SOC 2 certified · slack.com
🇺🇸 USA

Supabase, Inc.
Database, authentication, and edge function infrastructure · Customer PII and transaction data stored here · SOC 2 Type 2 certified · supabase.com
🇺🇸 USA (us-east-1)

Cloudflare, Inc.
CDN, DDoS protection, DNS, and static site hosting · SOC 2 Type 2, ISO 27001, PCI DSS certified · cloudflare.com
🇺🇸 USA / Global

Need a full subprocessor list for your vendor review or DPA?

Request via email: compliance@sqoot.us

Resources
Security and compliance documents available to current and prospective customers. Contact compliance@sqoot.us to request access.

Certifications

Security Program Overview
Summary of Sqoot's security controls, vendor policies, and compliance framework — available upon request
Subprocessor SOC 2 Reports
SOC 2 Type 2 reports for AWS, Supabase, Cloudflare, Plaid, Intercom — available upon request

Security Assessments

Penetration Test Report
Annual third-party pen test — available under NDA to qualified prospects

Terms & Policies

Privacy Policy
Sqoot's full privacy policy — publicly available at getsqoot.com/privacy
Terms of Service
Sqoot's terms of service — publicly available
Data Processing Addendum (DPA)
GDPR-compliant DPA — available upon request

Frequently Asked Questions
Common security and compliance questions
How do I report a security vulnerability?
Email compliance@sqoot.us with details. We take all reports seriously and respond within 48 hours. We request responsible disclosure and ask that findings not be published until we have investigated and remediated.

Where is Sqoot's data hosted?
Sqoot data is hosted on Amazon Web Services (AWS) in the United States (us-east-1). EU-region hosting is available upon request for customers requiring EU data residency.

What is Sqoot's SOC 2 status?
Sqoot exclusively uses SOC 2 Type 2 certified platform vendors (including AWS, Supabase, Cloudflare, Plaid, and Intercom) and requires SOC 2 compliance as a condition for all vendors handling customer data. Our internal security program is built around recognized compliance frameworks. Contact compliance@sqoot.us for documentation.

Does Sqoot store payment card data?
No. Sqoot does not accept or store payment card data — we use ACH bank transfer only. Bank connectivity uses read-only, verified infrastructure. Sqoot never stores raw banking credentials at any point in the transaction flow.

What compliance programs does Sqoot maintain?
Sqoot maintains a full AML/KYC compliance program as required for precious metals dealers. Our security program is built around recognized frameworks including encryption, access controls, audit logging, and vendor due diligence. All platform vendors are SOC 2 Type 2 certified. GDPR and CCPA rights are supported. Contact compliance@sqoot.us for details.

Is Sqoot GDPR compliant?
Yes. Sqoot complies with the EU General Data Protection Regulation. A Data Processing Addendum (DPA) is available upon request at compliance@sqoot.us.

Who are Sqoot's subprocessors?
Sqoot's active subprocessors include: Amazon Web Services (hosting), Supabase (database and auth), Cloudflare (CDN and edge), Plaid (bank connectivity), Intercom (customer support), and Slack (internal communications). All subprocessors are required to maintain SOC 2 Type 2 certification. Full subprocessor list available at compliance@sqoot.us.

How do I request deletion of my data?
Contact compliance@sqoot.us with your deletion request. Non-required data is purged within 30 days. Financial, KYC, and AML records are retained for the legally required period under applicable financial regulations.

Is Sqoot a data controller or a data processor?
Fortress Gold Inc. DBA Sqoot acts as a data processor for customer data you provide to us — you remain the data controller. Sqoot is a data controller for account and billing information related to your direct relationship with us. A full DPA is available upon request.

Have a question not answered here? Our compliance team is here to help.

compliance@sqoot.us

Security Updates
Latest security and compliance announcements from Sqoot
Compliance · April 2026
Migrated from Chatbase to Intercom
Sqoot has completed its migration from Chatbase to Intercom for all customer-facing support. Intercom holds SOC 2, ISO 27001, ISO 27018, ISO 27701, HIPAA, and AIUC-1 certifications — significantly strengthening our compliance and security posture for customer data.

Security · 2025
SOC 2 Vendor Policy Formalized
Sqoot has formalized its vendor security policy: all third-party platforms handling customer data are required to hold current SOC 2 Type 2 certification. This applies to all existing and future subprocessors — no exceptions.

Compliance · 2025
Security Program Formalized
Fortress Gold Inc. DBA Sqoot formalized its internal security program, establishing controls around encryption, access management, incident response, vendor due diligence, and AML/KYC compliance for all customer accounts.