SECURITY ARCHITECTURE
Controls for mortgage NPI
The product is designed to minimize structured PII, encrypt source evidence, isolate tenants, and preserve an explainable access and decision record.
Encryption and minimization
- AES-256-GCM with random 96-bit nonces for sensitive fields and files.
- Context-bound authenticated data prevents ciphertext from being moved between field/file contexts.
- Production startup fails without a 32-byte
DATA_ENCRYPTION_KEY. - Structured extraction retains SSN/TIN last-four only; full identifiers remain inside encrypted source evidence.
- SHA-256 integrity hashes identify source documents and report snapshots.
Identity and tenant isolation
- Memory-hard scrypt password hashing with per-user salts.
- Session and API tokens are random and stored only as SHA-256 hashes.
- Secure, HTTP-only, SameSite=Lax cookies and session revocation.
- Roles: owner, admin, reviewer, member.
- Every stateful query includes organization ownership; downloads never accept storage paths from the client.
Application defenses
- Database-backed login throttling and signup quotas.
- Magic-byte verification, bounded body/file sizes, XML DTD/entity rejection, and strict extraction allowlists.
- LLM prompt-injection boundary: documents are evidence and never instructions.
- Security headers, deny framing, MIME sniffing protection, restrictive permissions policy, and production HSTS.
- Signed, replay-deduplicated Stripe webhooks.
Operations launch gates
The deployment checklist requires TLS, loopback-only origin binding behind nginx, non-root containers, dropped Linux capabilities, no-new-privileges, encrypted off-box backups, restore testing, external health monitoring, alert routing, secret rotation, and log-retention policy.
Trust roadmap
Before enterprise or regulated production use: complete independent penetration testing, SOC 2 Type I then Type II, vendor/subprocessor register, incident-response exercise, BCP/DR exercise, DPA and GLBA-aligned security exhibits, cyber insurance, and customer-specific retention/deletion configuration.
Report security issues privately to security@vcorp.co. Do not include borrower data in the initial message.
Last updated July 14, 2026. This page describes product architecture and launch requirements; certifications are not claimed unless explicitly stated.