Trust

Security Policy

Last updated: July 17, 2026

Protecting borrower and lender data is a core requirement of the Service. This policy describes the controls VeriLend requires. It is maintained by the VeriLend team and is not an independent certification.

1. Encryption

  • In transit. All connections to VeriLend use HTTPS with TLS 1.2 or higher. HSTS is enabled.
  • At rest. Databases and object storage that hold user data are encrypted at rest using AES-256 provided by our managed infrastructure vendors.

2. Secure Document Uploads

  • Documents are uploaded directly into a private, non-public object-storage bucket.
  • Access to a document is provided through short-lived, signed URLs that expire and are scoped to a single authenticated user.
  • Uploaded content is scanned by automated quality and content checks.

3. Access Control

  • Role-based access. Every account has a role (borrower, lender, or admin). The database enforces access at the row level: borrowers see only their own loans and documents; lenders see only loans assigned to them or unclaimed submitted loans; admins have platform-management access only where a task requires it.
  • Lender onboarding. The lender role is not self-service. It is granted only through a single-use invitation code issued by an admin.
  • Principle of least privilege. Server code uses the caller's own identity by default; elevated (service-role) access is reserved for narrowly scoped, audited operations.

4. Multi-Factor Authentication (MFA)

VeriLend supports time-based one-time password (TOTP) authenticator apps for all accounts. Once a user enrolls a TOTP factor, sign-in requires both the password and a current code. MFA is strongly recommended for every account and is required for admin actions.

5. Monitoring and Logging

Application, authentication, and database events are logged by our infrastructure providers. Logs are used for troubleshooting, abuse detection, and incident investigation.

6. Vulnerability Management

VeriLend runs automated dependency scanning and periodic security reviews of database policies. Report a suspected vulnerability to security@verilend.app. We will acknowledge reports within 3 business days.

7. Breach Response

If a confirmed security incident affects user data, VeriLend will:

  1. Contain the incident and preserve evidence for investigation.
  2. Assess scope, root cause, and affected users.
  3. Notify affected users and, where required, regulators within the timelines set by applicable law (e.g., 72 hours under GDPR Article 33; state-specific deadlines in the U.S.).
  4. Publish a post-incident summary and remediation plan.

8. Periodic Audits

VeriLend reviews its security posture at least quarterly. Reviews include database policy checks, dependency and secret scans, and access-role reviews. Findings are tracked to remediation. VeriLend does not currently claim SOC 2, ISO 27001, or other third-party certifications; if that changes, this page will be updated.

9. Your Responsibilities

  • Use a strong, unique password.
  • Enroll multi-factor authentication on the Security page.
  • Never share your account credentials or MFA codes.
  • Report suspected account compromise immediately to security@verilend.app.

Questions? Contact privacy@verilend.app for privacy or data requests, or support@verilend.app for product help. Replace these placeholder addresses with your monitored inboxes before launch.