✓ COMPLIANT · SOC 2 TYPE II · GLBA SAFEGUARDS RULE · ISO 27001

Built on the same security stack we run for Fortune 500 banks.

Bravo handles tax returns, bank statements, and personal financial statements — the most sensitive data in consumer finance. Bot2Do's security posture is engineered for exactly this workload. Encryption, MFA, role-based access, audit logging, pen testing and privacy controls — not bolted on, built in.

SOC 2 Type II

AUDITED 2026

GLBA

SAFEGUARDS

ISO 27001

ALIGNED

CCPA

READY

NIST CSF

MAPPED

FinCEN

KYC / AML

/100

Security posture · Enterprise Grade A+

Independent audit score from Prescient Assurance (April 2026). Zero critical findings. 2 low-severity observations remediated within 14 days. Next audit: October 2026.

Core controls — GLBA Safeguards Rule (2023 update)

All in compliance

Encryption at rest & in transit

AES-256 for all customer data storage; TLS 1.3 for every API call and page view.

GLBA §314.4(c)(3)

ENFORCED

Multi-factor authentication

TOTP/Passkeys required for all Bravo staff + all borrower accounts accessing NPI.

GLBA §314.4(c)(5)

ENFORCED

Role-based access control (RBAC)

Least-privilege across 9 defined roles. Field-level masking on PFS, tax returns, SSNs.

GLBA §314.4(c)(1)

ENFORCED

Immutable audit logging

Every data access, mutation, export, or model prediction cryptographically logged & tamper-evident.

GLBA §314.4(c)(6)

ENFORCED

Annual penetration testing

External red-team engagement (Bishop Fox) · last test March 2026 · zero critical findings.

GLBA §314.4(d)(2)

CURRENT

Biannual vulnerability assessment

Automated scans daily · manual review semi-annually · remediation SLA: critical 24h / high 7d.

GLBA §314.4(d)(2)

UP-TO-DATE

Written information security program

Comprehensive WISP, board-approved, reviewed quarterly, aligned to NIST CSF 2.0.

GLBA §314.3

DOCUMENTED

Incident response program

24/7 SOC monitoring · 15-min Sev-1 paging · 72-hr regulatory notification protocol ready.

GLBA §314.4(h)

OPERATIONAL

Vendor / third-party oversight

All sub-processors SOC 2-attested (AWS, OpenAI, Anthropic, Plaid, DocuSign, Twilio…).

GLBA §314.4(f)

ALIGNED

Secure disposal of data

Cryptographic erasure on account closure. Right-to-delete honored within 30 days.

GLBA §314.4(c)(4)

ENFORCED

Encryption status · live

100%

Borrower tax returns (1120, K-1, 1040)

AT REST · 1,248 files · encrypted

AES-256-GCM ACTIVE

Bank statement PDFs

AT REST · 842 files · per-tenant key

AES-256-GCM ACTIVE

Personal financial statements

AT REST · 312 files · field-masked

AES-256-GCM ACTIVE

API traffic (all endpoints)

IN TRANSIT · 2.4M req / day

TLS 1.3 ACTIVE

Database (Postgres)

AT REST · KMS-managed keys

AES-256 ACTIVE

Secrets & credentials

AWS Secrets Manager · rotated 90d

KMS envelope ACTIVE

Backups (cross-region)

AT REST · S3 · object lock (WORM)

AES-256 ACTIVE

Role-based access · Bravo tenant

9 roles

Role	View PFS	View SSN	Override UW	Export	Admin
Raymond (Principal)	✓	✓	✓	✓	✓
Tom (Sr. Advisor)	✓	masked	✓	✓	—
Junior Advisor	masked	—	—	limited	—
Loan Processor	masked	—	—	—	—
Borrower	own only	own only	—	—	—
Bot2Do support	—	—	—	—	break-glass

Borrower data flow — where the protections kick in

Portal intake

TLS 1.3

Borrower uploads via HTTPS · client-side validation · no cookies leak

Ingress

WAF + DDoS

Cloudflare WAF · OWASP Top 10 rules · rate limiting · bot management

AI processing

VPC · no model training

Models run in private VPC · no customer data sent to public model training

Storage

AES-256 + KMS

Per-tenant keys in AWS KMS · field-level encryption on SSN, TIN, account #s

Retrieval

RBAC + audit

Every read checked against role · logged · PII auto-masked based on viewer role

Live security event stream

24/7 SOC