SECURITY ARCHITECTURE

Controls for mortgage NPI

The product is designed to minimize structured PII, encrypt source evidence, isolate tenants, and preserve an explainable access and decision record.

Encryption and minimization

Identity and tenant isolation

Application defenses

Operations launch gates

The deployment checklist requires TLS, loopback-only origin binding behind nginx, non-root containers, dropped Linux capabilities, no-new-privileges, encrypted off-box backups, restore testing, external health monitoring, alert routing, secret rotation, and log-retention policy.

Trust roadmap

Before enterprise or regulated production use: complete independent penetration testing, SOC 2 Type I then Type II, vendor/subprocessor register, incident-response exercise, BCP/DR exercise, DPA and GLBA-aligned security exhibits, cyber insurance, and customer-specific retention/deletion configuration.

Report security issues privately to security@vcorp.co. Do not include borrower data in the initial message.