Trust center

One page for the questions your security team is about to ask.

Audits, posture, status, and a working inbox for vulnerability reports. Nothing behind a sales call you don't already need.

Certifications

Where we are on the audit calendar.

Standard	Status	Notes
SOC 2 Type I	Available	Issued January 2026 by a Big-Four affiliated auditor. Available under NDA.
SOC 2 Type II	In progress	Observation window started February 2026. Report expected Q3 2026.
ISO 27001	Targeted Q4 2026	Stage 1 audit booked. ISMS scoped to production engineering.
PCI DSS	Not applicable	OpenSettle never handles cardholder data. Stablecoins only.
GDPR / UK GDPR	Compliant	DPA, SCCs, and UK Addendum available at /legal/dpa.
MiCA (EU)	Out of scope	Architectural posture documented at /legal/compliance.

Real-time

Live signals, not slide decks.

System status

Per-region uptime, current incidents, and a 90-day history.

Security posture

Live summary of our infrastructure controls, audits, and screening.

Security docs

Engineer-facing guide: signed webhooks, key rotation, IP allowlists.

Documents

Compliance documentation.

Compliance framework

Why our model sits outside money-transmission and CASP regimes.

Data Processing Addendum

GDPR Article 28 terms, SCCs, UK Addendum.

Subprocessors

Every third party that touches Service data.

What we collect, what we don't, and how to delete it.

Cookie Policy

No advertising cookies. Cookieless analytics.

Plain-language commercial terms.

Reporting

Found something? We want to know.

We operate a coordinated disclosure program. Reports are triaged within one business day. Critical findings on the smart-contract Router are eligible for our Immunefi-style bounty (up to $250,000).

security@opensettle.example

PGP key fingerprint published in security.txt.

security.txt

/.well-known/security.txt

RFC 9116 disclosure metadata. Contact, expiry, policy.

Policy

Disclosure policy & safe harbor

Good-faith research is protected. No legal action against researchers who follow our policy.