Trust center
One page for the questions your security team is about to ask.
Audits, posture, status, and a working inbox for vulnerability reports. Nothing behind a sales call you don't already need.
Certifications
Where we are on the audit calendar.
| Standard | Status | Notes |
|---|---|---|
| Internal platform audit | Available | Latest report May 2026 — summaries public on GitHub; email security@opensettle.io for the full report, no NDA required. |
| SOC 2 Type I | Exploratory | Pursuit is gated by a post-launch commercial milestone. Engagement letter will be published when signed; no date committed until then. |
| SOC 2 Type II | Exploratory | Follows Type I by 12 months once the Type I observation period completes. |
| ISO 27001 | On the roadmap | Pursued after SOC 2 Type II. Scope will track production engineering. |
| PCI DSS | Not applicable | OpenSettle never handles cardholder data. Stablecoins only. |
| GDPR / UK GDPR posture | Documented | DPA, SCCs, and UK Addendum at /legal/dpa. Article 27 EU representative will be appointed before active EU/EEA outreach; until then we do not direct the Service at EU residents. |
| MiCA (EU) | Out of scope | Architectural posture documented at /legal/compliance. |
Documents
Compliance documentation.
Reporting
Found something? We want to know.
We operate a coordinated disclosure program. We acknowledge new reports within 72 hours and provide a triage decision within 7 days. We do not pay cash bounties today; we offer public acknowledgement, OpenSettle credits, and swag where shippable. A paid bounty programme will launch when funding allows, with retroactive payouts for material findings.
Policy
Disclosure policy & safe harbor
Good-faith research is protected. No legal action against researchers who follow our policy.