Security & Compliance

Security is not a feature. It is the foundation.

Every layer of Techvica's infrastructure is designed around the assumption that financial data demands the highest standard of protection. Not just at audit time - continuously.

SOC 2 readiness · PCI DSS support · FIPS 140-2 · GDPR · ISO 27001-aligned
Assurance programs

What we secure on the platform, and what your organisation attests to.

SOC 2 Type II readiness

Role: We advise; your org attests
Focus: Trust Service Criteria mapping & evidence
Cadence: Aligned to your audit cycle

Techvica does not issue a SOC 2 Type II report. Instead, our team helps yours map controls, collect evidence, and respond to auditor questions so you can pursue attestation with your CPA firm.

  • Shared responsibility matrices for infrastructure vs. your applications
  • Pre-filled control narratives you can adapt for your environment
  • Office hours with our security team during audit windows
  • No substitute for your own signed SOC 2 report

PCI DSS program support

Role: Scope & documentation; we are not the QSA
Focus: Segmentation, flows, RFI responses
Cadence: Per your assessment schedule

Card data often lives in your compliance boundary even when you process through a platform. We help you document how Techvica fits your PCI scope and coordinate with your Qualified Security Assessor. Your Attestation of Compliance remains yours.

  • Architecture diagrams for cardholder data flows involving our APIs
  • Written answers for common acquirer and QSA questionnaires
  • Guidance on tokenisation and segmentation patterns
  • We do not hold a PCI DSS Level 1 AOC on your behalf

End-to-end Encryption

Standard: FIPS 140-2 / NIST SP 800
Scope: Data at rest and in transit
Operations: Continuous

FIPS 140-2 validated cryptographic modules protect data at rest and in transit. Keys are managed with hardware-backed HSMs where contracted. Access to production data follows least-privilege and break-glass procedures.

  • FIPS 140-2 validated encryption for data at rest
  • FIPS-approved algorithms for all data in transit
  • Hardware Security Module (HSM) key storage available
  • Key rotation and access reviews on a defined schedule
  • NIST SP 800-series aligned key management practices
  • Detailed encryption appendix available under NDA

Data Residency

Regions: AWS, GCP, Azure
Scope: Customer data and backups
Contract: Per deployment

Choose where your data lives. We support EU (Frankfurt, Ireland), UK (London), US (Virginia, Oregon), and Australia / New Zealand-aligned regional deployment options. Data does not leave your selected region unless you explicitly authorise it.

  • EU, UK, US, Australia, and New Zealand region options
  • Contractually enforced data boundary
  • Backups remain in-region by default
  • Cross-region replication only with written consent
  • Transfer mechanisms for GDPR Article 44+ where applicable

Security controls

Defense in depth.

Built for supervised workloads

We work with banks, lenders, and fintechs that answer to serious regulators. Our documentation is written so your compliance and legal teams can place us inside their third-party risk programs, not so we can claim their licences for you.

ISO-aligned security practices

Policies, access reviews, and change control are modelled on ISO 27001-style expectations. You map them into your own ISMS; we do not present a Techvica ISO certificate as a substitute for yours.

Role-based Access Control

Granular, attribute-based permissions. Every user action is scoped to the minimum required access. SSO via SAML 2.0 and OIDC. MFA enforced across all roles with access to production systems.

Immutable Audit Log

Every action on the platform - API call, dashboard click, configuration change - is appended to a tamper-evident log. Queryable via API. Exportable for your own SIEM. Retained for 7 years.
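The tamper-evident property claimed above is worth checking on your side once the log is exported to your SIEM. The block below is an added example, not Techvica's implementation (the page does not describe its log format or hashing scheme); it shows the common hash-chain construction in which every entry commits to the SHA-256 of the previous one, so rewriting or removing any record invalidates all later hashes. The entries, field names and the `GENESIS` sentinel are constructed for the illustration.

```python
"""Toy tamper-evident (hash-chained) audit log.

Added example, not the platform's own code. Each entry carries the hash of
the previous entry ("prev") and its own hash over all other fields, so an
edit or deletion anywhere in the middle breaks the chain from that point on.
All sample entries below are constructed data.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

Entry = Dict[str, Any]

# Assumed sentinel that the first entry chains to.
GENESIS = "0" * 64


def _canonical(body: Entry) -> bytes:
    # Deterministic serialisation: same fields always produce the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append(log: List[Entry], actor: str, action: str, target: str, ts: str) -> Entry:
    """Append one entry whose hash covers its fields plus the previous hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body: Entry = {
        "seq": len(log),
        "ts": ts,
        "actor": actor,
        "action": action,
        "target": target,
        "prev": prev,
    }
    body["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    log.append(body)
    return body


def verify(log: List[Entry]) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and check linkage.

    Returns (True, None) when the chain is intact, otherwise
    (False, index_of_first_bad_entry).
    """
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev") != expected_prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash"):
            return False, i
        expected_prev = entry["hash"]
    return True, None


def head(log: List[Entry]) -> str:
    """Latest hash; store this outside the log to detect truncation of the tail."""
    return log[-1]["hash"] if log else GENESIS


def build_sample_log() -> List[Entry]:
    # Constructed sample: the three action types the page mentions.
    log: List[Entry] = []
    append(log, "alice@example.com", "api.call", "/v1/payments", "2024-01-01T10:00:00Z")
    append(log, "bob@example.com", "config.change", "webhook.url", "2024-01-01T10:05:00Z")
    append(log, "alice@example.com", "dashboard.click", "export", "2024-01-01T10:07:00Z")
    return log


def tampered_copy(log: List[Entry]) -> List[Entry]:
    # Constructed tamper case: a field in the middle entry is rewritten.
    bad = copy.deepcopy(log)
    bad[1]["actor"] = "mallory@example.com"
    return bad


def deleted_copy(log: List[Entry]) -> List[Entry]:
    # Constructed tamper case: the middle entry is removed.
    bad = copy.deepcopy(log)
    del bad[1]
    return bad


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify(sample))
    print("edited:", verify(tampered_copy(sample)))
    print("deleted:", verify(deleted_copy(sample)))
```

Note that a hash chain on its own does not reveal that the newest entries were dropped; for that you compare `head(log)` against a value recorded outside the log (for example the last hash your SIEM ingested). Real exports are also typically signed by the producer, which this toy omits.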

Annual Penetration Testing

External penetration tests conducted annually by CREST-accredited firms. Results and remediation timelines are shared with enterprise customers. Bug bounty programme via HackerOne for continuous coverage.

GDPR & Privacy

Privacy by design. Not by policy.

We collect the minimum data required to operate the service. Every data subject right is implementable via API - so your compliance team can fulfil requests in minutes, not days.

Request our DPA

GDPR commitments

  • Data Processing Agreements (DPAs) available for all customers
  • GDPR Article 28 compliant sub-processor list published and maintained
  • Right of access, erasure, and portability supported via API
  • 72-hour breach notification SLA
  • Data Protection Officer (DPO) on staff
  • Privacy by design - minimum data collection, maximum control

Shared responsibility

What we secure. What you control.

Techvica is responsible for

  • Physical and network infrastructure
  • Platform software and API layer
  • Encryption key management
  • Documentation for your SOC 2 and PCI programs
  • Incident response and breach notification
  • Vulnerability management and patching

You are responsible for

  • User access and permission management
  • API key rotation and secret hygiene
  • Client-side application security
  • Data you collect from your end users
  • Your own compliance obligations to your regulators
  • Webhook endpoint security

Security review

Need to complete a vendor security review?

We respond to security questionnaires within 2 business days. Our security team is available for calls with your CISO or compliance officer.