Security Practices
LedgerLink is built to securely integrate digital assets with banking infrastructure. We combine best-in-class cloud architecture, strong cryptography, continuous monitoring, and rigorous vendor and compliance controls to protect customer funds and data.
LedgerLink undergoes rigorous independent third-party SOC 2 Type II audits conducted by a reputable certified public accountant (CPA) firm to certify individual products on a regular basis. To request a copy of our SOC 2 Type II report please access our Trust Center.
Infrastructure & cloud
- We deploy on major cloud providers following the Shared Responsibility Model.
- Production workloads use multi-AZ architecture, encryption at rest, automated backups, and monitoring.
- Multi-AZ, automated backups, snapshots retention policies and tested recovery procedures.
- Infrastructure as Code (IaC) with peer-reviewed changes and automated policy checks.
- Network segmentation, least-privilege security groups, and VPC flow logging.
Cryptography & key management
- We use industry-standard algorithms and managed key storage.
- Data at rest: AES-256 (GCM / XTS where appropriate).
- Data in transit: TLS 1.2 minimum; TLS 1.3 preferred with ECDHE key exchange and modern ciphers.
- Key storage & management via HSM / cloud KMS with role-based access and key rotation policies.
- Hashing: SHA-256 / SHA-384 for integrity; deprecated algorithms are not used (no MD5, SHA-1, DES, 3DES).
Identity, access & authentication
- Single sign-on (SAML / OIDC) with centralized identity provider (IdP).
- Multi-factor authentication (MFA) for all privileged accounts.
- Role-based access control (RBAC), least privilege, and regular access reviews.
- Break-glass emergency procedures and documented step-down access control.
Secure development & vulnerability management
- Secure SDLC: threat modeling, code reviews, and automated static analysis for all changes.
- Third-party dependency scanning, periodic SCA reports, and patching cadence.
- Regular internal and external penetration testing and remediation tracking.
Monitoring, logging & detection
- Centralized logging and 24/7 alerting for critical events.
- Endpoint detection, anomaly detection, and automated alert escalation.
- Retention of security logs per policy (auditable and aligned with retention matrix).
People & culture
- Security is everyone's responsibility. We apply HR best practices to minimize personnel risk.
- Background checks for employees with privileged access where permitted by law.
- Role-based security training and mandatory onboarding security modules.
- Quarterly security refreshers, and secure coding training for engineers.
Data protection & privacy
We minimize data collection, classify data sensitivity, and apply controls appropriate to classification levels. We comply with applicable privacy laws (CCPA, GDPR, etc.).
Data Subject Requests and DPAs are handled via our legal and compliance teams; customers can request a copy of our DPA or privacy practices via privacy@ledgerlink.ai.
Business continuity & Incident response
We maintain documented BCP and DR plans, runbooks for failover, and periodic DR tests. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) defined per system.
Multi-region deployments and tested failover plans for critical services. IR playbooks (detection, containment, eradication, recovery, communication).
Customer notification procedures and regulatory reporting aligned to jurisdictional obligations. We maintain a coordinated vulnerability disclosure program. Security researchers may contact security@ledgerlink.ai.
Compliance, audits & attestations
LedgerLink maintains a rigorous compliance program and undergoes regular third-party assessments. Attestations and detailed audit reports are available to customers under NDA.
Vendor risk management program: vendors are classified, assessed, and reviewed annually. Available evidence provided under NDA where necessary.