Trust portal
Compliance & Trust
How GeFi handles your data, your audits, and your regulators.
- Live evidence: trust.gefi.io → Certifications, audit reports, security policies, and on-demand evidence packs for customers and prospects.
- Uptime & incidents: status.gefi.io → Real-time platform status, scheduled maintenance, and historical incident post-mortems.
Compliance posture
- SOC 2 Type II (in progress)
- ISO 27001 (in progress)
- ISO 42001 (in progress)
- GDPR
- CCPA
Live status of our certifications, audits, and policies is published on trust.gefi.io. Customers on the Pro tier and above can request a full evidence pack on demand from inside the dashboard.
Subprocessors
We use a small, intentional set of subprocessors. Material changes are announced on the blog at least 30 days before they take effect.
| Subprocessor | Purpose |
|---|---|
| Cloudflare | Edge compute, DNS, WAF, R2/D1/KV |
| Stripe | Subscriptions and developer payouts |
| Resend | Transactional email |
| Auth0 | Authentication and MFA |
| Sumsub | KYC / KYB verification |
Data handling
- Data residency. US, EU, and MENA regional data planes. Enterprise tenants can pin all data to a single region.
- Encryption. TLS 1.3 in transit. AES-256 at rest. Per-tenant KMS-managed keys on the Enterprise tier.
- Retention. Audit logs are retained for the period required by each model’s jurisdiction (typically 5–7 years). Other data is deleted within 30 days of account closure.
- Access. Role-based access control with MFA enforced for all human access to production. Just-in-time elevation for engineering.
Audit log
Every inference call is appended to a hash-chained log and Merkle-anchored daily. Anyone with a run_id can fetch a Merkle inclusion proof and verify it offline against the published anchor — including auditors and regulators who don’t have an account.
The verification spec is on GitHub.
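To make the offline check above concrete, here is an added example (not GeFi's code and not taken from the GitHub spec) of what a verifier with nothing but a proof pack and the published daily anchor has to compute. The entry layout, the hash-chain construction (each leaf commits to the previous leaf), the 0x00/0x01 leaf-vs-node prefixes, and the proof-pack fields are all assumptions made for this illustration; the sample entries are constructed.

```python
import hashlib
import json
from typing import List, Tuple

# Constructed sample log entries for one day; the field layout is an assumption.
SAMPLE_ENTRIES = [
    {"run_id": "run-0001", "model": "m-alpha", "tokens": 120},
    {"run_id": "run-0002", "model": "m-alpha", "tokens": 88},
    {"run_id": "run-0003", "model": "m-beta", "tokens": 410},
    {"run_id": "run-0004", "model": "m-beta", "tokens": 19},
    {"run_id": "run-0005", "model": "m-alpha", "tokens": 300},
]

GENESIS = b"\x00" * 32  # previous-hash value for the first entry of the day


def canonical(entry: dict) -> bytes:
    # Canonical JSON so every verifier hashes exactly the same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(prev: bytes, entry: dict) -> bytes:
    # 0x00 prefix separates leaves from interior nodes (prevents a node being
    # passed off as a leaf and vice versa). Chaining on prev makes reordering
    # or deleting an earlier entry change every later leaf.
    return hashlib.sha256(b"\x00" + prev + canonical(entry)).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_hash_chain(entries: List[dict]) -> List[bytes]:
    leaves, prev = [], GENESIS
    for e in entries:
        prev = leaf_hash(prev, e)
        leaves.append(prev)
    return leaves


def merkle_root_and_proof(leaves: List[bytes], index: int) -> Tuple[bytes, List[Tuple[bytes, str]]]:
    """Return (root, path). path is a list of (sibling_hash, side) from leaf to
    root, side == 'L' meaning the sibling sits to the left. An odd-sized level
    duplicates its last node so every node has a partner."""
    level, path, idx = list(leaves), [], index
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        sib = idx ^ 1
        path.append((level[sib], "L" if sib < idx else "R"))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return level[0], path


def make_proof_pack(entries: List[dict], index: int) -> dict:
    """What the log operator would hand out for one run_id (hypothetical format):
    the entry, the previous leaf hash, the sibling path, and the day's anchor."""
    leaves = build_hash_chain(entries)
    root, path = merkle_root_and_proof(leaves, index)
    prev = GENESIS if index == 0 else leaves[index - 1]
    return {
        "entry": entries[index],
        "prev_hash": prev.hex(),
        "path": [(s.hex(), side) for s, side in path],
        "anchor": root.hex(),
    }


def verify_pack(pack: dict) -> bool:
    """Offline check: recompute the leaf from the entry, walk the sibling path,
    and compare against the anchor. No network access or account needed."""
    h = leaf_hash(bytes.fromhex(pack["prev_hash"]), pack["entry"])
    for sib_hex, side in pack["path"]:
        sib = bytes.fromhex(sib_hex)
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == bytes.fromhex(pack["anchor"])


if __name__ == "__main__":
    pack = make_proof_pack(SAMPLE_ENTRIES, 2)
    print("genuine pack verifies:", verify_pack(pack))
    tampered = dict(pack, entry=dict(pack["entry"], tokens=999))
    print("tampered entry verifies:", verify_pack(tampered))
```

The important property for an auditor is the last function: it trusts only the published anchor, so a log operator cannot silently alter or drop an entry after the day's root has been anchored without the proof failing to recompute.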
Per-jurisdiction counsel
For each market we operate in, we maintain a directory of named local counsel and qualified auditors. Customers on the Institutional and Enterprise tiers get the full directory; everyone else gets a summary on request.
| Jurisdiction | Regulator(s) | Status |
|---|---|---|
| US | SEC, FINRA, FinCEN | Counsel engaged |
| UK | FCA, PRA | Counsel engaged |
| EU | ESMA, national NCAs | Counsel engaged (multi) |
| UAE | ADGM FSRA, DFSA | Counsel engaged |
| Singapore | MAS | Engagement in progress |
| Switzerland | FINMA | Engagement in progress |
Reporting a vulnerability
We run a coordinated disclosure programme. Full scope, safe-harbour terms, PGP key, and rules of engagement are on the security & vulnerability disclosure page.
- Email security@gefi.io with details and your PGP key (optional).
- We acknowledge within one business day and aim to triage within three.
- Public disclosure is coordinated; we don’t sue researchers.
- Tooling can discover us via /.well-known/security.txt (RFC 9116).
Status & history
- status.gefi.io — current uptime and incidents.
- Quarterly security letter — published on the blog.