What protects Customer Data on The Big Lease, how we prove it, and where the work is still going. Grounded in implemented controls, not marketing.
When two counterparties negotiate on The Big Lease, their private strategies, BATNAs, AI-Advisor conversations, and redlines are isolated from each other at the database layer through row-level security policies — not UI filters. The AI mediator between them receives bucketed signals only, never raw party strategy. Prompt-level isolation is enforced in the application. Every cross-party access attempt is logged.
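The database-layer isolation described above, as an added PostgreSQL example (this is not The Big Lease's own schema; the table names, the app_user role and the app.party_id session variable are assumptions made for the illustration):

```sql
-- Added example, not The Big Lease's schema. Table and column names and the
-- session variable app.party_id are assumptions for the illustration.
CREATE TABLE negotiations (
    id          bigint PRIMARY KEY,
    party_a_id  bigint NOT NULL,
    party_b_id  bigint NOT NULL
);

-- One party's private material: strategy notes, BATNA, redlines, advisor chat.
CREATE TABLE party_strategies (
    id              bigint PRIMARY KEY,
    negotiation_id  bigint NOT NULL REFERENCES negotiations(id),
    party_id        bigint NOT NULL,
    body            text   NOT NULL
);

-- Constructed data: one negotiation, one private row per party.
INSERT INTO negotiations VALUES (100, 1, 2);
INSERT INTO party_strategies VALUES
    (1, 100, 1, 'walk away above 18/sqft'),
    (2, 100, 2, 'target 15/sqft, ceiling 17');

-- The application connects as a role that does NOT own the tables and, per
-- request, sets the caller's party id from the verified JWT:
--   SET LOCAL app.party_id = '1';
-- SET LOCAL lives only for the transaction, so a pooled connection cannot
-- carry one request's identity into the next.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON negotiations, party_strategies TO app_user;

ALTER TABLE party_strategies ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the table owner as well. Superusers and roles
-- with BYPASSRLS still bypass RLS; keep the application role free of both.
ALTER TABLE party_strategies FORCE ROW LEVEL SECURITY;

-- Visible to, and writable by, the owning party only. NULLIF covers the case
-- where the variable is unset or was reset to '': the predicate becomes NULL,
-- which RLS treats as false, so a missing identity denies rather than allows.
-- Garbage in the variable fails the bigint cast and raises, which also denies.
CREATE POLICY own_party_only ON party_strategies
    FOR ALL TO app_user
    USING      (party_id = NULLIF(current_setting('app.party_id', true), '')::bigint)
    WITH CHECK (party_id = NULLIF(current_setting('app.party_id', true), '')::bigint);

-- Check: as party 1, the counterparty's row is simply absent from results, and
-- an attempt to write a row under party 2's id is rejected by WITH CHECK.
SET ROLE app_user;
BEGIN;
SET LOCAL app.party_id = '1';
SELECT id, party_id FROM party_strategies WHERE negotiation_id = 100;
--   returns one row: (1, 1)
INSERT INTO party_strategies VALUES (3, 100, 2, 'spoofed');
--   ERROR: new row violates row-level security policy for table "party_strategies"
ROLLBACK;
RESET ROLE;
```

Two practitioner notes. Cross-party reads do not error under RLS; they return zero rows, which is indistinguishable from "no data", so the "every cross-party access attempt is logged" guarantee has to be implemented in the application by comparing the resolved party id against the negotiation's membership before the query runs. And the policy is only as strong as the binding between the JWT and app.party_id: the value must come from the verified token claim, never from a request parameter.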
Platform fees, subscriptions, payment settlement, and Customer-side lease amortization flow through a double-entry ledger with an append-only trigger. Corrections are posted as reversing entries — no UPDATE, no DELETE. ASC 606 revenue recognition and ASC 842 lessee-side journal exports (NetSuite, SAP, Oracle, Workday formats) are built in. Reconciliation jobs run every 6 hours against the upstream payment processor’s balance transactions.
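How an append-only double-entry ledger with reversing entries can be enforced in PostgreSQL, as an added example (this is not The Big Lease's ledger; the table and account names and the use of a deferred constraint trigger for the balance check are assumptions):

```sql
-- Added example, not The Big Lease's ledger. Table, column and account names
-- are assumptions for the illustration.
CREATE TABLE journal_entries (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    posted_at   timestamptz NOT NULL DEFAULT now(),
    memo        text        NOT NULL,
    reverses_id bigint REFERENCES journal_entries(id)   -- set on a reversal
);

-- Amounts are minor units (cents) in bigint; never floating point for money.
-- Each line carries exactly one side: a debit or a credit, not both, not neither.
CREATE TABLE journal_lines (
    entry_id     bigint NOT NULL REFERENCES journal_entries(id),
    account      text   NOT NULL,
    debit_cents  bigint NOT NULL DEFAULT 0 CHECK (debit_cents  >= 0),
    credit_cents bigint NOT NULL DEFAULT 0 CHECK (credit_cents >= 0),
    CHECK ((debit_cents = 0) <> (credit_cents = 0))
);

-- Refuse UPDATE and DELETE on both tables at the database layer, so the
-- guarantee does not depend on application code or an ORM behaving.
CREATE FUNCTION reject_mutation() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'ledger is append-only: % on % not allowed', TG_OP, TG_TABLE_NAME;
END $$;

CREATE TRIGGER journal_entries_append_only
    BEFORE UPDATE OR DELETE ON journal_entries
    FOR EACH ROW EXECUTE FUNCTION reject_mutation();
CREATE TRIGGER journal_lines_append_only
    BEFORE UPDATE OR DELETE ON journal_lines
    FOR EACH ROW EXECUTE FUNCTION reject_mutation();

-- Double-entry invariant: debits equal credits per entry. A deferred
-- constraint trigger runs at COMMIT, once all lines of the entry are in.
CREATE FUNCTION check_entry_balanced() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE diff bigint;
BEGIN
    SELECT coalesce(sum(debit_cents) - sum(credit_cents), 0) INTO diff
      FROM journal_lines WHERE entry_id = NEW.entry_id;
    IF diff <> 0 THEN
        RAISE EXCEPTION 'entry % is unbalanced by % cents', NEW.entry_id, diff;
    END IF;
    RETURN NULL;
END $$;

CREATE CONSTRAINT TRIGGER journal_lines_balanced
    AFTER INSERT ON journal_lines
    DEFERRABLE INITIALLY DEFERRED
    FOR EACH ROW EXECUTE FUNCTION check_entry_balanced();

-- Constructed data: a platform fee is billed, then found to be wrong.
WITH e AS (
    INSERT INTO journal_entries (memo) VALUES ('platform fee, invoice 1001') RETURNING id
)
INSERT INTO journal_lines (entry_id, account, debit_cents, credit_cents)
SELECT id, 'accounts_receivable',  25000, 0 FROM e
UNION ALL
SELECT id, 'platform_fee_revenue', 0, 25000 FROM e;

-- Wrong way (raises): UPDATE journal_lines SET debit_cents = 20000 WHERE entry_id = 1;
-- Right way: a reversing entry that points at the original, then a fresh post.
WITH e AS (
    INSERT INTO journal_entries (memo, reverses_id)
    VALUES ('reverse invoice 1001 (wrong amount)', 1) RETURNING id
)
INSERT INTO journal_lines (entry_id, account, debit_cents, credit_cents)
SELECT id, 'platform_fee_revenue', 25000, 0 FROM e
UNION ALL
SELECT id, 'accounts_receivable',  0, 25000 FROM e;
```

The trigger is only a guarantee against the application role: a table owner or superuser can still run ALTER TABLE ... DISABLE TRIGGER, so the role the service connects with must not own the ledger tables, and DDL on them should go through the same change-control path as any other privileged mutation.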
TLS 1.2+ enforced; HSTS header; no plaintext HTTP endpoints. Data at rest is encrypted by the hosting provider (AES-256). Sensitive columns (SSO signing keys, OIDC client secrets) are additionally encrypted at the application layer, so a database dump alone does not expose them. Payment card primary account numbers never touch our systems: our PCI DSS Level 1 payment processor tokenizes them client-side, which keeps our own PCI DSS obligation at SAQ A scope.
Every API request carries a signed JWT and is authorized via role-based middleware plus row-level security at the database. Multi-factor authentication is required for all administrative access to production. SAML 2.0 and OIDC SSO federation (Okta, Azure AD, Google Workspace) is available for Enterprise Customers, with SCIM 2.0 automatic provisioning. Quarterly access reviews; same-day revocation on role change or termination.
Every privileged mutation writes to an audit log retained for 7 years. Errors flow to a SOC 2 Type II-attested error-tracking platform through a PII scrubber that strips emails, phone numbers, SSNs, card numbers, and auth tokens before transmission. Metrics endpoints expose business and operational signals. Structured JSON logging with request-ID correlation across front end, back end, and subprocessors.
Daily automated backups with point-in-time recovery; monthly restore validation. Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for Tier 1 critical systems. Service Level Agreement of 99.9% monthly with tiered financial remedies. External uptime monitoring from multiple regions feeds an automated SLA-credit pipeline. Annual BCP tabletop exercise.
Written incident response runbook with P0 through P3 severity definitions, detection sources, containment playbooks (database outage, credential compromise, third-party subprocessor breach, account takeover, ransomware), and blameless postmortems published within 5 business days for P0/P1 incidents. 72-hour Customer notification on confirmed Security Incidents per our Data Processing Agreement.
Every subprocessor carries a SOC 2 Type II (or equivalent), a signed Data Processing Agreement with flow-down terms, and annual security review. 30 days’ advance notice to Enterprise Customers before any new subprocessor begins processing Customer Data. Subprocessor categories are disclosed publicly at /legal/subprocessors; the detailed vendor list is available to Enterprise Customers under mutual NDA.
We publish the gaps too. SOC 2 Type I attestation in progress (Q3 2026 target), with Type II following after a 6–12 month observation period, through 2027. Annual external penetration testing commencing Q3 2026. Bug bounty program Q4 2026. Cyber liability insurance procured Q2 2026, scaling with revenue and Customer footprint. Multi-region deployment for EU data residency available under Enterprise engagements. These are on the launch checklist, not marketing fiction.