Security at Debt Digest.
In plain terms: how we keep your data safe, on one page. The technical detail below is written for your security and procurement team: encryption, sub-processors, architecture, certifications, and audit posture. Save this page as PDF and bring it to your security committee.
§ 1 Legal structure
| Field | Value |
|---|---|
| Legal entity | Debt Digest, Inc. Delaware C-Corporation, formed April 2026. EIN issued. |
| Operating role | Technology Service Provider to the creditor, under Reg F §1006.2(e), CFPA §5481(26), and CCPA §1798.140. Debt Digest hosts the data and runs the software; the creditor remains the party of record for any contact with a customer. Debt Digest is not a debt collector. |
| Licensed footprint | The creditor remains the regulated party of record on every account. Debt Digest’s role as a service provider is the same in every state; the state-by-state analysis under the service-provider posture is on /legal for your counsel. |
| Money handling | The customer pays the creditor directly. The creditor remits Debt Digest's platform subscription quarterly. Debt Digest does not hold, route, or custody consumer funds. |
| Counsel of record | Outside compliance counsel listed in the pilot data room. Available on request for vendor-risk review. |
| Insurance | E&O and cyber liability binders scheduled for first production pilot. Carrier and limits provided on signed NDA. |
§ 2 Control summary
Headline control counts as of the effective date above. Each item is enumerated in § 4 Encryption & controls. Status definitions: Implemented = wired into production code and verifiable in the repository. Scheduled = dated and assigned. Planned = roadmap, not yet scheduled.
Control posture
§ 3 Certifications & audits
Debt Digest does not yet hold an independent SOC 2 attestation. SOC 2 is in progress; compliance certifications scale with the customers we onboard. Sub-processors (§ 7) carry their own current attestations; those are the controls a vendor-risk reviewer should rely on for hosted infrastructure today.
Audit posture today
| Item | Status |
|---|---|
| SOC 2 | In progress |
| Third-party penetration test | In progress |
| Internal vulnerability scanning | Implemented |
| Dependency scanning (CI) | Implemented |
| SSO & SAML federation (Okta, Azure AD) | On the roadmap |
| HIPAA BAA capability | Not in scope for credit-union pilots |
§ 4 Encryption & controls
Verifiable controls. Each row is wired in production code at the effective date and can be inspected by a designated reviewer on signed NDA. Repository: github.com/gvanderwolk/debt-digest-app.
Transport & cryptography
| Control | Implementation | Status |
|---|---|---|
| Transport encryption | TLS 1.3, HSTS preload, no downgrade to TLS 1.1 | Implemented |
| Data at rest | AES-256, managed-Postgres keys, regional KMS | Implemented |
| Password hashing | scrypt (N=2^14, r=8, p=1) + 32-byte salt | Implemented |
| Session tokens | JWT HS256, 4-hour expiry, server-side revocation list | Implemented |
| Webhook signing | HMAC-SHA256, per-creditor secret, replay window 5 min | Implemented |
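The webhook-signing row above lists HMAC-SHA256, a per-creditor secret and a 5-minute replay window. The receiver below is an added example, not Debt Digest's code or its documented snippet: the header names, the `"<timestamp>.<body>"` signing layout and the secret lookup are assumptions, and it adds duplicate suppression because a time window on its own still admits a replay inside those 5 minutes.

```python
import hashlib
import hmac

# Added example (not Debt Digest's code). Header names, secret lookup and the
# "<timestamp>.<body>" signing layout are assumptions; the page states only
# HMAC-SHA256, a per-creditor secret and a 5-minute replay window.
REPLAY_WINDOW_SECONDS = 5 * 60

# Constructed per-creditor secrets standing in for the receiver's secret store.
CREDITOR_SECRETS = {"cu-001": b"constructed-secret-for-cu-001"}


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: the tag binds the timestamp and the raw body together."""
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Creditor-side verifier: freshness, constant-time tag compare, duplicate suppression."""

    def __init__(self) -> None:
        self._seen: dict[str, int] = {}  # signature -> timestamp, pruned past the window

    def verify(self, creditor_id: str, headers: dict, body: bytes, now: int) -> tuple[bool, str]:
        secret = CREDITOR_SECRETS.get(creditor_id)
        if secret is None:
            return False, "unknown creditor"
        ts_raw = headers.get("X-DebtDigest-Timestamp", "")
        sig = headers.get("X-DebtDigest-Signature", "")
        if not ts_raw.isdigit():
            return False, "missing or malformed timestamp"
        ts = int(ts_raw)
        if abs(now - ts) > REPLAY_WINDOW_SECONDS:
            return False, "timestamp outside replay window"
        # Constant-time compare so response timing does not leak the tag prefix.
        if not hmac.compare_digest(sign(secret, ts, body), sig):
            return False, "signature mismatch"
        # The window alone still allows replay within 5 minutes; drop exact duplicates too.
        self._seen = {s: t for s, t in self._seen.items() if now - t <= REPLAY_WINDOW_SECONDS}
        if sig in self._seen:
            return False, "duplicate delivery"
        self._seen[sig] = ts
        return True, "ok"
```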
Application controls
| Control | Implementation | Status |
|---|---|---|
| Security headers | CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy | Implemented |
| Rate limiting | 60 req/min general, 5 req/min auth, progressive lockout | Implemented |
| Input validation | Server-side schema validation on every route, parameterized SQL | Implemented |
| Idempotency | Idempotency-Key header on every payment + placement endpoint | Implemented |
| Tenant scope enforcement | Creditor ID injected from JWT, never from request body | Implemented |
| CORS allowlist | Strict origin allowlist in production; no wildcard | Implemented |
Audit & observability
| Control | Implementation | Status |
|---|---|---|
| Audit log | Append-only, hash-chained per row, CSV export per creditor | Implemented |
| Application logs | Managed log drain, 30-day retention, PII-scrubbed | Implemented |
| Database backups | Managed-Postgres point-in-time recovery, 7-day window, regional replicas | Implemented |
| SIEM forwarding | Log export to creditor SIEM (Splunk, Datadog) via webhook | On the roadmap |
| Secrets management | Hosted env-var scope, no secrets in repository, rotation on offboard | Implemented |
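The audit-log row above describes an append-only, hash-chained table. The code below is an added example, not Debt Digest's implementation: the row fields, the hash input layout and the genesis value are assumptions. It shows what the chain does and does not prove: an edited row is caught by recomputation, but truncation of the tail is only caught when the verifier also holds a trusted head hash, which is why a creditor export should carry one.

```python
import hashlib
import json

# Added example (not Debt Digest's code). The row fields, the hash input layout and
# the genesis value are assumptions; the page states only "append-only,
# hash-chained per row".
GENESIS = "0" * 64


def row_hash(prev_hash: str, fields: dict) -> str:
    """SHA-256 over the previous row's hash and a canonical JSON encoding of this row."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditLog:
    """In-memory stand-in for the append-only table; each row commits to its predecessor."""

    def __init__(self) -> None:
        self.rows: list[dict] = []

    def append(self, creditor_id: str, actor: str, action: str, detail: str) -> dict:
        prev = self.rows[-1]["hash"] if self.rows else GENESIS
        fields = {"seq": len(self.rows), "creditor_id": creditor_id,
                  "actor": actor, "action": action, "detail": detail}
        row = {**fields, "prev_hash": prev, "hash": row_hash(prev, fields)}
        self.rows.append(row)
        return row

    def head(self) -> str:
        """Publish this out of band (e.g. with the creditor export) so truncation is detectable."""
        return self.rows[-1]["hash"] if self.rows else GENESIS


def verify_chain(rows: list[dict], expected_head: str = "") -> tuple[bool, int]:
    """Recompute every link. Returns (ok, index of the first bad row, or -1)."""
    prev = GENESIS
    for i, row in enumerate(rows):
        fields = {k: v for k, v in row.items() if k not in ("prev_hash", "hash")}
        if row["prev_hash"] != prev or row["hash"] != row_hash(prev, fields):
            return False, i
        prev = row["hash"]
    # A chain can be internally valid yet shorter than it was; compare to a trusted head.
    if expected_head and prev != expected_head:
        return False, len(rows)
    return True, -1
```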
Identity & access
| Control | Implementation | Status |
|---|---|---|
| Role-based access | Roles: consumer, creditor, firm, staff. JWT-bound, server-enforced. | Implemented |
| MFA on staff & creditor admin | TOTP enrollment required on staff accounts; rolling out to creditor admin | Implemented (partial) |
| SSO / SAML | Okta and Azure AD via standard SAML 2.0 metadata | On the roadmap |
| Production DB access | Founder-only today. Break-glass logged. Rotated on every hire. | Implemented |
§ 5 Regulatory coverage
Statutes and rules enforced in product. Each citation maps to a server-enforced behavior, not a policy document.
| Citation | Server-enforced behavior |
|---|---|
| FDCPA §809(a) | Validation notice auto-generated on placement |
| FDCPA §805(a)(2) | Counsel-retained firewall, outreach halt |
| FDCPA §1692c(c) | One-click cease-communication |
| FDCPA §809(b) | 30-day dispute pause |
| Reg F §1006.6 | 8am-9pm consumer local time |
| Reg F §1006.34 | Itemization on every offer |
| NCUA 12 CFR 741.3 | 120 DPD charge-off boundary (credit unions) |
| FFIEC URCC | 180/120 DPD charge-off boundary (banks) |
| TSR §310.4(a)(5) | Fee-after-settlement |
| GLBA Safeguards Rule | Member-NPI handling |
| CCPA / CPRA | Consumer access & deletion routes |
Any consumer-side settlement fee would be gated to “after settlement is reached and the consumer has made the first payment” per TSR. This is enforced at the database layer and cannot be overridden by an operator.
§ 6 Architecture & data flow
Single-region deployment. One origin, one cookie scope, one CSP. Sub-processors are enumerated in § 7.
Network boundary
Single hosted origin (debt-digest.com). No third-party static host, no split-brain. Edge DDoS protection in front.
Tenant isolation
Logical isolation via creditor_id column scoping. Every query gated by a server-side tenant guard. Cross-tenant read is rejected before the database is reached.
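The tenant guard described above, together with the "Creditor ID injected from JWT, never from request body" row in § 4, as an added example that is not Debt Digest's code. The schema, the claim name and the request shape are assumptions; the point it demonstrates is that the tenant predicate is resolved from the verified token and bound as a query parameter by the server, and that a body-supplied creditor_id that disagrees with the token is refused before any SQL runs.

```python
import sqlite3

# Added example (not Debt Digest's code). Schema, claim name and request shape are
# assumptions; the page states only that rows are scoped by creditor_id and that the
# tenant comes from the JWT, never from the request body.


class CrossTenantAccess(Exception):
    """Raised by the guard; nothing below it has touched the database yet."""


def open_demo_db() -> sqlite3.Connection:
    """Constructed two-tenant dataset so the guard can be exercised offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, creditor_id TEXT, balance_cents INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("acct-a1", "cu-001", 125000),
        ("acct-a2", "cu-001", 4300),
        ("acct-b1", "cu-002", 99000),
    ])
    return conn


def tenant_guard(claims: dict, body: dict) -> str:
    """Resolve the tenant from verified JWT claims only; a body creditor_id may not disagree."""
    tenant = claims.get("creditor_id")
    if not tenant:
        raise CrossTenantAccess("token carries no creditor_id claim")
    if "creditor_id" in body and body["creditor_id"] != tenant:
        raise CrossTenantAccess(f"body creditor_id {body['creditor_id']!r} != token tenant {tenant!r}")
    return tenant


def list_accounts(conn: sqlite3.Connection, claims: dict, body: dict) -> list:
    """Route handler shape: guard first, then a parameterized query the server scopes itself."""
    tenant = tenant_guard(claims, body)  # raises before any SQL is issued
    return conn.execute(
        "SELECT id, balance_cents FROM accounts WHERE creditor_id = ? ORDER BY id",
        (tenant,),
    ).fetchall()


def guard_rejects(conn: sqlite3.Connection, claims: dict, body: dict) -> bool:
    """True when the guard refuses the request (used to show the cross-tenant case)."""
    try:
        list_accounts(conn, claims, body)
    except CrossTenantAccess:
        return True
    return False
```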
Region & failover
US-East single region. Managed-Postgres point-in-time recovery 7 days. RTO 4 hours, RPO 15 minutes. Multi-region replication is on the roadmap.
PII scope
Last-4 SSN where identity verification requires it. Full SSN is never requested for servicing. Member NPI scoped to the placing creditor.
§ 7 Sub-processors
Every third party with technical access to creditor or consumer data falls into the categories below. Each named sub-processor is disclosed by name in the diligence packet under NDA and in the pilot agreement.
| Category | Role | Region | Posture |
|---|---|---|---|
| Application compute | Container hosting, deploy pipeline, log drain | US-East | SOC 2 Type II |
| Managed database | PostgreSQL, point-in-time recovery | US-East | SOC 2 Type II |
| Edge / DDoS protection | DNS, edge DDoS protection, WAF | Global | SOC 2 Type II · ISO 27001 |
| Payment processing | PCI-compliant payment processing for success-fee invoicing | Multi-region | PCI-DSS Level 1 · SOC 2 Type II |
| Transactional email and SMS | FDCPA notices and member outreach delivery | US-multi-region | SOC 2 Type II · ISO 27001 |
| Application error tracking | PII scrubbed on capture | US | SOC 2 Type II |
| Source control and CI | Source code and CI/CD with scoped secrets | US | SOC 2 Type II · ISO 27001 |
A signed DPA is in place with every sub-processor that handles PII. The named sub-processor list and links to each sub-processor’s current attestations are provided to creditors under NDA in the diligence packet. New sub-processors trigger 30-day creditor notice per pilot agreement.
§ 8 Funds-flow firewall
Debt Digest is the creditor's technology service provider, not a party to the debt. Money never flows through Debt Digest accounts. This is the single biggest delineator from a third-party debt-collection vendor.
| Party | Role in the funds flow |
|---|---|
| Consumer | Pays the creditor directly through the creditor's existing payment rail. |
| Creditor | Receives funds. Member-funds firewall. |
| Debt Digest | Quarterly success-fee invoice on incremental cures above baseline. |
PCI-compliant payment processing is used only for Debt Digest's invoicing of the creditor. Consumer payment instruments never touch Debt Digest infrastructure; the customer pays the creditor on the creditor's own rail.
§ 9 Data handling & retention
| Topic | Detail |
|---|---|
| Data minimization | Last-4 SSN where identity verification requires it. Full SSN is never collected for servicing. Member-NPI scoped to placing creditor. |
| No sale, no sharing across tenants | PII firewalls enforced at the database query layer via tenant scope. Each creditor sees only its own data. |
| Retention (active accounts) | Life of pilot plus regulatory minimums per FDCPA and applicable state record-keeping rules. |
| Retention (closed accounts) | Anonymized 7 years after closure. Identifiers stripped; transaction history retained for audit only. |
| Creditor export | Full audit log and portfolio data exportable as CSV at any time, no gating. Self-serve from the dashboard. |
| Pilot wind-down | Full data export plus scheduled deletion timeline included in pilot agreement. Default: 30-day cool-down, then irreversible purge. |
| Consumer rights routes | Access, correction, and deletion requests routed through /api/consumer/rights. Verified within 30 days per CCPA / CPRA. |
| Right to dispute | 30-day FDCPA §809(b) window. Collection paused during review. |
§ 10 Incident response
- Detection. Application errors paged via our error-tracking service. Failed-auth spikes alert on the hosted log drain. Anomalous data-export volumes alert on the Postgres slow-query log.
- Containment SLO. First response within 1 hour during business hours, 4 hours after-hours.
- Notification. Written notice to the creditor contact-of-record within 72 hours of detection (GDPR / NCUA-aligned), and earlier if material harm is identified.
- Post-incident report. Within 30 days: root cause, scope, remediation, prevention. Shared as a written report and reviewed on a creditor call.
- Direct access. Creditor's security lead has direct access to the incident-response engineer during the active window. No support-ticket routing.
- Coordinated disclosure. Researchers can report via /.well-known/security.txt per RFC 9116. PGP key published at the same path.
Security contact: security@debt-digest.com. Out-of-band escalation contact is included in the executed pilot agreement.
§ 11 Access & business continuity
| Item | Posture |
|---|---|
| Production database access | Founder-only today. Credential rotation on every hire. Break-glass logged to the audit table. |
| Background checks | Required for any future hire with production access. SSAE-compliant vendor. |
| Acceptable Use & Code of Conduct | Signed at onboarding. Annual reaffirmation. |
| RTO | 4 hours for full service restoration. |
| RPO | 15 minutes via managed-Postgres point-in-time recovery. |
| Continuity (founder unavailable) | Break-glass access procedure documented with one external trustee. Expanded with first hire. |
| Disaster recovery drill | Annual tabletop. First drill is on the roadmap. |
§ 12 Documentation
Linked references for technical reviewers. Each document below is current as of the effective date.
- API reference: REST endpoints, JWT auth flow, error codes, rate limits.
- Webhook verification: HMAC-SHA256 signature validation, replay window, code snippets.
- CSV schema: Placement file format, field definitions, sample file.
- Legal & privacy: Privacy policy, terms of service, consumer rights, DPA template.
- SLA: Uptime target, response-time commitments, credit schedule.
- Status: Live uptime, incident history, scheduled maintenance.
- Trust center: Posture page including open questions and regulatory roadmap.
- Pilot redlines: Request the pilot-agreement template for counsel review (by email).