Trust Center

What we know. What we're working on. Where the gaps are.

In plain terms: an honest snapshot of what Debt Digest can prove today, and what is still in progress.

This page is for the compliance and risk officer who has to sign off on us. We will not pretend the SOC 2 is finished, that licensing covers every state, or that our break-glass procedure is mature. Below is exactly where we stand, dated, with the documents you would need to redline our pilot agreement.

Service provider · lender stays party of record | Charge-off aligned · NCUA & FFIEC | SOC 2 in progress
The four commitments

What we will not change on you mid-pilot.

These are the institutional anchors. Everything else on this page is qualified by date and status. These four are not.

Member funds never touch us

Consumers pay you. You remit our fee on a quarterly invoice. We never custody member funds. As your technology service provider, we host the data and run the software; you stay the party of record.

FDCPA + Reg F by construction

Validation notices auto-generate at placement. Time-of-day windows enforced server-side. Counsel firewall halts outreach on detection. We cannot bypass these; they're wired into the code path.
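As an added illustration of the server-side time-of-day gate described above (example code, not Debt Digest's own), the check below converts the server's UTC clock to the consumer's local wall-clock time and refuses outreach outside the window. It assumes the Reg F §1006.6(b)(1)(i) presumption (before 8:00 a.m. and after 9:00 p.m. at the consumer's location is inconvenient) as the window; the bounds, the function names and the "require the window in every plausible zone" rule for ambiguous locations are assumptions to confirm with counsel, not something this page states.

```python
"""Server-side outreach window check (added example; not Debt Digest's code).

Assumes the Reg F 1006.6(b)(1)(i) presumption of 8:00 a.m. to 9:00 p.m. at the
consumer's location as the allowed window. Confirm exact bounds and any stricter
state windows with counsel before relying on these constants.
"""
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Iterable

WINDOW_START = time(8, 0)   # inclusive, consumer local wall-clock time (assumption)
WINDOW_END = time(21, 0)    # exclusive (assumption)


def _local(now_utc: datetime, consumer_tz: tzinfo) -> datetime:
    # The gate only trusts an aware server clock; a naive datetime is rejected
    # so a client-supplied wall time can never be mistaken for UTC.
    if now_utc.tzinfo is None or now_utc.utcoffset() is None:
        raise ValueError("now_utc must be timezone-aware")
    return now_utc.astimezone(consumer_tz)


def outreach_allowed(now_utc: datetime, consumer_tz: tzinfo) -> bool:
    """True only when the consumer's local wall-clock time is inside the window."""
    return WINDOW_START <= _local(now_utc, consumer_tz).time() < WINDOW_END


def outreach_allowed_everywhere(now_utc: datetime, candidate_tzs: Iterable[tzinfo]) -> bool:
    """Conservative rule (assumption) for ambiguous location data, e.g. mailing
    address and phone area code in different zones: the window must hold in
    every plausible zone, and an empty candidate list never allows outreach."""
    tzs = list(candidate_tzs)
    return bool(tzs) and all(outreach_allowed(now_utc, tz) for tz in tzs)


def next_allowed(now_utc: datetime, consumer_tz: tzinfo) -> datetime:
    """Earliest UTC instant at or after now_utc at which outreach may be sent."""
    if outreach_allowed(now_utc, consumer_tz):
        return now_utc
    local = _local(now_utc, consumer_tz)
    start = local.replace(hour=WINDOW_START.hour, minute=WINDOW_START.minute,
                          second=0, microsecond=0)
    if local.time() >= WINDOW_END:
        # Too late today: first slot is tomorrow at window start. Adding a day
        # to an aware datetime is wall-clock arithmetic, so a DST change
        # overnight still yields 08:00 local, not 07:00 or 09:00.
        start += timedelta(days=1)
    return start.astimezone(timezone.utc)


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # needs system tzdata
    chicago = ZoneInfo("America/Chicago")
    now = datetime(2026, 5, 18, 12, 30, tzinfo=timezone.utc)  # 07:30 CDT
    print(outreach_allowed(now, chicago))
    print(next_allowed(now, chicago).isoformat())
```

The scheduler should call next_allowed and enqueue for that instant rather than polling; the sender itself re-checks outreach_allowed at send time so a job delayed by an outage cannot fire after 9 p.m.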

Append-only audit log, exportable

Every state change emits a tamper-evident log entry. You can export the full chain for your portfolio in CSV at any time, with no gating and no notice required.
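To show what "tamper-evident" and "exportable chain" mean in practice, here is an added example (not Debt Digest's code; the schema, field names and sample events are assumptions) of a hash-chained, append-only log: each entry commits to the hash of the entry before it, the whole chain exports to CSV, and a verifier on the creditor's side recomputes every hash from the exported fields alone. Editing, deleting or reordering a row breaks the chain; truncating the tail is caught only if the creditor recorded the head hash at export time, which is why the verifier takes it as an optional argument.

```python
"""Hash-chained audit log: append, export to CSV, verify the export.

Added illustration (not Debt Digest's code). Field names, event names and the
sample rows are assumptions constructed for the example.
"""
import csv
import hashlib
import io
import json
from dataclasses import asdict, dataclass, fields
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class Entry:
    seq: int          # strictly increasing, no gaps
    ts: str           # ISO-8601 UTC timestamp
    account_id: str
    event: str        # name of the state transition
    detail: str
    prev_hash: str    # entry_hash of the previous entry (GENESIS for seq 1)
    entry_hash: str   # SHA-256 over the canonical encoding of the fields above


FIELDS = [f.name for f in fields(Entry)]


def _digest(seq: int, ts: str, account_id: str, event: str, detail: str, prev_hash: str) -> str:
    # Canonical JSON array (fixed order, no whitespace) so the same fields always hash identically.
    payload = json.dumps([seq, ts, account_id, event, detail, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log; every entry commits to the one before it."""

    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def append(self, ts: str, account_id: str, event: str, detail: str = "") -> Entry:
        seq = len(self._entries) + 1
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        entry = Entry(seq, ts, account_id, event, detail, prev,
                      _digest(seq, ts, account_id, event, detail, prev))
        self._entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Hash of the latest entry; the creditor records this out of band at each export."""
        return self._entries[-1].entry_hash if self._entries else GENESIS

    def export_csv(self) -> str:
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        for entry in self._entries:
            writer.writerow(asdict(entry))
        return buf.getvalue()


def verify_csv(text: str, expected_head: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute every hash in an exported CSV and return (ok, reason).

    Catches edited, deleted and reordered rows and a broken chain. Tail
    truncation is only detectable when the caller passes the head hash it
    recorded at export time.
    """
    expected_prev, expected_seq = GENESIS, 1
    for row in csv.DictReader(io.StringIO(text)):
        seq = int(row["seq"])
        if seq != expected_seq:
            return False, f"sequence gap: expected {expected_seq}, got {seq}"
        if row["prev_hash"] != expected_prev:
            return False, f"chain break at seq {seq}"
        digest = _digest(seq, row["ts"], row["account_id"], row["event"], row["detail"], row["prev_hash"])
        if digest != row["entry_hash"]:
            return False, f"hash mismatch at seq {seq}"
        expected_prev, expected_seq = digest, seq + 1
    if expected_head is not None and expected_prev != expected_head:
        return False, "head mismatch: export is truncated or is not the latest chain"
    return True, "ok"


def build_sample() -> AuditLog:
    """Constructed sample events (not real account data)."""
    log = AuditLog()
    log.append("2026-05-18T14:02:11Z", "acct-0001", "placed", "validation notice queued")
    log.append("2026-05-18T14:02:12Z", "acct-0001", "validation_notice_sent")
    log.append("2026-05-19T09:30:00Z", "acct-0001", "counsel_detected", "outreach halted")
    return log


def edit_row(text: str, seq: int, field: str, value: str) -> str:
    """Simulate an after-the-fact edit of one exported row, to show it is detected."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if int(row["seq"]) == seq:
            row[field] = value
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    log = build_sample()
    export = log.export_csv()
    print(verify_csv(export, log.head_hash()))
    print(verify_csv(edit_row(export, 2, "detail", "edited later")))
```

The chain proves internal consistency of the export; it does not by itself prove the provider did not rewrite history before the creditor's first export. Periodically storing head_hash on the creditor's side (or having the provider countersign it) closes that gap.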

72-hour breach notification

If we detect an incident that may affect your data, you hear from us in writing within 72 hours of detection. Post-incident report within 30 days. Direct line to the on-call engineer during the active window.

Where we are on the journey

Regulatory posture, today.

We are mid-stream on SOC 2 attestation and committed to additional certifications as we onboard customers who require them. State licensing expansion follows pilot footprint.

Service provider, lender stays party of record
Debt Digest hosts the data and runs the software; the lender is the regulated party of record on every account. The state-by-state analysis under this posture is on /legal for your counsel.
SOC 2 in progress
Audit engagement is active. Status updates published on this page as they land. Compliance certifications scale with customer requirements.
Counsel of record engaged
Outside compliance counsel engaged. Counsel name is published once the engagement letter is countersigned.
Pen test on the program
Third-party penetration test on the program before first production pilot. SSO and SAML federation on the roadmap.
State licensing posture

State-by-state, where we can operate today.

Debt Digest is the creditor's technology service provider, not a third-party debt collector; the creditor stays the party of record. The state-by-state analysis under that posture is in progress with counsel. Where a state may still reach our conduct, or where we have not yet evaluated the licensing path, we say so. The full federal and state analysis lives on /legal.

State Posture Notes
Texas Live Service provider to the creditor of record; the creditor stays the regulated party. Primary pilot footprint. Conduct-line analysis under Tex. Fin. Code Ch. 392 in progress with counsel.
Georgia Live Service-provider posture; creditor is the party of record. Conduct-line analysis under O.C.G.A. § 7-3-26 in progress with counsel.
Ohio Live Service-provider posture; creditor is the party of record. Conduct-line analysis under Ohio Rev. Code Ch. 1349 in progress with counsel.
Florida Evaluated Bond and notice requirement under Fla. Stat. § 559.553 evaluated. Filing path scoped; we file once a Florida pilot creditor is signed.
North Carolina Evaluated Permit requirement under N.C. Gen. Stat. § 58-70-1 et seq. evaluated. Counsel opinion on whether the service-provider posture reaches our conduct pending.
New York Evaluated NYC Department of Consumer and Worker Protection (DCWP) license required for any borrower contact in NYC. Filing path scoped, not yet submitted. We will not place NY accounts before the license is in hand.
California Evaluated CA Debt Collection Licensing Act (DCLA) applicability under review with counsel. The service-provider posture may place us outside the definition; we will not assume until the opinion lands.
All other states Following pilots License path is evaluated when a pilot creditor in that state is signed. We do not pre-clear states speculatively because counsel cost compounds without revenue.

Last reviewed by outside counsel . Reviewed quarterly or on any state regulatory action, whichever is sooner.

Open questions we are willing to be asked

The questions we want compliance officers to ask first.

If a vendor doesn't surface these for you, they're either young enough not to have thought about them or mature enough to be hiding them. We are the first. Here are the honest answers.

Who has production database access today?
Founder only, until the first hire. Credentials rotate on every new hire. Break-glass procedure is documented with one external trustee and will expand when the team does. This is small-team posture, not best-practice posture, and we name it as such.
What happens if hosted compute or our managed database has an outage?
Runbook is published. Target RTO is 4 hours; RPO is 15 minutes via managed-Postgres point-in-time recovery. We have not yet tested a full region-loss restore against a clean infrastructure rebuild; that exercise is scheduled before first production pilot go-live.
What happens if the founder is unavailable?
Break-glass access is documented with one external trustee. Continuity is single-point-of-failure-bound until the first engineering hire. We disclose this in the pilot agreement; we do not paper it over.
Can we run a penetration test before signing?
Yes. We will coordinate with your preferred firm, cover standard scope, and accept reasonable remediation conditions in the pilot agreement. We expect this; the pen test is itself part of our pre-production checklist.
What is your E&O insurance coverage today?
We are sourcing professional liability and cyber-incident coverage now, gated by entity formation completion. We expect $1M / $2M aggregate at first bind; we will share the binder with the pilot agreement. Today: not yet bound. Stating this directly is the point of this page.
Have you been the subject of a regulatory complaint?
No. As of this writing we have placed zero accounts in production. We will publish complaint counts here from the day a first complaint arrives, with date and resolution, per quarter.
Known gaps and what we are doing

The work in progress, named.

A vendor who claims no gaps is a vendor who hasn't audited themselves. Here are ours, what's in motion, and when we expect each to clear.

SOC 2 attestation
SOC 2 is in progress. We are not attested today and will not market as if we were. Status updates appear on this page as they land.
SSO and SAML federation
On the roadmap. Until then, creditor users authenticate with JWT-backed sessions (4-hour expiry, scrypt-hashed passwords). Not enterprise-grade for federated identity; named as such.
Continuous penetration testing cadence
A third-party pen test lands before any real account data is in the system, with continuous cadence thereafter. We have not yet completed a paid external pen test as of today.
Multi-region disaster recovery
Single-region today (US-East). Multi-region active-passive is on the roadmap; we will not pretend we have it today. Point-in-time recovery and tested backups are in place for the single region.
Formal third-party risk program
Hosted infrastructure runs on SOC 2 Type II sub-processors across compute, managed database, edge, payment processing, transactional email and SMS, and error tracking. The formal vendor-risk-management policy with annual review attestations lands with SOC 2 fieldwork.
Dedicated CISO or compliance officer
Founder-led today. The Chief Compliance Officer role is in the post-pilot hiring plan and is a hard prerequisite before scaling beyond pilot. Outside compliance counsel is engaged in the meantime.
Counsel of record & statute index

Who supervises this, and which statutes we operate under.

Pilot agreement redlines are welcome. Our counsel and your counsel speak directly during diligence; we don't sit between them.

Counsel of record

Outside compliance counsel engaged for FDCPA, Reg F, charge-off timing (NCUA 12 CFR 741.3 for credit unions, FFIEC URCC for banks), and state-licensing matters. Firm name disclosed under NDA during diligence to avoid pre-engagement marketing on the firm's brand.

Redline our pilot agreement

Send your standard markup to legal@debt-digest.com. We turn redlines within five business days and route any non-trivial change through outside counsel.

Statute index

FDCPA §809(a): Validation notice on placement
FDCPA §805(a)(2): Counsel firewall
FDCPA §805(c) (15 U.S.C. §1692c(c)): Cease-communication, one-click
Reg F §1006.6: Outreach time-of-day windows
Reg F §1006.34: Settlement-offer itemization
NCUA 12 CFR 741.3: 120-DPD charge-off boundary (credit unions)
OCC / FFIEC: 180-day charge-off boundary (banks)
TSR 16 CFR 310: Fee-after-settlement, consumer-side
RFC 9116: security.txt and PGP key

Transport & infrastructure controls

TLS 1.3: All traffic encrypted in transit
HSTS: Strict-Transport-Security enforced
Hosted compute: SOC 2 Type II sub-processor
Managed Postgres: SOC 2 Type II sub-processor

For the printable one-page packet with the encryption controls and sub-processor categories, see /security.

Changelog

What changed on this page, when.

Material edits to commitments, licensing posture, or counsel are dated below. Cosmetic edits are not.

Effective
Review cadence: Quarterly
v1.3 (2026-05-18): Restructured page from a single-column control list into the honest open-questions format. Added state-licensing table, gaps section, and counsel block. Moved the printable control summary to /security.
v1.2 (2026-04-21): Added 72-hour breach notification commitment to the four institutional pillars. Refreshed compliance posture.
v1.1 (2026-04-08): Added state-by-state posture list (TX, GA, OH). Confirmed payment-flow firewall: consumer → creditor → DD.
v1.0 (2026-04-06): Initial publication alongside the accessibility and compliance hardening sprint.
Data handling and incident response

How member data moves through us, and what happens if something breaks.

The printable controls list lives on /security. The posture statements below describe what we will and will not do with your members' data.

FDCPA §809 Validation · Reg F §1006.6 Quiet hours · FDCPA §805(a)(2) Counsel firewall

Member data flows through one tenant boundary per creditor.

PII firewalls are enforced at the database query layer, not application policy. A creditor cannot read another creditor's members. We never sell data. We never share member PII across pilots. Minimum-necessary is the rule: last-4 SSN where ID verification requires it; full SSN never requested for servicing. Closed accounts anonymized after 7 years per FDCPA record-keeping norms. Creditors can export their full audit log and portfolio in CSV at any time, with no gating.

GDPR / NCUA 72-hour notice · RFC 9116 security.txt

If we detect an incident, you hear from us in writing within 72 hours.

Post-incident report within 30 days covers root cause, scope, remediation, and prevention. You get direct access to the on-call engineer during the active window. Security contact: security@debt-digest.com. PGP key at /.well-known/security.txt.

Bring your hardest compliance question.

We would rather you ask now and walk away than learn the answer in month three of a pilot. If we have not addressed it on this page, send it directly.