Trust & security

Designed for regulated cross-border flows. Non-custodial by architecture, audit-ready by default.

Posture summary

Certifications & standards

In progress. Targeted attestation completion in Q4.

Roadmap. Aligned to controls; certification scheduled post-pilot.

EU data residency by default. Data Processing Agreement available on request.

Out of scope by design. Bridge does not store card data; payment instruments remain with regulated partners.

Bridge does not custody funds. Regulated partners execute regulated legs and hold funds throughout settlement.

Compliance, sanctions, KYB/KYC, and corridor rules evaluated before funds move.

TLS 1.3 for all API traffic. AES-256 at rest. Secrets managed via cloud KMS with rotation.

Event-based logging with timestamps, leg-by-leg status, and exportable payloads for reconciliation.

Maker/checker workflows for sensitive operations. API keys scoped per integration.

24h initial response SLA for security reports. Public status page for operational events.

Vendors that process customer or transaction data on our behalf. Updated as our infrastructure evolves.

VendorPurposeRegion

Cloud infrastructureCompute, database, object storageEU

Email deliveryTransactional and operational notificationsEU

VerificationBot mitigation on public formsEU

Status pagePublic operational statusEU

Email security@ultrasoft.app. We acknowledge within 24 hours and coordinate disclosure for anything material.

Deploy in a controlled corridor and evaluate routing, cost, and execution performance.