Security & Trust

Built for the side your audit sits on.

StringIO is pre-GA and we say so. Here are our controls and our compliance posture as they stand today, written as status and targets, not earned badges.

Compliance posture

SOC 2 Type II: in progress. Controls designed, audit underway.

PCI DSS: on the roadmap. Scope stays at the platform edge.

Sponsor bank: in discussion, not yet in place. Named under NDA once secured.

Pre-GA, stated plainly: no badge we haven't earned, no claim we can't back.

Secure by construction

Data

PAN never crosses your stack

Card data is tokenized at the platform edge. Your systems handle tokens, not PANs. PCI scope stays at the platform boundary, not in your application.

Money

Fail-closed by default

Every guard refuses rather than clamps. A bad request errors instead of silently settling wrong. Idempotency on every write makes retries safe and intent exactly-once.

Evidence

A signed, replayable close

A cryptographically signed daily attestation, deterministic and replayable across the full chargeback and restatement tail. Every disputed event reconstructs to a one-click evidence pack.

Screening

Compliance in the authorization

OFAC, AML, 3DS and Reg-E timers run inside the auth path, not as an afterthought. Every action writes to an immutable governance ledger.

Get started

Talk to our security team.

Want the detail? We'll walk your security and compliance team through the architecture and the roadmap. Ask for the security overview.