Security & Compliance
Groundwork. is built for community development financial institutions. We take data security, regulatory compliance, and borrower privacy seriously — so your team can focus on lending.
✓ GLBA Compliant
✓ CCPA Compliant
✓ NY SHIELD Act Compliant
✓ NCUA Third-Party Ready
✓ TLS Encrypted
Data Groundwork. never collects:
- Social Security Numbers or Tax ID Numbers
- Credit reports or credit scores (borrowers self-report ranges only)
- Bank account numbers, routing numbers, or financial account credentials
- W-2s, 1099s, or actual tax return documents
- Personal financial account statements or investment records
- Passwords or authentication credentials beyond our own platform login
- Payment card numbers or banking information
The separation of duties: Groundwork. collects borrower self-reported readiness data. Your loan officers collect and verify the actual financial documents. These two sides never mix on our platform — keeping your institution in full control of sensitive member data.
✓ TLS Encryption
All data in transit is encrypted over HTTPS; TLS 1.2 or later is enforced on every connection.
✓ Encrypted at Rest
The PostgreSQL database is encrypted at rest on Railway's managed infrastructure.
✓ Secure Authentication
Passwords are hashed with bcrypt. Sessions are held server-side and carried in cookies flagged Secure and HttpOnly.
✓ Data Isolation
Each organization's borrower data is isolated; loan officers see only their own clients.
✓ No Data Selling
Groundwork. never sells, shares, or monetizes borrower or institution data. Ever.
✓ Right to Deletion
Borrowers can delete their account and all associated data at any time with one click.
✓ Managed Infrastructure
Hosted on Railway, whose infrastructure holds a SOC 2 Type II attestation and carries a 99.9% uptime SLA. That attestation covers Railway's hosting layer; Groundwork.'s own application controls are documented in the Security Overview available on request below.
✓ Email Security
Transactional email is sent via Resend; compliance emails contain no marketing tracking pixels.
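The "Data Isolation" and "Right to Deletion" items above describe outcomes; the following is an added example, not Groundwork.'s own code, of how those outcomes are usually enforced at the data-access layer. It assumes a hypothetical schema (organizations, loan officers, borrowers, readiness answers) with constructed sample rows in an in-memory SQLite database in place of the platform's PostgreSQL database. Every read carries the tenant predicates taken from the verified session, so a guessed borrower id belonging to another officer returns nothing, and deletion removes the account and its dependent rows in one transaction.

```python
"""Tenant-scoped data access and account deletion (illustrative, not
Groundwork.'s implementation). Schema, table names and sample rows are
constructed for this example."""
import sqlite3
from dataclasses import dataclass

SCHEMA = """
CREATE TABLE organizations (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE loan_officers (
    id INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL REFERENCES organizations(id),
    email TEXT NOT NULL UNIQUE);
CREATE TABLE borrowers (
    id INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL REFERENCES organizations(id),
    officer_id INTEGER NOT NULL REFERENCES loan_officers(id),
    name TEXT NOT NULL);
CREATE TABLE readiness_answers (
    id INTEGER PRIMARY KEY,
    borrower_id INTEGER NOT NULL REFERENCES borrowers(id),
    question TEXT NOT NULL, answer TEXT NOT NULL);
"""

# Constructed sample data: two institutions, one officer each, two borrowers each.
SAMPLE_ROWS = {
    "organizations": [(1, "First Community CU"), (2, "Riverside CDFI")],
    "loan_officers": [(1, 1, "ana@firstcommunity.example"),
                      (2, 2, "ben@riverside.example")],
    "borrowers": [(10, 1, 1, "Borrower A"), (11, 1, 1, "Borrower B"),
                  (20, 2, 2, "Borrower C"), (21, 2, 2, "Borrower D")],
    "readiness_answers": [(1, 10, "credit_range", "650-699"),
                          (2, 10, "years_in_business", "3"),
                          (3, 20, "credit_range", "700-749")],
}


@dataclass(frozen=True)
class Scope:
    """Who the request is served for. Populated from the verified session,
    never from a query string or request body, so a client cannot choose it."""
    org_id: int
    officer_id: int


def open_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():  # table names come from a constant, not input
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def list_borrowers(conn: sqlite3.Connection, scope: Scope) -> list:
    """List queries always carry both tenant predicates from the scope."""
    return conn.execute(
        "SELECT id, name FROM borrowers WHERE org_id = ? AND officer_id = ? ORDER BY id",
        (scope.org_id, scope.officer_id),
    ).fetchall()


def get_borrower(conn: sqlite3.Connection, scope: Scope, borrower_id: int):
    """Lookup by id keeps the scope predicate: an id that belongs to another
    officer returns None rather than the row."""
    return conn.execute(
        "SELECT id, name FROM borrowers WHERE id = ? AND org_id = ? AND officer_id = ?",
        (borrower_id, scope.org_id, scope.officer_id),
    ).fetchone()


def get_borrower_unscoped(conn: sqlite3.Connection, borrower_id: int):
    """The anti-pattern, kept only for contrast: a primary-key lookup alone lets
    any authenticated user read any tenant's row (an insecure direct object reference)."""
    return conn.execute(
        "SELECT id, name FROM borrowers WHERE id = ?", (borrower_id,)
    ).fetchone()


def delete_borrower_account(conn: sqlite3.Connection, borrower_id: int) -> dict:
    """Borrower-initiated deletion: remove dependent rows and the account in one
    transaction (commit on success, rollback on error) and report what was removed."""
    with conn:
        answers = conn.execute(
            "DELETE FROM readiness_answers WHERE borrower_id = ?", (borrower_id,)
        ).rowcount
        accounts = conn.execute(
            "DELETE FROM borrowers WHERE id = ?", (borrower_id,)
        ).rowcount
    return {"answers": answers, "accounts": accounts}


def remaining_rows_for(conn: sqlite3.Connection, borrower_id: int) -> int:
    """Post-deletion verification: count anything still referencing the borrower."""
    answers = conn.execute(
        "SELECT COUNT(*) FROM readiness_answers WHERE borrower_id = ?", (borrower_id,)
    ).fetchone()[0]
    accounts = conn.execute(
        "SELECT COUNT(*) FROM borrowers WHERE id = ?", (borrower_id,)
    ).fetchone()[0]
    return answers + accounts
```

The scoped and unscoped lookups differ by one predicate; the test a reviewer would add to any tenant-isolated code base is exactly the one that asks for another tenant's id under a valid session and expects nothing back.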
GLBA
Gramm-Leach-Bliley Act — we maintain appropriate safeguards for any nonpublic personal information handled on the platform.
✓ Compliant
CCPA
California Consumer Privacy Act — users can access and delete their personal information at any time and opt out of its sale or sharing (Groundwork. sells and shares none).
✓ Compliant
NY SHIELD Act
New York Stop Hacks and Improve Electronic Data Security Act — reasonable administrative, technical, and physical safeguards in place.
✓ Compliant
NCUA Third-Party
Designed to meet NCUA third-party vendor due diligence requirements per guidance letters 07-CU-13 and 01-CU-20.
✓ Ready
Fair Lending
Groundwork. does not make lending decisions and runs no credit-scoring model, so the platform introduces no algorithmic fair lending risk. All credit decisions, and the fair lending obligations that attach to them, remain with your institution.
✓ No AI Credit Decisions
BSA / AML
Groundwork. does not process financial transactions or hold member funds. BSA/AML compliance responsibility remains with your institution.
✓ Not Applicable
NCUA Vendor Due Diligence Package
We understand that your compliance team needs documentation before approving a new third-party vendor relationship. The following documents are available upon request to support your institution's due diligence process.
Operations Agreement
Master services agreement covering scope, responsibilities, data ownership, and termination rights.
Request document →
Security Overview
Technical security controls, encryption standards, access controls, and incident response procedures.
Request document →
Privacy Policy
Complete data collection, use, retention, and deletion practices for borrowers and institutions.
View Privacy Policy →
Business Continuity Plan
Disaster recovery procedures, data backup policies, and service restoration commitments.
Request document →
Implementation SOW
Statement of work covering onboarding, deliverables, timeline, and acceptance criteria.
Request document →
Service Level Agreement
Uptime commitments, support response times, and performance standards by plan tier.
Request document →