Security & Compliance

Groundwork. is built for community development financial institutions. We take data security, regulatory compliance, and borrower privacy seriously — so your team can focus on lending.

✓ GLBA Compliant
✓ CCPA Compliant
✓ NY SHIELD Act Compliant
✓ NCUA Third-Party Ready
✓ SSL Encrypted
What We Never Collect
Groundwork. is a loan readiness tool — not a lender. We never touch sensitive financial data.
The separation of duties: Groundwork. collects borrower self-reported readiness data. Your loan officers collect and verify the actual financial documents. These two sides never mix on our platform — keeping your institution in full control of sensitive member data.
Data Security
Enterprise-grade security built on Railway's managed infrastructure
SSL/TLS Encryption
All data in transit is encrypted via HTTPS. TLS 1.2+ is enforced across all connections.
Encrypted at Rest
PostgreSQL database encrypted at rest on Railway's managed infrastructure.
Secure Authentication
Bcrypt password hashing (per-password salt with a configurable work factor). Session-based authentication with secure, HTTP-only cookies. Two-factor authentication (email OTP) is live for all user accounts.
Data Isolation
Each organization's borrower data is isolated. Loan officers only see their own clients.
No Data Selling
Groundwork. never sells, shares, or monetizes borrower or institution data. Ever.
Right to Deletion
Borrowers can delete their account and all associated data at any time with one click.
Managed Infrastructure
Hosted on Railway — SOC 2 Type II compliant infrastructure with a 99.9% uptime SLA.
Email Security
Transactional email via Resend — no marketing tracking pixels in compliance emails.
Document Intelligence
AI document scanning extracts financial data only — raw documents are never stored permanently. Extracted data is isolated per institution and borrower. All extractions are flagged with confidence scores for loan officer (LO) verification.
Service Level Agreement
Our commitments to your institution
99.9% Platform Uptime
<24hr Support Response
Borrower Capacity
Regulatory Compliance
Designed with CDFI and credit union compliance requirements in mind
GLBA
Gramm-Leach-Bliley Act — we maintain appropriate safeguards for any nonpublic personal information handled on the platform.
✓ Compliant
CCPA
California Consumer Privacy Act — users have the right to access, delete, and opt out of data collection at any time.
✓ Compliant
NY SHIELD Act
New York Stop Hacks and Improve Electronic Data Security Act — reasonable administrative, technical, and physical safeguards in place.
✓ Compliant
NCUA Third-Party
Designed to meet NCUA third-party vendor due diligence requirements per guidance letters 07-CU-13 and 01-CU-20.
✓ Ready
Fair Lending
Groundwork. does not make lending decisions. All credit decisions remain with your institution — eliminating algorithmic fair lending risk.
✓ No AI Credit Decisions
BSA / AML
Groundwork. does not process financial transactions or hold member funds. BSA/AML compliance responsibility remains with your institution.
✓ Not Applicable

NCUA Vendor Due Diligence Package

We understand that your compliance team needs documentation before approving a new third-party vendor relationship. The following documents are available upon request to support your institution's due diligence process.

Operations Agreement
Master services agreement covering scope, responsibilities, data ownership, and termination rights.
Request document →
Security Overview
Technical security controls, encryption standards, access controls, and incident response procedures.
Request document →
Privacy Policy
Complete data collection, use, retention, and deletion practices for borrowers and institutions.
View Privacy Policy →
Business Continuity Plan
Disaster recovery procedures, data backup policies, and service restoration commitments.
Request document →
Implementation SOW
Statement of work covering onboarding, deliverables, timeline, and acceptance criteria.
Request document →
Service Level Agreement
Uptime commitments, support response times, and performance standards by plan tier.
Request document →

🗺️ Security Roadmap

We are actively building toward enterprise-grade security features requested by our CDFI and credit union partners. Below is our committed roadmap.

LIVE ✓
🔐 Two-Factor Authentication
Email-based OTP (one-time passcode) is live for all borrower accounts. Upon sign-in, a 6-digit verification code is sent to the user's email and is valid for 10 minutes. A session is only created after the code has been verified.
✓ Shipped April 2026
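As an added illustration (not Groundwork.'s own code) of the sign-in flow described above: a 6-digit code, a 10-minute validity window, and a session that is created only after the code is verified. The attempt limit, the salted-hash storage of the pending code, the single-use rule and the cookie attributes are assumptions of this example, not claims made on the page.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # as stated on the page
OTP_TTL_SECONDS = 600   # 10 minutes, as stated on the page
MAX_ATTEMPTS = 5        # assumed limit; not stated on the page


@dataclass
class PendingLogin:
    code_hash: bytes    # only a salted hash of the code is kept server-side
    salt: bytes
    expires_at: float
    attempts: int = 0


class OtpLogin:
    """Second factor: a code is issued at sign-in, a session only on verification."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock for testing
        self._pending: dict[str, PendingLogin] = {}
        self.sessions: dict[str, str] = {}     # session token -> user id

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code; the caller emails it. It is never stored in clear."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingLogin(
            self._hash(code, salt), salt, self._now() + OTP_TTL_SECONDS)
        return code

    def verify(self, user_id: str, submitted: str):
        """Return a session token on success, None otherwise (no session before then)."""
        p = self._pending.get(user_id)
        if p is None:
            return None
        if self._now() > p.expires_at or p.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]         # expired or brute-forced: discard
            return None
        p.attempts += 1
        if not hmac.compare_digest(self._hash(submitted, p.salt), p.code_hash):
            return None
        del self._pending[user_id]             # single use
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token


def session_cookie(token: str) -> str:
    """Set-Cookie value for the session: HttpOnly and Secure, as the page describes."""
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"
```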
PLANNED
📋 SOC 2 Type II Audit
Formal SOC 2 Type II certification through an accredited auditor. Covers security, availability, and confidentiality trust service criteria. Report available to institutional partners upon request.
TARGET: Q4 2026
PLANNED
🔑 Single Sign-On (SSO)
SAML 2.0 and OAuth SSO integration for institutions using Microsoft Azure AD, Google Workspace, or Okta. Staff log in with their existing institutional credentials — no separate Groundwork. password required.
TARGET: Q1 2027
PLANNED
📊 Audit Log & Access Controls
Full audit trail of all staff actions — who accessed what, when, and what changed. Role-based access controls (RBAC) with admin, loan officer, and read-only permission tiers. Exportable for NCUA exam review.
TARGET: Q1 2027
Questions about compliance or security?

We're happy to schedule a compliance call with your team, provide additional documentation, or answer any questions about how Groundwork. fits into your institution's vendor management program.

Contact Jerome →