Trust

Security overview

We hold our security posture to the bar a CPA firm and a denominational board ask about — not the bar a small-business SaaS gets away with.

Identity

  • MFA enforced by default for every user.
  • SAML 2.0 and OIDC SSO on the Firm plan; per-workspace IdP configuration.
  • SCIM 2.0 provisioning for Okta, Google Workspace, Microsoft Entra, and any conformant IdP.
  • Break-glass workspace-owner account kept outside SSO and protected by MFA, for recovery when the IdP is unavailable.

Access control

  • Role-based access control with workspace and per-entity scopes (see product overview).
  • Segregation of duties enforced in code: e.g., bill creators cannot approve their own bills.
  • Configurable approval thresholds; dual approval for bills above a per-tenant amount.
  • Anti-BEC vendor bank-info change controls: 2-of-3 named approvers + 24-hour cool-down.
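The three controls above (segregation of duties, 2-of-3 named approvers, 24-hour cool-down) compose in ways that are easy to get wrong: the same approver clicking twice, the requester also being a named approver, or the cool-down starting from the request rather than from the approval that completed the quorum. The following is an added example written for this page, not steepl's code; the class and field names are hypothetical, and it assumes the cool-down clock starts at the second approval.

```python
"""Added example of the approval controls listed above: segregation of duties
(the person who raised a change can never approve it), 2-of-3 named approvers,
and a 24-hour cool-down before a vendor bank-info change takes effect.
Example code, not steepl's implementation; names are hypothetical and the
cool-down is assumed to run from the approval that completes the quorum."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COOL_DOWN = timedelta(hours=24)
REQUIRED_APPROVALS = 2


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    requested_by: str
    named_approvers: frozenset            # the people allowed to approve this change
    approvals: dict = field(default_factory=dict)   # approver -> approval time

    def approve(self, approver: str, at: datetime) -> None:
        # Segregation of duties is checked first and cannot be configured away:
        # the requester is refused even if someone listed them as an approver.
        if approver == self.requested_by:
            raise PermissionError("requester cannot approve their own change")
        if approver not in self.named_approvers:
            raise PermissionError(f"{approver} is not a named approver")
        # A second approval by the same person must not count as the second of two.
        if approver in self.approvals:
            raise ValueError(f"{approver} has already approved")
        self.approvals[approver] = at

    def effective_at(self):
        """Earliest time the new bank details may be used, or None until the
        required number of distinct approvers have signed off."""
        if len(self.approvals) < REQUIRED_APPROVALS:
            return None
        # The clock starts at the approval that completed the quorum, so an
        # attacker who phished one approver early gains no head start.
        completing = sorted(self.approvals.values())[REQUIRED_APPROVALS - 1]
        return completing + COOL_DOWN

    def can_apply(self, now: datetime) -> bool:
        eff = self.effective_at()
        return eff is not None and now >= eff


def demo() -> dict:
    """Walk the control through its edge cases with constructed data."""
    t0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    req = BankChangeRequest("vendor-17", "DE00 0000 0000 0000 0000 00", "alice",
                            frozenset({"alice", "bob", "carol"}))
    out = {}
    for who in ("alice", "eve"):               # the requester, then an outsider
        try:
            req.approve(who, t0)
            out[who] = "accepted"
        except PermissionError:
            out[who] = "refused"
    req.approve("bob", t0 + timedelta(hours=1))
    out["after_one"] = req.can_apply(t0 + timedelta(days=2))
    try:
        req.approve("bob", t0 + timedelta(hours=2))   # same person twice
        out["bob_twice"] = "accepted"
    except ValueError:
        out["bob_twice"] = "refused"
    req.approve("carol", t0 + timedelta(hours=3))
    out["effective_hours"] = (req.effective_at() - t0) / timedelta(hours=1)
    out["at_26h"] = req.can_apply(t0 + timedelta(hours=26))
    out["at_27h"] = req.can_apply(t0 + timedelta(hours=27))
    return out
```

Running demo() shows the requester and the outsider refused, a single approval insufficient even two days later, the duplicate approval refused, and the change applicable only 24 hours after Carol's approval (27 hours after the request). Enforcing these checks in the domain object rather than in the UI is what makes the control hold against API clients and internal tooling as well.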

Data protection

  • Encryption in transit: TLS 1.3 minimum, modern cipher suites only.
  • Encryption at rest: AES-256, application-layer envelope encryption for sensitive fields (TINs, SSNs, bank account numbers).
  • Per-entity database isolation; per-tenant least-privileged Postgres role.
  • Card data: never stored, transmitted, or processed by steepl. PCI SAQ A.
  • Sensitive fields scrubbed from logs (TIN, SSN, full account number, donor PII bodies).

Cryptography

  • Period-close anchors signed in AWS KMS (Frankfurt, FIPS 140-3 Level 3 HSM-backed) and stored in WORM-locked object storage.
  • Per-tenant data-encryption keys derived from a KMS-protected KEK via HKDF.
  • Signing keys never leave the HSM; signature verification uses the public key embedded in each anchor.
  • OIDC federation from Hetzner to AWS — no long-lived AWS credentials live on our compute hosts.
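The per-tenant key derivation above is the part of this section a reviewer can check locally. The block below is an added example written for this page, not steepl's implementation: it is HKDF as specified in RFC 5869 over HMAC-SHA-256 using only the Python standard library, with a tenant_dek helper whose label and info-string layout are assumptions. The KEK would come back from a KMS Decrypt call at service start; a constructed 32-byte value stands in for it here, and the block includes the RFC's first known-answer vector so a hand-rolled HKDF can be checked before use.

```python
"""Added example of deriving per-tenant data-encryption keys from one
KMS-protected key-encryption key with HKDF (RFC 5869 over HMAC-SHA-256).
Example code, not steepl's implementation: the KEK would come back from KMS
Decrypt at service start; here a constructed value stands in, and the label
and field layout of the info string are assumptions."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size          # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC(salt, IKM); RFC 5869 substitutes HashLen zero bytes for an absent salt."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ... with T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output is limited to 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def tenant_dek(kek: bytes, tenant_id: str, purpose: str, version: int = 1) -> bytes:
    """Derive a 256-bit DEK bound to one tenant and one purpose.

    The info string is what separates tenants: the same KEK with a different
    tenant_id or purpose yields an unrelated key, and any host holding the KEK
    can re-derive it without storing per-tenant secrets. Each field is
    length-prefixed so ("ab", "c") and ("a", "bc") cannot encode the same info.
    """
    fields = [b"tenant-dek", tenant_id.encode(), purpose.encode(), str(version).encode()]
    info = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hkdf(kek, salt=b"", info=info, length=32)


def rfc5869_case1() -> tuple:
    """Known-answer check (RFC 5869, Appendix A.1) returning (PRK, OKM) as hex."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    return prk.hex(), hkdf_expand(prk, info, 42).hex()


# Constructed stand-in for the plaintext KEK that KMS Decrypt would return.
EXAMPLE_KEK = bytes(range(32))
```

Two design points worth noting: the version field in the info string gives a cheap per-tenant key rotation path (bump the version, re-encrypt, keep the KEK), and because derivation is deterministic, the KEK plaintext is the only secret that must be confined to memory on the compute host. The public key embedded in each anchor (previous bullet) deserves the same scepticism as any in-band key: a verifier should compare it against the KMS key obtained out of band before trusting a signature.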

Auditability

  • Append-only audit log per tenant; append-only global audit summary in the control plane.
  • Posted journal entries are immutable and form a SHA-256 chain; period close emits a signed Merkle root.
  • Customer-controllable audit-log export.
  • Stand-alone verifier CLI re-derives the chain and verifies anchors — handed to auditors for independent review.
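What the hash chain, the Merkle root and the verifier actually buy an auditor is clearest in code. The block below is an added example written for this page, not steepl's verifier CLI: it chains constructed journal entries with SHA-256, builds the period-close anchor with a Merkle root over the entry hashes, and re-derives both from the raw entries to catch two kinds of tampering. Field names and the sample entries (amounts in cents) are constructed. Signature creation and checking are left out because they happen against KMS; a real verifier checks the anchor's signature first, against a KMS public key obtained out of band rather than only the copy carried inside the anchor.

```python
"""Added example of the ledger integrity scheme described above: SHA-256
hash-chained journal entries, a period-close anchor carrying a Merkle root,
and a verifier that re-derives both. Example code, not steepl's verifier CLI;
field names and sample entries are constructed, and KMS signing is omitted."""
import copy
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first entry in a tenant's ledger


def canonical(entry: dict) -> bytes:
    """Deterministic encoding: sorted keys, no whitespace, UTF-8."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over a domain tag, the previous hash and the canonical entry, so
    dropping, reordering or editing an entry changes every later hash."""
    h = hashlib.sha256(b"entry\x00")
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(entry))
    return h.hexdigest()


def post_entries(entries: list) -> list:
    """Build the chain as stored: each record links to the previous hash."""
    chain, prev = [], GENESIS
    for e in entries:
        digest = entry_hash(prev, e)
        chain.append({"entry": e, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def merkle_root(leaf_hashes: list) -> str:
    """RFC 6962-style tree: 0x00 prefix for leaves, 0x01 for interior nodes, so
    a leaf cannot pose as an interior node. An odd level carries its last node up."""
    if not leaf_hashes:
        return hashlib.sha256(b"").hexdigest()
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(h)).hexdigest() for h in leaf_hashes]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + bytes.fromhex(level[i] + level[i + 1])).hexdigest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]


def close_period(chain: list, period: str) -> dict:
    """The anchor that would be handed to KMS for signing (signature omitted)."""
    return {"period": period, "entry_count": len(chain),
            "last_hash": chain[-1]["hash"],
            "merkle_root": merkle_root([c["hash"] for c in chain])}


def verify(chain: list, anchor: dict) -> tuple:
    """Re-derive every hash from the raw entries, then compare with the anchor."""
    prev = GENESIS
    for i, c in enumerate(chain):
        if c["prev_hash"] != prev:
            return False, f"entry {i}: prev_hash link broken"
        if entry_hash(prev, c["entry"]) != c["hash"]:
            return False, f"entry {i}: stored hash does not match contents"
        prev = c["hash"]
    if len(chain) != anchor["entry_count"]:
        return False, "entry count differs from anchor"
    if merkle_root([c["hash"] for c in chain]) != anchor["merkle_root"]:
        return False, "merkle root differs from anchor"
    if chain[-1]["hash"] != anchor["last_hash"]:
        return False, "last hash differs from anchor"
    return True, "ok"


def demo() -> dict:
    """Constructed March ledger: a clean close, then two kinds of tampering."""
    entries = [
        {"seq": 1, "date": "2025-03-02", "memo": "Sunday offering",
         "lines": [["1010", 250000], ["4010", -250000]]},
        {"seq": 2, "date": "2025-03-05", "memo": "Utilities",
         "lines": [["6200", 41000], ["1010", -41000]]},
        {"seq": 3, "date": "2025-03-28", "memo": "Payroll",
         "lines": [["6100", 900000], ["1010", -900000]]},
    ]
    chain = post_entries(entries)
    anchor = close_period(chain, "2025-03")
    # Crude tamper: edit a stored row without touching any hash.
    in_place = copy.deepcopy(chain)
    in_place[1]["entry"]["lines"][0][1] = 4100
    # Careful tamper: edit the entry and rebuild the chain so it is internally
    # consistent; only the anchor fixed at close can catch this one.
    edited = copy.deepcopy(entries)
    edited[1]["lines"][0][1] = 4100
    return {"clean": verify(chain, anchor),
            "in_place": verify(in_place, anchor),
            "rebuilt": verify(post_entries(edited), anchor)}
```

The second tamper case is the reason the anchor has to leave the database: a chain alone only proves internal consistency, and anyone who can rewrite rows can rewrite hashes. The signed, WORM-stored root is the commitment the chain is checked against, and the verifier needs the exported entries plus the anchor, nothing from the live system.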

Network and transport

  • Caddy at the edge with automatic Let's Encrypt certificates. HSTS preload.
  • Postgres bound to the private network only; never publicly reachable.
  • SSH key-only, IP-allowlist; fail2ban; no password authentication anywhere.
  • Strict CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.

Operations

  • Secrets in OpenBao (self-hosted), auto-unsealed with AWS KMS (the awskms seal), so no unseal key material lives on the hosts.
  • No production secrets in source. Configuration via environment with per-host scope.
  • Quarterly access reviews; annual third-party penetration testing once revenue supports it.
  • Per-tenant restore drills run monthly against random tenants in staging.

Compliance roadmap

  • SOC 2 Type I within 6 months of GA; Type II within 12 months. Evidence collection via Vanta from day one.
  • PCI SAQ A — we never touch card data.
  • GDPR / CCPA — data resident in Germany (Hetzner Falkenstein); deletion + export honored within 30 days.
  • HIPAA — not in scope today. Tracked for V2 if benevolence/counseling notes become material.
  • ISO 27001 — reviewed for tier 3 (≥1,000 tenants) if denominational customers require.

Vulnerability disclosure

Email security@steepl.co. PGP key available in our security.txt. We acknowledge responsible disclosures on this page once the issue is resolved.

Acknowledgments: none yet. We're early.