Security & Compliance

    Last updated: February 2026

    Infrastructure Security

    • Encryption at Rest: All data is encrypted using AES-256 encryption. Database backups are also encrypted.
    • Encryption in Transit: All communications are secured via TLS 1.2+ (HTTPS). API requests and bureau transmissions use encrypted channels.
    • SFTP Transfers: Credit bureau file transmissions use SFTP (SSH File Transfer Protocol); the credentials used for these transfers are stored in encrypted form.
    • SOC 2 Type II Certified Infrastructure: Our infrastructure providers (Vercel, Supabase) maintain SOC 2 Type II certification, ensuring continuous security monitoring and controls.

    Access Controls

    • Role-Based Access Control (RBAC): Company-level access controls with admin and user roles. Row Level Security (RLS) ensures data segregation at the database level.
    • Multi-Factor Authentication (MFA): Support for MFA via authenticator apps for all user accounts.
    • API Key Authentication: Secure API key management with hashed storage and per-company scoping.
    • Audit Trail: Comprehensive field-level audit logging tracks all changes to credit reporting records, including who made changes, when, and what was modified.

    Regulatory Compliance

    • FCRA (Fair Credit Reporting Act): Full dispute management with automated 30-day deadline tracking, resolution workflows, and compliance documentation. All disputes are tracked from receipt through resolution.
    • Metro 2 Format Compliance: Generated files conform to the CDIA Metro 2 Format specification with automated validation, error detection, and field-level compliance checks.
    • GLBA (Gramm-Leach-Bliley Act): Data protection measures including encryption, access controls, and data segregation are in place to protect consumer financial information.
    • CCPA (California Consumer Privacy Act): Data deletion API available for consumer data removal requests. Configurable data retention policies per company.
    • CFPB Readiness: Our dispute management, audit trail, and compliance monitoring features align with CFPB supervision expectations for data furnishers.

    Data Handling & Retention

    • Data Segregation: Each company's data is isolated at the database level using Row Level Security policies. No company can access another company's records.
    • Configurable Data Retention: Companies can configure retention periods for credit reporting records. Automated cleanup processes purge data beyond the retention window.
    • Data Deletion: API endpoint available for programmatic data deletion requests in compliance with CCPA and similar regulations.

    Service Level Agreement

    • 99.9% Uptime Target: Backed by enterprise-grade infrastructure with automatic failover and global CDN distribution.
    • Automated Monitoring: Real-time monitoring with alerting for API availability, response times, and error rates.

    Breach Notification Policy

    In the event of a confirmed data breach affecting customer data, Switch Labs will:

    1. Notify affected customers within 72 hours of breach confirmation.
    2. Provide a detailed incident report including the nature of the breach, data affected, and remediation steps taken.
    3. Cooperate with regulatory authorities as required by applicable law.
    4. Offer credit monitoring services to affected individuals when personally identifiable information is compromised.

    Vulnerability Management

    • Regular dependency security audits and automated vulnerability scanning.
    • Responsible disclosure program for security researchers.
    • Incident response procedures with defined escalation paths.

    Contact

    For security inquiries or to report a vulnerability, please contact us at security@switchlabs.dev.