Security
How we build, operate, and protect the Tranched platform.
Tranched is built on structured finance infrastructure that handles sensitive financial and personal data on behalf of our clients. Security is embedded into every layer of how we build, operate, and manage our platform.
Certifications and Compliance
Tranched is pursuing SOC 2 Type II attestation and ISO/IEC 27001 certification, conducted by an accredited external audit partner. Our security programme is designed to meet the full requirements of both frameworks.
Our compliance programme is backed by a formal Information Security Management System (ISMS) covering all business operations across our offices in the United Kingdom, France, and the Netherlands, and all cloud infrastructure supporting the Tranched platform.
We comply with UK GDPR and EU GDPR as a data controller and, where applicable, as a data processor under client Data Processing Agreements.
Infrastructure Provider Certifications
Tranched's production infrastructure runs on Google Cloud Platform (GCP), which independently holds the following certifications covering the underlying infrastructure layer:
SOC 2 Type II
ISO/IEC 27001
ISO 22301 (Business Continuity Management)
These certifications apply to GCP's infrastructure and do not represent Tranched's own certifications. Tranched's certifications are those listed above.
Data Protection and Privacy
All client data processed by Tranched is classified and protected according to its sensitivity. We operate a three-tier data classification scheme — Confidential, Restricted, and Public — with strict handling requirements for each tier.
Personal data is processed only on a lawful basis and in accordance with applicable data protection law. Clients whose data Tranched processes as a data processor are protected by a formal Data Processing Agreement (DPA). Data subject rights requests — including access, erasure, and portability — are handled within the timeframes required by UK GDPR and EU GDPR.
Client personal data is retained for the duration of the applicable service agreement and deleted within the period specified in the DPA following contract termination.
Sub-processors
Tranched engages the following sub-processors to process client personal data in connection with the delivery of its services. All sub-processors are bound by Data Processing Agreements and are required to implement appropriate technical and organisational security measures.
Infrastructure and Hosting
Tranched's production infrastructure is hosted on Google Cloud Platform (GCP) in the EU (Belgium, europe-west1 region). Backup infrastructure is maintained on Hetzner (Germany). All production data remains within the European Economic Area.
We operate strictly segregated environments for development, testing, staging, and production. Client data is never used in non-production environments.
Access Control
Access to Tranched systems is governed by the principle of least privilege. All personnel are granted only the minimum access required to perform their job function, managed through role-based access controls.
Multi-factor authentication (MFA) is enforced across all critical systems and required for all privileged access to production infrastructure. Access rights are reviewed on a semi-annual basis and revoked within 24 hours of any personnel departure.
Client access to the Tranched platform is managed through OAuth-based authentication supporting Google and Microsoft identity providers. Each client organisation has its own tenant-level access, ensuring logical separation of data between clients.
Encryption
All data in transit over public networks is encrypted using TLS 1.2 at minimum, with TLS 1.3 preferred. Unencrypted protocols are prohibited for transmitting any sensitive data.
All confidential and restricted data stored on Tranched infrastructure is encrypted at rest using AES-256 or equivalent. Production databases are encrypted at rest using customer-managed encryption keys (CMEK) on GCP. All endpoint devices used by Tranched personnel are required to have full disk encryption enabled.
Cryptographic keys and secrets are managed through a dedicated secrets management platform, subject to a defined rotation schedule. Private keys are never stored in plaintext or committed to source control.
People Security
All personnel undergo background screening prior to being granted access to Tranched systems. Screening is conducted before the commencement of employment or engagement, with enhanced checks applied to roles with privileged access to production infrastructure.
Security awareness training is completed by all personnel at onboarding and annually thereafter. Engineers additionally complete annual secure development training covering the OWASP Top 10 and vulnerability classes relevant to Tranched's technology stack. Completion is tracked centrally.
All system access is provisioned only after personnel have completed onboarding requirements, including acknowledging Tranched's security policies. Upon departure, all access across all systems is revoked and company devices are returned and wiped. Post-termination confidentiality obligations are enforced through employment and contractor agreements.
Secure Development
Security is built into our development process from the start. All code changes are developed in isolated branches, require peer review and automated testing before merge, and follow a documented release checklist before production deployment.
Our engineering team completes annual security training covering the OWASP Top 10 and vulnerability classes relevant to our technology stack. Dependency vulnerability scanning is integrated into our CI/CD pipeline, with defined remediation timelines based on severity.
Tranched's systems undergo annual external penetration testing by a qualified security provider. Findings are reviewed and tracked to remediation.
Vendor and Supply Chain Security
All third-party suppliers are assessed for security risk before onboarding and monitored throughout the relationship. We apply a tiered due diligence process based on each vendor's access to sensitive data and critical systems — requiring SOC 2 Type II or ISO 27001 certification (or equivalent) for our most critical suppliers, and Data Processing Agreements for all vendors processing personal data on our behalf.
We assess exit and migration risk for all critical vendors prior to onboarding, including data portability and the availability of alternative providers.
Incident Response
Tranched maintains a documented incident response plan covering detection, classification, containment, recovery, and post-incident review. Incidents are classified from P0 (critical) to P3 (low), with defined response and resolution targets for each severity level.
In the event of a personal data breach, we notify the relevant supervisory authority within 72 hours of becoming aware, in accordance with UK GDPR and EU GDPR requirements. Affected data subjects are notified without undue delay where required.
Security incidents or concerns can be reported to us at contact@tranched.fi.
Business Continuity
Tranched maintains a Business Continuity and Disaster Recovery (BC/DR) plan covering all critical systems and services. Our platform commits to 99% availability per calendar month, with defined recovery time objectives for each critical system.
Recovery capabilities are validated through an annual disaster recovery test. All business-critical workloads are designed for failover, with standby infrastructure maintained and tested. As a remote-first company, no single physical location is critical to our operations.
Questions
If you have questions about our security programme or would like to request further information as part of your own due diligence process, please contact us at contact@tranched.fi.