Built for sensitive financial data
Your counterparties share confidential financial statements, covenant data, and compliance records. CapitalBridge is designed from the ground up with institutional-grade security controls, independent audits, and strict data governance to protect that trust.
Independently verified, not self-assessed
Third-party audits and regulatory frameworks that validate our security posture. These are not marketing checkboxes. They represent ongoing commitments with continuous monitoring and annual re-certification.
SOC 2 Compliant
Security, Availability & Confidentiality
CapitalBridge follows SOC 2 controls for security, availability, and confidentiality. Our infrastructure and operational practices are built to meet the standards that financial institutions expect when handling sensitive portfolio data.
GDPR Compliant
Data Protection by Design
Built with GDPR principles from the ground up. Your counterparties and their data subjects retain all rights including access, rectification, portability, and erasure.
Six layers of protection
Security is not a feature that gets bolted on at the end. Every layer of CapitalBridge, from the network edge to the database row, is designed to protect financial data against unauthorized access, loss, and tampering.
Data Encryption
All data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted using AES-256 via Azure platform encryption. Database connections use encrypted channels by default. No plaintext financial data ever leaves the secure boundary.
Authentication
Multi-factor authentication via authenticator app, SMS, or email verification. Sessions are managed through JWT tokens with security stamp validation, so any password change or permission update immediately invalidates all active sessions. Brute-force protection with lockout policies after failed attempts.
Access Control
Four-tier role-based access control: Admin, Manager, Analyst, and Counterparty. Each role has explicit permissions scoped to specific portfolios, counterparties, and actions. Counterparty users only see their own submissions and data. Portfolio managers see only the portfolios they are assigned to.
Audit Logging
Every action is logged with the user, timestamp, and affected entity. Field-level change tracking records the previous and new value for every modification. Submission history captures the full lifecycle from creation through approval. All audit data is exportable for regulatory reporting.
Document Storage
All uploaded documents are stored in Azure Blob Storage private containers. File access uses time-limited SAS tokens that expire after each download session. Storage paths are tenant-isolated, so one organization's documents are never co-located with another's, even at the file system level.
Infrastructure
Hosted on Microsoft Azure with region selection (EU by default). Application secrets and connection strings are stored in Azure Key Vault, never in code or config files. All endpoints enforce HTTPS with anti-forgery token validation on every state-changing request. Regular dependency scanning and patching cycles.
Every change, every field, every user
Regulatory auditors want to know who changed what, when, and what the previous value was. CapitalBridge captures this automatically for every entity in the system, from submission status transitions to covenant threshold adjustments.
- Field-level before/after values on every edit
- Full submission lifecycle (Created, Submitted, Approved, Rejected)
- Exportable audit reports for regulators and internal reviews
- Tamper-proof, append-only log storage
Your data stays yours
We are a data processor, not a data owner. You retain full ownership and control over every document, metric, and record stored in CapitalBridge.
Customer data ownership
All data you or your counterparties upload belongs to you. We do not use customer data for training, analytics, benchmarking, or any purpose beyond operating the platform on your behalf.
No third-party data sharing
Your financial statements, covenant data, and compliance records are never shared with third parties. Sub-processors (Azure hosting, email delivery) are documented in our DPA and limited to infrastructure services only.
Full data export
Export all your data at any time in standard formats. Submissions, documents, financial metrics, audit logs, and user records. No vendor lock-in, no proprietary formats, no fees for data portability.
Data deletion on request
When you end your subscription, we delete all customer data within 30 days. If you need earlier deletion or selective record removal under GDPR, we process those requests promptly with confirmation.
Questions about security?
We are happy to discuss our security architecture, share compliance documentation, or walk through our controls with your IT or compliance team. Reach out directly or schedule a call.