Security

Built for institutions that can't afford to compromise.

Trade finance runs on trust. SCFPro is designed to protect every document, every transaction and every user - at every step - with controls that match the expectations of regulated financial institutions.

Controls

Security controls built into every layer

Data Encryption

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Sensitive documents are stored in access-controlled, encrypted storage - never exposed to unauthorised parties.

Role-Based Access Control

Granular permissions ensure each user - whether bank staff, corporate buyer or SME supplier - can only access the data and actions appropriate to their role. Buyer, supplier and institution data are siloed and isolated.

Audit Logging

Every key action is logged, timestamped and attributed to a named user. You get full traceability of document changes, approval decisions and user activity - exportable for internal reviews, KYC and compliance audits.

Multi-Factor Authentication

MFA is available across all user types. Session tokens are rotated and expired using best-practice session integrity controls, reducing the risk of credential-based compromise.

Maker-Checker Controls

Dual-authorisation is enforced for your institution's team on all high-risk actions and financing decisions. The same maker-checker logic is available as an optional control for corporate buyers - mirroring the governance standards your institution already applies.

End-to-End Encrypted Messaging

In-app communication between buyers, suppliers and institution staff is end-to-end encrypted and scoped to specific transactions. Documents exchanged through the platform's messaging layer receive the same encryption treatment.

Compliance posture

Designed to meet the expectations of regulated environments

We follow industry-standard security protocols and work closely with financial institutions during implementation to meet their internal IT security requirements, regulator guidelines and other applicable frameworks.

Our architecture is designed to meet SOC 2 expectations. While formal certification is in progress, our controls are built to the same standard - and we're happy to share our security documentation, data processing agreements and technical architecture details with your IT and compliance team during the sales process.

Security principles

Least-privilege access by default

Every user account starts with the minimum access required for their role. Elevated permissions must be explicitly granted.

Data isolation between institutions

Each institution's data is logically isolated. No data from one deploying institution is ever visible to another.

Continuous logging, not periodic audits

Activity logging runs continuously. Every state change is captured in real time - not reconstructed after the fact.

Your IT team sets the integration spec

For core banking integration, your IT and security teams define the requirements. Implementation is effected in-app.

Responsible disclosure

If you believe you've found a security vulnerability in SCFPro, we want to hear from you. Please contact our security team directly. We commit to acknowledging your report within 48 hours and keeping you informed as we investigate.

security@scfpro.com

Ready to proceed

Security questions before you move forward?

We're happy to share data processing agreements or connect you with our technical team to complete your institution's vendor assessment.