Security Statement
Security at Funder Compass
Funder Compass is designed using industry standard security practices to protect customer data. This statement describes the controls in place; it is not an audit, certification or guarantee of any specific outcome.
Encryption
Data in transit is encrypted using TLS. Data at rest is stored in encrypted, managed cloud infrastructure.
Authentication
Password-based sign-in with optional time-based one-time password (TOTP) multi-factor authentication. Session tokens are short-lived and rotated automatically.
Role-based access & row-level security
Application access is governed by roles. Database access is enforced by Postgres row-level security policies so users only see rows they are entitled to.
Audit logs
Key actions — loan creation, stage changes, document uploads, checklist completions — are recorded in an append-only activity log.
Private storage
Uploaded loan documents are stored in private buckets. Signed URLs are issued on demand and expire.
Backups & recovery
The managed database performs automated backups with point-in-time recovery.
Secure cloud infrastructure
The platform runs on managed cloud infrastructure with hardened baselines, network isolation and continuous vendor security updates.
Access controls
Administrator access to production systems is restricted, logged and reviewed. Service credentials are stored in a managed secrets vault.
Shared responsibility
No system is 100% secure. The controls above are designed to reduce risk, not eliminate it. Customers remain responsible for password hygiene, authorised-user management and their own device security.
This statement is maintained by eCapital Investments Group Pty Ltd to answer common security questions about Funder Compass. It is a description of enabled controls, not an independent certification or audit report.