Zero Trust Security Architecture

Your financial data is never trusted, always verified.

Castford applies zero trust principles to every data interaction — whether your team connects via our integration portal or uploads files manually. No implicit trust. Every request authenticated. Every byte encrypted.

SOC 2 Ready · GDPR compliant · SOX 404 ready

Compliance & Certifications

SOC 2: Ready
GDPR: Compliant
SOX 404: Ready
ISO 27001
CCPA: Compliant
HIPAA: BAA Available

Zero Trust Framework

Never trust, always verify

Every data interaction within Castford follows six core zero trust principles. No user, device, or system is implicitly trusted — regardless of whether it sits inside or outside the network perimeter.

01. Verify every identity

Every user and service account is authenticated before accessing any resource. Multi-factor authentication (MFA) is enforced for all human users. Service-to-service calls use short-lived, automatically rotated credentials — never static API keys.

02. Least privilege access

Users and integrations receive only the minimum permissions required for their role. A VP of Finance sees consolidated reports; a department analyst sees only their cost center. Connector service accounts are scoped to read-only access by default.

03. Encrypt everything

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Encryption keys are managed through a dedicated key management service with automatic rotation every 90 days. Customer data and key material are never stored in the same system.

04. Assume breach

Every system component is designed as if neighboring components may already be compromised. Micro-segmentation isolates customer data environments. Lateral movement is blocked by default — even internal services must authenticate to access data stores.

05. Continuous monitoring

Every access event is logged and analyzed in real time. Anomalous patterns — such as a user querying data outside their normal scope, or a connector pulling an unusual volume — trigger automated alerts and can suspend access within seconds.
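The two anomaly patterns named above can be expressed directly against an access log. The following is an added example for PostgreSQL, not Castford's own code: the `access_events` and `principal_suspensions` tables, the 3x-baseline threshold, the 20-run window and the sample rows are all constructed assumptions. A trigger evaluates the connector-volume rule on every insert and records a suspension, which is how "suspend access within seconds" can be backed by the database rather than a batch job; the out-of-scope rule is a query meant to run on a schedule.

```sql
-- Added example (constructed schema, not Castford's own): anomaly detection
-- over an access-event log, for PostgreSQL.
CREATE TABLE access_events (
    event_id       bigserial   PRIMARY KEY,
    occurred_at    timestamptz NOT NULL DEFAULT now(),
    tenant_id      uuid        NOT NULL,
    principal      text        NOT NULL,   -- user id or connector service account
    principal_kind text        NOT NULL CHECK (principal_kind IN ('user', 'connector')),
    resource       text        NOT NULL,   -- e.g. a cost center or a source object
    rows_returned  integer     NOT NULL CHECK (rows_returned >= 0)
);

-- Principals the automated response has suspended; the application's
-- authorisation check consults this table before serving a request.
CREATE TABLE principal_suspensions (
    tenant_id    uuid        NOT NULL,
    principal    text        NOT NULL,
    reason       text        NOT NULL,
    suspended_at timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (tenant_id, principal)
);

-- Pattern 2 ("a connector pulling an unusual volume"), checked on every insert:
-- compare this run with the connector's previous 20 runs and suspend it when the
-- volume exceeds 3x the baseline average. Threshold and window are assumptions.
CREATE OR REPLACE FUNCTION check_connector_volume() RETURNS trigger AS $$
DECLARE
    baseline_avg numeric;
    baseline_n   bigint;
BEGIN
    IF NEW.principal_kind <> 'connector' THEN
        RETURN NEW;
    END IF;
    SELECT avg(r.rows_returned), count(*) INTO baseline_avg, baseline_n
    FROM (SELECT rows_returned FROM access_events
          WHERE tenant_id = NEW.tenant_id AND principal = NEW.principal
            AND event_id <> NEW.event_id   -- AFTER trigger: the new row is already visible
          ORDER BY occurred_at DESC LIMIT 20) AS r;
    IF baseline_n >= 5 AND NEW.rows_returned > 3 * baseline_avg THEN
        INSERT INTO principal_suspensions (tenant_id, principal, reason)
        VALUES (NEW.tenant_id, NEW.principal,
                format('pulled %s rows against a baseline average of %s',
                       NEW.rows_returned, round(baseline_avg)))
        ON CONFLICT (tenant_id, principal) DO NOTHING;
    END IF;
    RETURN NEW;
END
$$ LANGUAGE plpgsql;

CREATE TRIGGER connector_volume_check
AFTER INSERT ON access_events
FOR EACH ROW EXECUTE FUNCTION check_connector_volume();

-- Constructed sample data: six normal connector syncs of roughly 1,000 rows,
-- then one pulling 25,000; analyst 'alice' normally reads cost center CC-200.
INSERT INTO access_events (occurred_at, tenant_id, principal, principal_kind, resource, rows_returned)
SELECT now() - make_interval(days => n), '11111111-1111-1111-1111-111111111111',
       'svc-netsuite-sync', 'connector', 'gl_transactions', 950 + 20 * n
FROM generate_series(1, 6) AS n;

INSERT INTO access_events (occurred_at, tenant_id, principal, principal_kind, resource, rows_returned) VALUES
  (now() - interval '10 days', '11111111-1111-1111-1111-111111111111', 'alice', 'user', 'CC-200', 340),
  (now() - interval '7 days',  '11111111-1111-1111-1111-111111111111', 'alice', 'user', 'CC-200', 355),
  (now() - interval '4 days',  '11111111-1111-1111-1111-111111111111', 'alice', 'user', 'CC-200', 362),
  (now() - interval '1 hour',  '11111111-1111-1111-1111-111111111111', 'alice', 'user', 'CC-900', 1200),
  (now(), '11111111-1111-1111-1111-111111111111', 'svc-netsuite-sync', 'connector', 'gl_transactions', 25000);

-- Pattern 1 ("a user querying data outside their normal scope"): a resource
-- touched in the last 24 hours that never appeared in that user's prior 30 days.
WITH baseline AS (
    SELECT DISTINCT tenant_id, principal, resource
    FROM access_events
    WHERE principal_kind = 'user'
      AND occurred_at >= now() - interval '30 days'
      AND occurred_at <  now() - interval '1 day'
)
SELECT e.event_id, e.principal, e.resource, e.occurred_at
FROM access_events AS e
LEFT JOIN baseline AS b USING (tenant_id, principal, resource)
WHERE e.principal_kind = 'user'
  AND e.occurred_at >= now() - interval '1 day'
  AND b.resource IS NULL;               -- expected: alice / CC-900

SELECT * FROM principal_suspensions;    -- expected: svc-netsuite-sync, suspended by the trigger
```

Two caveats a detection engineer would add: a user with no history in the 30-day window is flagged on every access by the scope rule, so gate it on a minimum number of baseline events as the volume trigger already does; and the suspension only has effect if the authorization path actually reads `principal_suspensions` on every request rather than caching the decision.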

06. Immutable audit trail

Every data access, transformation, and export is recorded in a tamper-proof audit log. These logs are retained for 7 years and can be exported for SOX compliance audits, internal investigations, or regulatory review at any time.

Data Ingestion

What happens to your data

Whether your team connects through our integration portal or uploads files manually, every piece of financial data follows the same zero trust pipeline from the moment it enters Castford.

A. Integration Portal (Connectors)

When a customer connects their ERP, CRM, HRIS, or billing system through the Castford connector portal, the following happens:

1. Customer authenticates via OAuth 2.0 or SAML SSO with the source system (e.g., NetSuite, SAP, Salesforce). Castford never receives or stores the customer's source system password.
2. A scoped, read-only access token is issued by the source system. This token is encrypted and stored in a dedicated secrets vault — isolated from the application database.
3. Data is pulled through the connector over TLS 1.3 encrypted channels. The raw payload is validated against the expected schema before any processing occurs.
4. Validated data is written to the customer's RLS-enforced environment. Postgres Row-Level Security policies prevent cross-tenant data access at the database layer.
5. Schema mapping and transformation happen within the customer's partition. Original source records are preserved alongside the mapped data for full audit lineage.
6. Sync status, record counts, and any anomalies are logged to the immutable audit trail. The customer can view the full sync history in their dashboard.

B. Manual File Upload

When a customer uploads financial data manually (CSV, Excel, PDF), the file goes through the same zero trust pipeline:

1. The file is uploaded over TLS 1.3 directly to a temporary staging area. The upload session is authenticated with the user's active session token and validated against their role permissions.
2. The file is scanned for malware, macros, and anomalous content before any processing. Files that fail validation are quarantined and the user is notified.
3. Validated files are parsed and the data is extracted. The original file is encrypted with AES-256 and archived in the customer's isolated storage partition for reference.
4. Extracted data goes through the same schema validation and mapping pipeline as connector data. No shortcuts — manual uploads receive identical security treatment.
5. The user is shown a preview of the mapped data before it is committed. They can review, adjust mapping, or cancel. Nothing is written to the financial model until the user confirms.
6. Upload metadata (who uploaded, when, file hash, record count, mapping applied) is logged to the immutable audit trail. The original file hash is preserved for integrity verification.

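Principle 06 and step 6 of both ingestion pipelines depend on a log that is append-only and whose integrity can be checked after the fact. The following added example, for PostgreSQL, is not Castford's implementation; the `audit_log` table, the `audit_writer` role and the hash-chain design are assumptions. It combines three controls: the application role is granted INSERT and SELECT only, a trigger rejects UPDATE and DELETE even for the table owner, and each row's SHA-256 covers the previous row's hash, so a row that is later altered or removed breaks the chain for every row after it.

```sql
-- Added example (constructed, not Castford's own): an append-only, hash-chained
-- audit log for PostgreSQL. Uses the pgcrypto extension for digest().
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE audit_log (
    seq         bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    actor       text        NOT NULL,
    action      text        NOT NULL,   -- e.g. 'file.upload', 'data.export'
    detail      jsonb       NOT NULL,   -- file hash, record count, mapping applied, ...
    recorded_at timestamptz NOT NULL DEFAULT now(),
    prev_hash   bytea,                  -- NULL only for the first row
    row_hash    bytea       NOT NULL
);

-- The application connects as a role that can append and read, nothing else.
CREATE ROLE audit_writer NOLOGIN;       -- hypothetical role name
GRANT SELECT, INSERT ON audit_log TO audit_writer;
GRANT USAGE ON SEQUENCE audit_log_seq_seq TO audit_writer;

-- Reject UPDATE and DELETE for everyone, including the table owner.
CREATE OR REPLACE FUNCTION audit_log_reject_mutation() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only; % is not permitted', TG_OP;
END
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_log_append_only
BEFORE UPDATE OR DELETE ON audit_log
FOR EACH ROW EXECUTE FUNCTION audit_log_reject_mutation();

-- Canonical bytes the hash covers, shared by the chaining trigger and the verifier.
-- jsonb text output has a fixed key order; the timestamp is normalised to UTC so
-- the result does not depend on the session time zone.
CREATE OR REPLACE FUNCTION audit_log_hash_input(
    p_prev bytea, p_tenant uuid, p_actor text, p_action text, p_detail jsonb, p_at timestamptz
) RETURNS bytea AS $$
    SELECT convert_to(jsonb_build_object(
        'prev',   encode(coalesce(p_prev, ''::bytea), 'hex'),
        'tenant', p_tenant, 'actor', p_actor, 'action', p_action,
        'detail', p_detail, 'at', (p_at AT TIME ZONE 'UTC'))::text, 'UTF8');
$$ LANGUAGE sql STABLE;

-- Link each new row to the current chain head.
CREATE OR REPLACE FUNCTION audit_log_chain() RETURNS trigger AS $$
DECLARE
    last_hash bytea;
BEGIN
    -- Serialise chain extension so two concurrent inserts cannot share a predecessor.
    PERFORM pg_advisory_xact_lock(hashtext('audit_log_chain'));
    SELECT row_hash INTO last_hash FROM audit_log ORDER BY seq DESC LIMIT 1;
    NEW.prev_hash := last_hash;
    NEW.row_hash  := digest(audit_log_hash_input(last_hash, NEW.tenant_id, NEW.actor,
                                                 NEW.action, NEW.detail, NEW.recorded_at), 'sha256');
    RETURN NEW;
END
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_log_chain_rows
BEFORE INSERT ON audit_log
FOR EACH ROW EXECUTE FUNCTION audit_log_chain();

-- Recompute every row's hash and check its link to the previous surviving row.
CREATE OR REPLACE FUNCTION audit_log_verify()
RETURNS TABLE (log_seq bigint, chain_ok boolean) AS $$
    SELECT a.seq,
           a.prev_hash IS NOT DISTINCT FROM lag(a.row_hash) OVER (ORDER BY a.seq)
           AND a.row_hash = digest(audit_log_hash_input(a.prev_hash, a.tenant_id, a.actor,
                                                        a.action, a.detail, a.recorded_at), 'sha256')
    FROM audit_log AS a
    ORDER BY a.seq;
$$ LANGUAGE sql STABLE;

-- Constructed sample rows: a manual upload, then an export by the same tenant.
INSERT INTO audit_log (tenant_id, actor, action, detail) VALUES
  ('11111111-1111-1111-1111-111111111111', 'alice', 'file.upload',
   '{"file_sha256": "<constructed placeholder hash>", "record_count": 1240, "mapping": "gl-v2"}');
INSERT INTO audit_log (tenant_id, actor, action, detail) VALUES
  ('11111111-1111-1111-1111-111111111111', 'bob', 'data.export',
   '{"format": "csv", "record_count": 1240}');

SELECT * FROM audit_log_verify();      -- both rows: chain_ok = true
DELETE FROM audit_log WHERE seq = 1;   -- ERROR: audit_log is append-only; DELETE is not permitted
```

The verifier is what makes the log tamper-evident rather than merely hard to change: if a privileged operator disables the trigger and edits or removes a row, `audit_log_verify()` reports `chain_ok = false` from that point on. The chain head read inside the trigger assumes READ COMMITTED, where the statement sees rows committed by the writer that held the advisory lock before it; under REPEATABLE READ a waiting writer could link to a stale head, so the verifier would then flag a legitimate row.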
Data Lifecycle

From ingestion to deletion

Every stage of the data lifecycle is governed by zero trust controls. Here is exactly what happens to customer financial data inside Castford.

1. Ingestion

Data enters through connector sync or manual upload. Encrypted in transit via TLS 1.3. Authenticated session required. Schema validated before acceptance.

AES-256 in transit -- OAuth 2.0 or session token auth

2. Isolation

Data is written with Row-Level Security (RLS) enforced on every query. Tenant isolation is guaranteed at the Postgres database layer — every query is scoped to the authenticated customer's organization ID.

Postgres RLS enforcement -- tenant_id scoping on every query
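The isolation stage is the page's most concrete control, so here is an added example of what scoping every query to `tenant_id` looks like in PostgreSQL Row-Level Security. It is not Castford's schema or policy set: the `ledger_entries` table, the `app_user` role, the `app.*` session settings and the sample rows are assumptions. It also carries the least-privilege rule from principle 02 (a finance executive sees the whole tenant, an analyst only their cost center) as a restrictive policy layered on top of the tenant policy, since the two controls sit on the same table in practice.

```sql
-- Added example (constructed, not Castford's own): tenant isolation and
-- in-tenant least privilege with PostgreSQL Row-Level Security.
CREATE TABLE ledger_entries (
    id           bigserial PRIMARY KEY,
    tenant_id    uuid      NOT NULL,
    cost_center  text      NOT NULL,
    account      text      NOT NULL,
    amount_cents bigint    NOT NULL
);

ALTER TABLE ledger_entries ENABLE ROW LEVEL SECURITY;
ALTER TABLE ledger_entries FORCE ROW LEVEL SECURITY;   -- policies bind the table owner too

-- The application sets app.tenant_id per transaction from the authenticated
-- session, never from request input. Unset or empty yields NULL, so the
-- comparison fails closed and no rows are visible.
CREATE OR REPLACE FUNCTION app_tenant_id() RETURNS uuid AS $$
    SELECT nullif(current_setting('app.tenant_id', true), '')::uuid;
$$ LANGUAGE sql STABLE;

-- Policy 1: every read and write is scoped to the caller's tenant.
CREATE POLICY tenant_isolation ON ledger_entries
    USING (tenant_id = app_tenant_id())
    WITH CHECK (tenant_id = app_tenant_id());

-- Policy 2 (restrictive, so it is ANDed with policy 1): a finance executive
-- sees the whole tenant, an analyst only their own cost center.
CREATE POLICY cost_center_scope ON ledger_entries AS RESTRICTIVE FOR SELECT
    USING (
        current_setting('app.user_role', true) = 'finance_vp'
        OR cost_center = nullif(current_setting('app.cost_center', true), '')
    );

-- Non-superuser application role: superusers bypass RLS, so never connect as one.
CREATE ROLE app_user NOLOGIN;                           -- hypothetical role name
GRANT app_user TO CURRENT_USER;                         -- lets this script SET ROLE below
GRANT SELECT, INSERT ON ledger_entries TO app_user;
GRANT USAGE ON SEQUENCE ledger_entries_id_seq TO app_user;

-- Constructed sample data, inserted tenant by tenant: WITH CHECK rejects any
-- row whose tenant_id differs from the session's tenant.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO ledger_entries (tenant_id, cost_center, account, amount_cents) VALUES
  ('11111111-1111-1111-1111-111111111111', 'CC-200', '6100 Travel',   125000),
  ('11111111-1111-1111-1111-111111111111', 'CC-300', '6200 Software', 480000);
COMMIT;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO ledger_entries (tenant_id, cost_center, account, amount_cents) VALUES
  ('22222222-2222-2222-2222-222222222222', 'CC-200', '6100 Travel', 99000);
COMMIT;

-- Read as an analyst of tenant 1 scoped to CC-200.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id   = '11111111-1111-1111-1111-111111111111';
SET LOCAL app.user_role   = 'analyst';
SET LOCAL app.cost_center = 'CC-200';

SELECT cost_center, account, amount_cents FROM ledger_entries;
-- expected: one row, CC-200 / 6100 Travel / 125000

-- A predicate naming another tenant cannot widen the view; the policy is ANDed in.
SELECT count(*) FROM ledger_entries
 WHERE tenant_id = '22222222-2222-2222-2222-222222222222';  -- expected: 0

-- A cross-tenant write is rejected by WITH CHECK (left commented so the script runs):
-- INSERT INTO ledger_entries (tenant_id, cost_center, account, amount_cents)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'CC-200', '6100 Travel', 1);
-- ERROR:  new row violates row-level security policy for table "ledger_entries"
COMMIT;
-- With app.user_role = 'finance_vp' the same tenant-1 session returns both of its rows.
```

Two points worth checking in any RLS deployment: the settings must be applied with `SET LOCAL` inside the transaction that serves the request, after the JWT or session has been verified, because a value left on a pooled connection leaks the previous tenant's scope; and the role the application connects as must be neither a superuser nor one granted `BYPASSRLS`, or every policy above is silently skipped. Supabase-hosted Postgres usually keys policies on JWT claims (for example through `auth.uid()`) rather than a custom setting; the session-setting approach here is an assumption chosen to keep the example self-contained.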

3. Processing

Financial models, AI analysis, variance detection, and forecasting operate within the customer's RLS-enforced context. The AI layer (Anthropic Claude API) receives only the specific data needed for the current query — no persistent access, no cross-tenant visibility.

Anthropic Claude API -- per-query data scoping

4. Storage

Processed data is encrypted at rest with AES-256, managed by Supabase's infrastructure encryption. Customer-managed keys (BYOK) are on the enterprise roadmap for 2026.

AES-256 at rest -- Supabase-managed encryption

5. Access

Every query, report, export, and API call is authenticated and authorized against the user's role and permissions. Sensitive operations (bulk export, admin changes) require re-authentication. All access events are logged.

Role-based access control -- re-auth for sensitive operations

6. Retention & Deletion

Customers control their data retention policy. When a customer requests deletion, all data — including backups, derived models, and cached results — is cryptographically erased within 30 days. A certificate of destruction is issued upon completion.

Customer-controlled retention -- 30-day crypto-erasure -- destruction certificate

Encryption

Encryption at every layer

Data State | Method | Standard | Key Management
In transit (connector sync) | TLS 1.3 | AEAD cipher suites only | Certificate pinning, automatic renewal
In transit (manual upload) | TLS 1.3 | AEAD cipher suites only | Certificate pinning, automatic renewal
In transit (API calls) | TLS 1.3 | AEAD cipher suites | JWT-based authentication
At rest (primary storage) | AES-256-GCM | Industry-standard AEAD | Supabase-managed encryption
At rest (backups) | AES-256-GCM | Industry-standard AEAD | Separate backup encryption key
At rest (audit logs) | AES-256-GCM | Immutable, append-only | Separate audit key, 7-year retention
Secrets (OAuth tokens, API keys) | AES-256 envelope | Isolated secrets vault | Automatic rotation, never in application DB

Compliance & Governance

Built for regulated industries

Castford is designed for finance teams operating under SOX, GDPR, CCPA, HIPAA, and industry-specific regulatory requirements.

SOX 404 Compliance

Continuous control monitoring, segregation of duties enforcement, immutable audit trails, and one-click evidence export for internal and external auditors. Designed for public company finance teams.

GDPR Data Protection

Right to access, right to erasure, data portability, and processing records. Data residency options for EU customers. Data Processing Agreement (DPA) available for all customers.

SOC 2 Ready

Annual third-party audit covering security, availability, processing integrity, confidentiality, and privacy. Audit report available to customers and prospects under NDA.

CCPA Consumer Privacy

Do-not-sell compliance, consumer data access requests, and deletion workflows. Applicable to customers operating in California or processing California resident data.

HIPAA (BAA Available)

Business Associate Agreement available for healthcare and life sciences customers. PHI-specific controls, access restrictions, and breach notification procedures.

ISO 27001 Information Security

Certified information security management system covering risk assessment, access control, incident management, and business continuity planning.

Customer Control

You own your data. Period.

Castford never sells, shares, or uses customer data to train AI models. Your financial data is yours — and you can export or delete it at any time.

100% customer-owned

Your financial data belongs to you. Castford acts as a data processor, never a data owner. We process your data solely to provide the services you've contracted for.

Zero AI training on your data

Castford uses Anthropic's Claude API for AI capabilities. Anthropic's data policy guarantees API inputs are never used for model training. No training on your financial data, ever.

30 days to full deletion

When you request deletion, all data — primary storage, backups, derived models, cached results, and audit logs beyond regulatory minimums — is cryptographically erased within 30 calendar days.

Frequently Asked

Security questions from finance teams

Can Castford employees access my financial data?

No. Customer data is protected by Supabase's AES-256 encryption at rest, with Row-Level Security (RLS) policies enforcing tenant isolation at the database layer. Access is further restricted by role-based controls. Castford engineering and support staff do not have access to customer financial data in the normal course of operations. In the rare case that access is needed for a support escalation, it requires written customer approval, time-limited access, and full audit logging.

Where is my data stored geographically?

Castford data is stored in AWS us-west-2 via Supabase, with global edge distribution through Vercel. Multi-region data residency is on the 2026 enterprise roadmap. Contact sales@castford.com if specific residency is a contract requirement.

What happens if I disconnect a connector?

When you disconnect a connector, the OAuth token is immediately revoked and deleted from the secrets vault. Previously synced data remains in your Castford environment for continuity, but no new data will be pulled. You can choose to delete the synced data at any time through the data management console.

Is my data used to train Castford AI models?

No. Castford doesn't train its own AI models — the AI copilot is powered by Anthropic's Claude API. Anthropic's data policy guarantees that API inputs are never used to train their models. Your financial data is sent only for the duration of each query and is not persisted by the AI provider.

Can I export all my data if I cancel?

Yes. Castford provides a full data export capability in standard formats (CSV, JSON, Excel). You can export at any time during your subscription or within 90 days after cancellation. After the 90-day window, data is queued for cryptographic erasure. Enterprise customers can negotiate extended export windows in their contract.

Do you have a penetration testing program?

We run a responsible disclosure program for external security researchers (security@castford.com) and perform continuous self-directed vulnerability scanning. Formal third-party penetration testing is scheduled for H2 2026. Prospects requiring pen test reports pre-deal can contact security@castford.com to discuss accelerated timelines.

Ready to see our security in action?

Request a security review with our trust team. We'll walk through our zero trust architecture, compliance certifications, and data handling practices.

The SOC 2 report is available to qualified prospects under NDA.