Zero Trust Security Architecture

Your financial data is never trusted, always verified

Castford applies zero trust principles to every data interaction — whether your team connects via our integration portal or uploads files manually. No implicit trust. Every request authenticated. Every byte encrypted.

SOC 2 Type II certified -- GDPR compliant -- SOX 404 ready

Compliance & Certifications

SOC 2 Type II
GDPR Compliant
SOX 404 Ready
ISO 27001
CCPA Compliant
HIPAA BAA Available

Zero Trust Framework

Never trust, always verify

Every data interaction within Castford follows six core zero trust principles. No user, device, or system is implicitly trusted — regardless of whether it sits inside or outside the network perimeter.

01. Verify every identity

Every user and service account is authenticated before accessing any resource. Multi-factor authentication (MFA) is enforced for all human users. Service-to-service calls use short-lived, automatically rotated credentials — never static API keys.

02. Least privilege access

Users and integrations receive only the minimum permissions required for their role. A VP of Finance sees consolidated reports; a department analyst sees only their cost center. Connector service accounts are scoped to read-only access by default.

03. Encrypt everything

All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Encryption keys are managed through a dedicated key management service with automatic rotation every 90 days. Customer data and key material are never stored in the same system.

04. Assume breach

Every system component is designed as if neighboring components may already be compromised. Micro-segmentation isolates customer data environments. Lateral movement is blocked by default — even internal services must authenticate to access data stores.

05. Continuous monitoring

Every access event is logged and analyzed in real time. Anomalous patterns — such as a user querying data outside their normal scope, or a connector pulling an unusual volume — trigger automated alerts and can suspend access within seconds.

06. Immutable audit trail

Every data access, transformation, and export is recorded in a tamper-proof audit log. These logs are retained for 7 years and can be exported for SOX compliance audits, internal investigations, or regulatory review at any time.

Data Ingestion

What happens to your data

Whether your team connects through our integration portal or uploads files manually, every piece of financial data follows the same zero trust pipeline from the moment it enters Castford.

A. Integration Portal (Connectors)

When a customer connects their ERP, CRM, HRIS, or billing system through the Castford connector portal, the following happens:

1. Customer authenticates via OAuth 2.0 or SAML SSO with the source system (e.g., NetSuite, SAP, Salesforce). Castford never receives or stores the customer's source system password.
2. A scoped, read-only access token is issued by the source system. This token is encrypted and stored in a dedicated secrets vault — isolated from the application database.
3. Data is pulled through the connector over TLS 1.3 encrypted channels. The raw payload is validated against the expected schema before any processing occurs.
4. Validated data is written to the customer's isolated data environment (single-tenant logical partition). No cross-customer data mixing ever occurs.
5. Schema mapping and transformation happen within the customer's partition. Original source records are preserved alongside the mapped data for full audit lineage.
6. Sync status, record counts, and any anomalies are logged to the immutable audit trail. The customer can view the full sync history in their dashboard.

B. Manual File Upload

When a customer uploads financial data manually (CSV, Excel, PDF), the file goes through the same zero trust pipeline:

1. The file is uploaded over TLS 1.3 directly to a temporary staging area. The upload session is authenticated with the user's active session token and validated against their role permissions.
2. The file is scanned for malware, macros, and anomalous content before any processing. Files that fail validation are quarantined and the user is notified.
3. Validated files are parsed and the data is extracted. The original file is encrypted with AES-256 and archived in the customer's isolated storage partition for reference.
4. Extracted data goes through the same schema validation and mapping pipeline as connector data. No shortcuts — manual uploads receive identical security treatment.
5. The user is shown a preview of the mapped data before it is committed. They can review, adjust mapping, or cancel. Nothing is written to the financial model until the user confirms.
6. Upload metadata (who uploaded, when, file hash, record count, mapping applied) is logged to the immutable audit trail. The original file hash is preserved for integrity verification.
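
As an added example (not Castford's code), this Go sketch shows the shape of step 6 and of the immutable audit trail principle: each upload's metadata is appended to a hash-chained log in which every entry commits to the previous entry's hash, and the archived file is later checked against the SHA-256 recorded at upload time. The field names and the "genesis" sentinel are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// UploadEvent is what the trail records for one upload: who, when, file hash, record count, mapping.
type UploadEvent struct {
	User, UploadedAt, Mapping, FileSHA256 string
	RecordCount                           int
}

// Entry is one append-only log line; Prev is the previous entry's Hash.
type Entry struct{ Prev string; Event UploadEvent; Hash string }
type AuditLog struct{ Entries []Entry }

// Digest returns the hex SHA-256 of file bytes; it is what FileSHA256 stores.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// chainHash binds an event to its position by hashing it together with prev,
// so altering or dropping any earlier entry invalidates every hash after it.
func chainHash(prev string, ev UploadEvent) string {
	body, _ := json.Marshal(ev) // struct fields marshal in declaration order
	return Digest(append([]byte(prev+"|"), body...))
}

// Append is the only write path; nothing ever updates or deletes an Entry.
func (l *AuditLog) Append(ev UploadEvent) Entry {
	prev := "genesis" // assumed sentinel for the first entry
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{prev, ev, chainHash(prev, ev)}
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes the chain; returns the index of the first bad entry, or -1 if intact.
func (l *AuditLog) Verify() int {
	prev := "genesis"
	for i, e := range l.Entries {
		if e.Prev != prev || e.Hash != chainHash(prev, e.Event) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// VerifyFile checks an archived file against the hash recorded at upload time.
func VerifyFile(e Entry, data []byte) bool { return Digest(data) == e.Event.FileSHA256 }
```
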

Data Lifecycle

From ingestion to deletion

Every stage of the data lifecycle is governed by zero trust controls. Here is exactly what happens to customer financial data inside Castford.

[Diagram: data-lifecycle-flow]

1. Ingestion

Data enters through connector sync or manual upload. Encrypted in transit via TLS 1.3. Authenticated session required. Schema validated before acceptance.

TLS 1.3 (AES-256) in transit -- OAuth 2.0 or session token auth

2. Isolation

Data is written to the customer's logically isolated partition. Each customer's data environment is separated at the storage, compute, and network layers. No shared tables, no shared query engines.

Single-tenant logical partition -- network micro-segmentation

3. Processing

Financial models, AI analysis, variance detection, and forecasting happen entirely within the customer's partition. The AI engine accesses only that customer's data — it has no visibility into other customer environments, ever.

AI inference within partition -- no cross-tenant data access

4. Storage

Processed data is encrypted at rest with AES-256. Encryption keys are customer-specific and managed through a dedicated key management service. Keys rotate automatically every 90 days. Customers can also bring their own keys (BYOK).

AES-256 at rest -- customer-specific keys -- 90-day rotation

5. Access

Every query, report, export, and API call is authenticated and authorized against the user's role and permissions. Sensitive operations (bulk export, admin changes) require re-authentication. All access events are logged.

Role-based access control -- re-auth for sensitive operations

6. Retention & Deletion

Customers control their data retention policy. When a customer requests deletion, all data — including backups, derived models, and cached results — is cryptographically erased within 30 days. A certificate of destruction is issued upon completion.

Customer-controlled retention -- 30-day crypto-erasure -- destruction certificate

Encryption

Encryption at every layer

| Data State | Method | Standard | Key Management |
|---|---|---|---|
| In transit (connector sync) | TLS 1.3 | AEAD cipher suites only | Certificate pinning, automatic renewal |
| In transit (manual upload) | TLS 1.3 | AEAD cipher suites only | Certificate pinning, automatic renewal |
| In transit (API calls) | TLS 1.3 + mTLS | Mutual authentication | Short-lived client certificates |
| At rest (primary storage) | AES-256-GCM | FIPS 140-2 Level 3 | Customer-specific keys, 90-day rotation |
| At rest (backups) | AES-256-GCM | FIPS 140-2 Level 3 | Separate backup encryption key |
| At rest (audit logs) | AES-256-GCM | Immutable, append-only | Separate audit key, 7-year retention |
| Secrets (OAuth tokens, API keys) | AES-256 envelope | Isolated secrets vault | Automatic rotation, never in application DB |
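
An added example, not Castford's implementation, of the envelope-encryption and crypto-erasure pattern the Storage and Retention stages and the table above describe: each record is sealed under its own AES-256-GCM data key (DEK), that DEK is wrapped under a customer-specific key-encryption key (KEK), and destroying the KEK renders every record, including any backup copies, unrecoverable. The in-memory byte-slice KEK stands in for a KMS-managed key, and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mustGCM builds an AES-256-GCM AEAD; a key that is not 32 bytes is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // NewGCM only fails for non-AES block sizes
	return g
}

// seal returns nonce||ciphertext under a fresh nonce; aad binds the blob to one tenant.
func seal(key, pt, aad []byte) []byte {
	g := mustGCM(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read cannot fail (Go 1.24+)
	return g.Seal(nonce, nonce, pt, aad)
}

// open reverses seal; GCM rejects a wrong key, a wrong tenant aad or tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	g := mustGCM(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("truncated ciphertext")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Store seals data under a fresh per-record DEK and wraps only that DEK under the tenant KEK.
func Store(kek []byte, tenant string, data []byte) ([]byte, []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(kek, dek, []byte(tenant)), seal(dek, data, []byte(tenant))
}

// Load unwraps the DEK with the tenant KEK, then decrypts the record.
func Load(kek []byte, tenant string, wrappedDEK, ct []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(tenant))
	if err != nil {
		return nil, err
	}
	return open(dek, ct, []byte(tenant))
}

// CryptoErase zeroes the KEK in place (stand-in for deleting it from the KMS):
// every record wrapped under it, including backup copies, is now unrecoverable.
func CryptoErase(kek []byte) { clear(kek) }
```
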

Compliance & Governance

Built for regulated industries

Castford is designed for finance teams operating under SOX, GDPR, CCPA, HIPAA, and industry-specific regulatory requirements.

SOX 404 Compliance

Continuous control monitoring, segregation of duties enforcement, immutable audit trails, and one-click evidence export for internal and external auditors. Designed for public company finance teams.

GDPR Data Protection

Right to access, right to erasure, data portability, and processing records. Data residency options for EU customers. Data Processing Agreement (DPA) available for all customers.

SOC 2 Type II

Annual third-party audit covering security, availability, processing integrity, confidentiality, and privacy. Audit report available to customers and prospects under NDA.

CCPA Consumer Privacy

Do-not-sell compliance, consumer data access requests, and deletion workflows. Applicable to customers operating in California or processing California resident data.

HIPAA (BAA Available)

Business Associate Agreement available for healthcare and life sciences customers. PHI-specific controls, access restrictions, and breach notification procedures.

ISO 27001 Information Security

Certified information security management system covering risk assessment, access control, incident management, and business continuity planning.

Customer Control

You own your data. Period.

Castford never sells, shares, or uses customer data to train AI models. Your financial data is yours — and you can export or delete it at any time.

100% customer-owned

Your financial data belongs to you. Castford acts as a data processor, never a data owner. We process your data solely to provide the services you've contracted for.

0 AI training on your data

Castford AI models are trained on synthetic and anonymized data sets. Your actual financial data is never used for model training, benchmarking, or any purpose beyond serving your account.

30 days to full deletion

When you request deletion, all data — primary storage, backups, derived models, cached results, and audit logs beyond regulatory minimums — is cryptographically erased within 30 calendar days.

Frequently Asked

Security questions from finance teams

Can Castford employees access my financial data?
No. Customer data environments are encrypted with customer-specific keys and access is restricted by role-based controls. Castford engineering and support staff do not have access to customer financial data in the normal course of operations. In the rare case that access is needed for a support escalation, it requires written customer approval, time-limited access, and full audit logging.

Where is my data stored geographically?
Castford operates data centers in the United States (us-east, us-west), European Union (eu-west), and Asia-Pacific (ap-southeast). Enterprise customers can select their preferred data residency region during onboarding. Data does not leave the selected region for processing, storage, or backup purposes.

What happens if I disconnect a connector?
When you disconnect a connector, the OAuth token is immediately revoked and deleted from the secrets vault. Previously synced data remains in your Castford environment for continuity, but no new data will be pulled. You can choose to delete the synced data at any time through the data management console.

Is my data used to train Castford AI models?
No. Castford AI models are trained exclusively on synthetic and anonymized data sets. Your actual financial data is never used for model training, benchmarking, or aggregate analysis. The AI copilot processes your data only in real time to serve your queries — it does not retain context between sessions unless you explicitly enable conversation history.

Can I export all my data if I cancel?
Yes. Castford provides a full data export capability in standard formats (CSV, JSON, Excel). You can export at any time during your subscription or within 90 days after cancellation. After the 90-day window, data is queued for cryptographic erasure. Enterprise customers can negotiate extended export windows in their contract.

Do you have a penetration testing program?
Yes. Castford engages independent third-party security firms for annual penetration testing and continuous vulnerability assessment. We also maintain a responsible disclosure program for external security researchers. Pen test reports are available to enterprise customers and prospects under NDA.

Ready to see our security in action?

Request a security review with our trust team. We'll walk through our zero trust architecture, compliance certifications, and data handling practices.

Request Security Review -- Download SOC 2 Report

Available to qualified prospects under NDA