SECURITY & COMPLIANCE

Built to pass your vendor risk assessment — not just your IT review.

LenderBox was architected from day one for regulated financial institutions. SOC 2 Type II certified. GLBA compliant. Every institution’s data fully siloed. No exceptions.

SOC 2 Type II Certified
256-bit AES
GLBA Compliant
Zero Data Sharing

SECURITY ARCHITECTURE

[Architecture diagram: SOC 2 Type II, RBAC + MFA, AES-256 encryption of your data, Zero Data Sharing, Immutable Audit Logs]

HOW WE PROTECT YOUR DATA

A security architecture designed for institutions where a data breach isn’t a PR problem — it’s an existential one.

Encryption

Every file that enters LenderBox is encrypted with 256-bit AES at rest and protected by TLS 1.2+ in transit. Encryption keys are managed through AWS Key Management Service (KMS), which generates, rotates, and stores keys in FIPS 140-2 validated hardware security modules. At no point does unencrypted data persist on disk outside of active processing.

Data Isolation

Each institution’s data is logically isolated at the infrastructure level — not simply separated by application-layer permissions. Your deals, documents, portfolio data, and AI model outputs are inaccessible to every other institution on the platform. There is no shared data lake, no cross-institution analytics, and no scenario in which one client’s data influences another client’s results.

Infrastructure

LenderBox is hosted on Amazon Web Services (AWS), which maintains its own SOC 2 Type II certification as a subservice organization. AWS provides compute, storage, and networking across U.S.-based data centers with physical security controls including biometric access, 24/7 monitoring, and environmental protections. LenderBox can facilitate access to AWS’s own SOC 2 report for institutions that need to complete the subservice organization audit loop.

Access Controls

Platform access is governed by role-based access controls (RBAC) with granular permissions at the user, team, and institution level. Every login, document access, data export, and configuration change is captured in a complete audit trail. Administrative actions require multi-factor authentication. These controls satisfy the access management requirements that OCC, FDIC, and state banking examiners evaluate during vendor risk reviews.

Immutable Logging

Every action taken within LenderBox is recorded in an immutable audit log. These logs cannot be altered or deleted by any user, including LenderBox administrators. The logging architecture provides the continuous audit trail that regulated institutions need to demonstrate examiner readiness at any point in time.
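The two sections above describe role-based access with MFA-gated administrative actions and an audit log that no user can alter. The following is an added illustration of how those two controls fit together, written for this page; it is not LenderBox's code and makes no claim about how the platform is implemented. The role table, the set of actions treated as administrative, and the HMAC-chained log format are all assumptions made for the example. It shows the property a vendor risk reviewer actually cares about: every authorization decision (allowed or denied) is recorded, and any edit, deletion or reordering of the record is detectable.

```python
"""Tamper-evident audit trail with RBAC and MFA gates (constructed example).

Assumptions, not the product's design: a fixed role-to-permission table,
HMAC-SHA256 chaining of entries, and an HMAC key held only by the logging
service.  The chain makes tampering detectable; true immutability also needs
append-only storage that no application identity can rewrite.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical roles and the permissions each grants.
ROLE_PERMISSIONS = {
    "viewer": {"document.read"},
    "analyst": {"document.read", "deal.edit", "data.export"},
    "admin": {"document.read", "deal.edit", "data.export",
              "config.change", "user.manage"},
}
# Administrative actions that additionally require an MFA-verified session.
ADMIN_ACTIONS = {"config.change", "user.manage"}


@dataclass(frozen=True)
class Session:
    user: str
    institution: str
    role: str
    mfa_verified: bool


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""

    def __init__(self, secret: bytes):
        self._secret = secret          # constructed key, owned by the log service
        self.entries: list[dict] = []

    def _digest(self, body: dict) -> str:
        # Canonical JSON of every field except the hash itself.
        canon = json.dumps({k: v for k, v in body.items() if k != "hash"},
                           sort_keys=True).encode()
        return hmac.new(self._secret, canon, hashlib.sha256).hexdigest()

    def append(self, session: Session, action: str, target: str,
               allowed: bool) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "user": session.user,
                "institution": session.institution, "action": action,
                "target": target, "allowed": allowed, "prev": prev}
        body["hash"] = self._digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> tuple[bool, int]:
        """Return (ok, first_bad_seq); -1 when the whole chain checks out.

        An edited field breaks its own digest, a deleted entry shifts every
        later seq, and a reordered entry breaks the prev link.
        """
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return False, i
            prev = e["hash"]
        return True, -1


def authorize(session: Session, action: str, target_institution: str,
              log: AuditLog) -> bool:
    """Decide and record. Denials are logged just like grants."""
    allowed = (
        target_institution == session.institution              # tenant boundary
        and action in ROLE_PERMISSIONS.get(session.role, set())  # role permission
        and (action not in ADMIN_ACTIONS or session.mfa_verified)  # MFA for admin
    )
    log.append(session, action, target_institution, allowed)
    return allowed


def demo() -> tuple[bool, int]:
    """Run a few constructed requests, then tamper with one entry and re-verify."""
    log = AuditLog(b"constructed-demo-key")
    analyst = Session("alice", "bank-a", "analyst", mfa_verified=False)
    admin = Session("bob", "bank-a", "admin", mfa_verified=True)
    authorize(analyst, "data.export", "bank-a", log)   # allowed
    authorize(analyst, "data.export", "bank-b", log)   # denied: other institution
    authorize(admin, "config.change", "bank-a", log)   # allowed: admin with MFA
    assert log.verify() == (True, -1)
    log.entries[1]["allowed"] = True                   # someone "fixes" a denial
    return log.verify()                                # -> (False, 1)


if __name__ == "__main__":
    print(demo())
```

Two points worth noting for anyone evaluating a log like this: denied requests are written to the chain, because an examiner needs evidence of attempted cross-institution access as much as of successful access; and `verify()` only proves integrity relative to the HMAC key, so the key and the storage behind `entries` are what an "immutable" claim ultimately rests on.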

Zero Hallucination Design

LenderBox’s AI engines are purpose-built for CRE lending — not general-purpose language models repurposed for financial services. Every data point extracted is tied to a page-level citation in the source document. Every policy check references the institution’s own lending criteria. Credit officers can verify any output against the original source material, and examiners can trace any decision back to documented evidence.

COMPLIANCE & CERTIFICATIONS

Examiner-ready before they ask.

LenderBox maintains the certifications and documentation your compliance team needs — ready before they ask for it.

SOC 2 Type II Certification

Completed February 2026 via Securance Pro Assurance PLLC. Covers security, availability, and confidentiality trust service criteria. Full report available under NDA.

GLBA Compliance

Designed to meet Gramm-Leach-Bliley Act safeguards for nonpublic personal information. Administrative, technical, and physical controls with full audit logging.

SOC 2 Type II Certification

LenderBox completed its SOC 2 Type II audit in February 2026, conducted by Securance Pro Assurance PLLC. The observation period covered November 2025 through February 2026, evaluating the design and operating effectiveness of controls across security, availability, and confidentiality trust service criteria. The full report is available upon request under NDA. LenderBox intends to maintain continuous SOC 2 Type II compliance with annual re-certification.

GLBA Compliance

LenderBox is designed to comply with the Gramm-Leach-Bliley Act requirements for safeguarding nonpublic personal information. This includes administrative, technical, and physical safeguards required under the GLBA Safeguards Rule. Data access is limited to authorized personnel, encryption protects data at rest and in transit, and the platform’s audit logging provides the accountability trail regulators expect.

FOR BANKS

Examiner-Ready Vendor Documentation

The SOC 2 Type II report, data flow diagrams, business continuity plans, incident response procedures, and subservice organization documentation are maintained and available through a structured due diligence process. LenderBox is built to fit within your existing third-party risk management framework — whether you follow OCC, FDIC, or state banking regulator guidance.

FOR PRIVATE CREDIT

Institutional-Grade Without the Overhead

Your investors, fund administrators, and LP reporting requirements increasingly demand institutional-grade data protection. LenderBox’s SOC 2 Type II certification and data isolation architecture provide the security posture institutional allocators expect — without requiring your team to manage compliance overhead internally.

Your Questions, Answered Directly

TRUST

Where does our data actually live?

Your data is stored in AWS data centers in the United States. AWS facilities maintain SOC 2 Type II certification, physical security controls including biometric access and 24/7 surveillance, and environmental protections. LenderBox does not store data in offshore facilities or third-country jurisdictions.

Can LenderBox employees see our deals?

No. LenderBox operates on a zero-access-by-default model. Production customer data is not accessible to LenderBox employees during normal operations. Access requires explicit authorization, is limited to designated support personnel, is logged in the immutable audit trail, and is restricted to the minimum scope needed for a specific support request.

How do you prevent our data from touching other institutions?

Through architectural isolation. Each institution's data is stored in logically separated environments at the infrastructure level. There is no shared data pool. LenderBox's AI models do not cross-train on other clients' data — your lending criteria, deal history, and portfolio information are never used to improve results for another institution.

What if LenderBox is breached?

LenderBox maintains a documented incident response plan with defined escalation procedures and notification timelines. Affected institutions would be notified within timeframes required by applicable law and service agreement terms. The SOC 2 Type II audit evaluated LenderBox's incident response controls.

COMPLIANCE

Will this pass our vendor risk assessment?

LenderBox is built specifically to serve regulated financial institutions. The SOC 2 Type II report, GLBA compliance documentation, data flow diagrams, business continuity plan, and incident response procedures are available through a structured due diligence process. Multiple community and regional banks have completed vendor risk assessments successfully.

What happens when regulators examine our vendor relationships?

LenderBox provides the documentation examiners request: SOC 2 Type II report, evidence of ongoing monitoring, data protection controls, and business continuity planning. The platform's continuous audit trail provides the evidence base that OCC, FDIC, and state examiners evaluate.

Are you compliant with US banking regulations?

LenderBox is designed to operate within the regulatory framework governing technology vendors to US banking institutions. This includes GLBA compliance, alignment with OCC Third-Party Risk Management guidance (OCC Bulletin 2023-17), and adherence to security and privacy standards federal and state banking examiners evaluate.

How do you handle fair lending compliance?

LenderBox's underwriting intelligence is built on document extraction and policy cross-checking — not on credit decisioning models that score or rank borrowers. The platform applies your institution's criteria, not its own scoring algorithms. Fair lending compliance remains governed by your policies and procedures. The audit trail documents how each deal was evaluated against your stated criteria.

RESILIENCE

What if LenderBox goes out of business?

Your data remains your data. The service agreement includes data portability provisions ensuring full export in standard formats at any time. In a wind-down scenario, LenderBox commits to a defined data retrieval period with full export capabilities. No data hostage provisions, no export fees.

How fast do you patch security vulnerabilities?

LenderBox maintains a vulnerability management program with continuous monitoring and response timelines based on criticality. Critical vulnerabilities are prioritized for immediate remediation. The SOC 2 Type II audit evaluated vulnerability and patch management controls.

Can our security team audit you?

Yes. LenderBox supports customer security assessments including the SOC 2 Type II report, vendor security questionnaires (SIG, CAIQ, or custom), security review calls, and penetration test result sharing. Transparency, not gatekeeping.

Do you carry cyber insurance?

Yes. LenderBox maintains cyber liability insurance coverage appropriate for a technology vendor serving regulated financial institutions. Coverage details are available as part of the vendor due diligence process.

Have Security Questions We Haven't Covered?

Whether you need to walk through our SOC 2 report with your vendor risk committee or want a technical deep-dive with your CISO, we're ready.