Security

Security at End Close

We handle payments data for fintechs and platforms processing billions in volume. Security is a first-class part of the product, not a policy binder.

SOC 2 Type 2 — audit in progress

Controls in place, continuously monitored with Vanta.

AES-256 encryption

All customer data encrypted at rest & in transit.

Single-tenant AWS

Dedicated VPC on our own AWS infrastructure.

24/7 threat detection

AWS GuardDuty monitors for malicious activity.

How we protect your data

An overview of the security practices and programs at End Close. For the full set of controls, policies, and current attestations, see our Trust Center.

Compliance & certifications

SOC 2 controls in place and continuously monitored, independent penetration testing, and real-time transparency through our Trust Center.

  • SOC 2 Type 2 (audit pending)

    We've implemented the controls required for SOC 2 Type 2 and are actively working with our auditor. Our real-time compliance posture is available in our Trust Center.

  • Continuous control monitoring

    Vanta runs automated tests against our SOC 2 controls 24/7. Controls are verified daily - not once a year.

  • Penetration testing

    We engage independent security researchers for periodic penetration tests covering our network infrastructure and the common web application vulnerability classes (OWASP Top 10).

  • Audited sub-processors

    Every third-party system handling customer data is vetted for SOC 2 or equivalent attestation. A current sub-processor list is available on request.

Infrastructure & network security

Single-tenant infrastructure in our own AWS account - not a shared, multi-tenant environment.

  • Dedicated AWS account

    All production workloads run on AWS EKS in our own AWS account in us-west-2, across three availability zones for high availability.

  • Private by default

    Applications run in private subnets. Only explicitly exposed web services are reachable from the internet, via an AWS load balancer.

  • Managed Postgres database

    Our primary database runs on ClickHouse Cloud's managed Postgres service - isolated from our application infrastructure, with encrypted connections and managed backups.

  • VPN-gated internal access

    Internal services are reachable only through a Tailscale VPN - they are never exposed to the public internet.

  • 24/7 threat detection

    AWS GuardDuty runs on every node, continuously monitoring for malicious activity, unauthorized behavior, and potential compromise.

  • Automated patching

    Cluster version upgrades and infrastructure patching are handled automatically - we stay on supported, patched versions.

Encryption

Modern, boring cryptography - applied everywhere your data lives or moves.

  • Encryption in transit

    All external traffic is TLS-terminated using cipher suites that SSL Labs rates “B” or higher. Certificates are auto-provisioned and rotated automatically.

  • Encryption at rest

    All confidential customer data is encrypted with AES-256. Our managed Postgres database encrypts data at rest by default. S3 buckets and persistent cluster volumes are encrypted with AWS KMS.

  • Endpoint encryption

    Full-disk encryption (AES 128/256-bit) is enforced on all company laptops and storage devices.

  • Web certificates

    RSA 2048-bit or stronger, or ECC 256-bit or stronger, signed with a SHA-2 family hash or stronger.
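As an added illustration of how the encryption-at-rest claim above can be verified in practice (this is example code, not End Close's own tooling), the following checker evaluates S3 default-encryption settings in the response shape returned by the S3 GetBucketEncryption API and flags buckets that are not using SSE-KMS with an explicitly named KMS key. The bucket names and API responses are constructed samples; in a real audit they would come from a boto3 `get_bucket_encryption` call per bucket.

```python
"""Audit S3 default-encryption settings for SSE-KMS.

Added example, not part of the original page. It checks the dict shape
returned by the S3 GetBucketEncryption API, so it runs offline against
constructed sample responses (below) and can be pointed at live output later.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    bucket: str
    ok: bool
    reason: str


def check_bucket_encryption(bucket: str, response: dict) -> Finding:
    """Pass only when every default-encryption rule is SSE-KMS with a named key.

    A rule with SSEAlgorithm "aws:kms" but no KMSMasterKeyID still encrypts,
    but with the AWS-managed aws/s3 key rather than a customer-managed one.
    """
    config = response.get("ServerSideEncryptionConfiguration", {})
    rules = config.get("Rules", [])
    if not rules:
        return Finding(bucket, False, "no default encryption rule configured")
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        key_id = default.get("KMSMasterKeyID")
        if algorithm != "aws:kms":
            return Finding(bucket, False,
                           f"algorithm is {algorithm!r}, expected 'aws:kms'")
        if not key_id:
            return Finding(bucket, False,
                           "SSE-KMS without an explicit KMS key (AWS-managed key)")
    return Finding(bucket, True, "SSE-KMS with an explicitly named KMS key")


def audit(responses: dict) -> list:
    """Run the check over a mapping of bucket name -> GetBucketEncryption response."""
    return [check_bucket_encryption(name, resp) for name, resp in responses.items()]


# Constructed sample responses (hypothetical bucket names and key ARN).
SAMPLE_RESPONSES = {
    "payments-archive": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-west-2:000000000000:key/EXAMPLE-KEY-ID",
                },
                "BucketKeyEnabled": True,
            }]
        }
    },
    "static-assets": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{
                "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
            }]
        }
    },
    "kms-default-key": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{
                "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
            }]
        }
    },
    "legacy-unconfigured": {},
}


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        status = "PASS" if finding.ok else "FAIL"
        print(f"{status} {finding.bucket}: {finding.reason}")
```

The check deliberately distinguishes SSE-S3 (`AES256`) and key-less SSE-KMS from SSE-KMS with a named key, because only the last gives the account owner control over key policy, rotation and CloudTrail visibility of decrypt calls.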

Access controls & personnel

Least-privilege access, full audit trails, and a vetted team handling your data.

  • Role-based access in-product

    Fine-grained permissions let you control exactly what each user can see and do inside End Close.

  • Full audit trail

    Every action taken by users or AI agents is logged and attributed.

  • Background checks & training

    All End Close staff undergo background checks at onboarding and complete ongoing security training.

  • Least-privilege staff access

    Our team accesses customer data on a principle-of-least-privilege basis. Any access outside pre-approved scope requires documented approval.