Honest compliance posture, with no marketing badges we haven't earned.
We will tell you what we attest to today, what we are pursuing, and what we will not claim until it is certified. The first principle of compliance is honesty.
Posture
Where every framework actually stands.
If we say 'in audit,' it means an auditor is in our system right now. If we say 'roadmap,' it means we have not started — be skeptical of vendors who blur this distinction.
- SOC 2 Type II: In audit
- GLBA Safeguards Rule: Aligned
- CCPA / CPRA: Aligned
- GDPR: Available on request
- ISO 27001: Roadmap
- PCI DSS: Out of scope
Posture timeline
As of 2026-05-26
SOC 2 Type II
Status: In audit · Report 2026-Q4 · Big-4 audit firm (named under NDA)
Operating to SOC 2 Type II controls. Audit fieldwork is underway. We do not display a SOC 2 badge until the report lands; the report is shared with prospects and customers under NDA the day we receive it.
GLBA Safeguards Rule
Status: Aligned · Continuous
Our controls map to the FTC Safeguards Rule (16 CFR Part 314). Mapping is documented in the customer evidence packet, available under NDA. No third-party attestation exists for GLBA — alignment is operator-asserted.
CCPA / CPRA
Status: Aligned · Continuous
Consumer rights, deletion SLA, and Do-Not-Sell defaults codified in the published DPA. Consumer-rights tooling is exposed in admin and via API.
GDPR
Status: Available on request · Enterprise tier
GDPR-compliant DPA and EU-pinned deployment available on Enterprise. Standard tier deployments are US-only by design.
ISO 27001
Status: Roadmap · 2027-H1
Targeted after SOC 2 attestation lands. Most controls overlap with SOC 2; the gap is documentation, not posture.
PCI DSS
Status: Out of scope
RateStack does not store, process, or transmit cardholder data. Billing is handled by a PCI-DSS Level-1 processor (subprocessor list).
We do not display badges for certifications we do not hold. "In audit" means an auditor is in our system today; "Roadmap" means we have committed to pursue it but have not started. Be skeptical of any vendor that blurs this distinction.
Regulatory alignment for mortgage capital markets
The platform's audit, retention, and access controls are designed against the regulatory environment its customers live in: GLBA Safeguards Rule for non-public personal information, CCPA / CPRA for consumer rights, HMDA-relevant audit trails on the data we touch, and ECOA-aligned non-discrimination in pricing. We do not represent that the platform itself is HMDA-compliant — compliance is the lender's responsibility — but the audit chain and historical replay are designed so that compliance teams can produce evidence quickly.
HMDA / ECOA support
The audit chain captures every pricing decision with the inputs and the ratesheet version that fired. Historical replay (as-of pricing) reproduces past quotes deterministically. ECOA non-discrimination depends on the rules you configure; the rule engine itself does not consider protected characteristics. Operators can audit rules for prohibited bases by inspecting the program eligibility table directly.
URLA 2021 + multi-borrower
URLA 2021 Tiers 1–5 ship complete. The platform models multiple borrowers via a unified borrowers[0..N] namespace — index 0 is the primary, indices 1+ are co-borrowers, all with identical field shapes. This eliminates the MISMO container aliasing that historically drove co-borrower data drift. Tier 5 fields (REO, close-out structure, 2021 marital and income enums) are first-class.
Property warrantability + ULDD
Property fields decompose into Fannie ULDD orthogonal axes (category, attachment, ownership, project type, structure, construction method, stories) with confidence scoring. Warrantability classification (WARRANTABLE / NON_WARRANTABLE / UNKNOWN) ships with an English-language rationale citing the contributing fields. The decomposition and warrantability call are audit-chained; operator overrides capture prior + new values.
Delegation evidence (actingAsOrgId)
Every cross-tenant action — pricing, locking, sharing — writes actingAsOrgId into common_audit_log. Wholesale and TPO audits get unambiguous evidence of who initiated each request under whose delegation grant. This holds across white-label deployments; the brand layer does not muddle the audit chain.
State-specific overlays
State-level regulatory overlays (e.g., New York high-cost loan thresholds, California consumer privacy specifics) are configured as eligibility rules and audit annotations. The platform does not ship state-specific compliance defaults — operator configuration is required.
Data residency & retention
The default deployment is United States, in two Tier-1 cloud regions (us-east and us-west) with cross-region replication for the source-of-truth MySQL tier. MinIO content-addressed object storage carries SSE-S3 encryption, bucket versioning, and lifecycle rules.
Retention windows
- API request logs: 90 days by default; custom on Business / Enterprise.
- Ratesheet raw blobs: 90 days post-supersede; configurable.
- Ratesheet rows: indefinite (versioning is immutable).
- Audit log: indefinite by default.
- Webhook deliveries / DLQ: 30 days for delivered, 90 days for DLQ.
- Event streams (NATS JetStream): 7-180 days depending on stream type.
Customer data deletion
Customers may request deletion of personal data via the standard data-subject request workflow (or programmatically via the admin API). Deletion is completed within 30 calendar days and produces an audit row that the customer can verify against the audit chain.
Audit evidence
We support customer audits within reason — once or twice per year for Business and Enterprise tiers, scoped to a documented set of evidence, conducted under NDA. Evidence packets typically include: the SOC 2 report (when available), control mappings against the customer's framework of choice, sample audit-log extracts demonstrating hash-chain integrity, ratesheet ingestion lineage, and infrastructure architecture diagrams.
Sales coordinates audits via the assigned CSM; we do not allow ad-hoc audits without coordination. This is how we keep the platform stable under audit pressure.
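The "Delegation evidence" section above says every cross-tenant action writes actingAsOrgId into common_audit_log, and the evidence packet includes audit-log extracts demonstrating hash-chain integrity. The following is an added example, not RateStack's code, of what a customer's compliance team can do with such an extract: recompute the chain to confirm no row was edited or dropped, and pull out the rows initiated under one delegation grant. RateStack's actual column names, hashing rule and genesis value are not published on this page; the row layout, the chaining rule (SHA-256 over the previous hash followed by canonical JSON of the row body) and all ids in the sample rows are assumptions constructed for the example.

```python
"""Verify a hash-chained audit log extract and list delegation evidence.

Added example. The common_audit_log schema and the real chaining rule are
not on the page; the layout and the rule below are assumptions.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as prev_hash of the first row


def canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace so every verifier serializes identically
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def row_hash(body: dict, prev_hash: str) -> str:
    # Assumed chain rule: SHA-256(prev_hash || canonical(body))
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(body))
    return h.hexdigest()


def append_row(chain: list, body: dict) -> dict:
    """Append a row, linking it to the hash of the current last row."""
    prev = chain[-1]["hash"] if chain else GENESIS
    row = {"body": body, "prev_hash": prev, "hash": row_hash(body, prev)}
    chain.append(row)
    return row


def verify_chain(chain: list):
    """Return (ok, first_bad_seq).

    A row whose body was edited fails its own hash check; a row that was
    dropped or reordered makes the following row's prev_hash mismatch.
    """
    prev = GENESIS
    for row in chain:
        body = row["body"]
        if row["prev_hash"] != prev:
            return False, body["seq"]
        if row_hash(body, row["prev_hash"]) != row["hash"]:
            return False, body["seq"]
        prev = row["hash"]
    return True, None


def delegation_evidence(chain: list, acting_as_org_id: str) -> list:
    """Bodies of rows initiated under the given delegation grant."""
    return [r["body"] for r in chain
            if r["body"].get("actingAsOrgId") == acting_as_org_id]


def tampered_copy(chain: list, seq: int, field: str, value) -> list:
    """Deep copy with one field of one row changed (for demonstration)."""
    c = copy.deepcopy(chain)
    for r in c:
        if r["body"]["seq"] == seq:
            r["body"][field] = value
    return c


def build_sample_chain() -> list:
    # Constructed sample events; every id and version string is a placeholder
    events = [
        {"seq": 1, "ts": "2026-05-26T14:00:00Z", "actorUserId": "u-broker-17",
         "tenantOrgId": "org-lender-A", "actingAsOrgId": "org-tpo-9",
         "action": "pricing.quote", "ratesheetVersion": "rs-2026-05-26.3"},
        {"seq": 2, "ts": "2026-05-26T14:02:10Z", "actorUserId": "u-lo-4",
         "tenantOrgId": "org-lender-A", "actingAsOrgId": None,
         "action": "ratesheet.publish", "ratesheetVersion": "rs-2026-05-26.4"},
        {"seq": 3, "ts": "2026-05-26T14:05:42Z", "actorUserId": "u-broker-17",
         "tenantOrgId": "org-lender-A", "actingAsOrgId": "org-tpo-9",
         "action": "lock.create", "ratesheetVersion": "rs-2026-05-26.4"},
    ]
    chain = []
    for e in events:
        append_row(chain, e)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact extract:", verify_chain(chain))
    print("edited row 2:", verify_chain(
        tampered_copy(chain, 2, "actingAsOrgId", "org-tpo-ZZ")))
    print("row 2 dropped:", verify_chain(chain[:1] + chain[2:]))
    for b in delegation_evidence(chain, "org-tpo-9"):
        print("under org-tpo-9:", b["seq"], b["action"], b["ratesheetVersion"])
```

One caveat a verifier should keep in mind: a chain like this proves that nothing inside the extract was altered relative to the row that follows it, but it cannot prove that rows were not removed from the end. Pin the hash of the last row against something outside the extract, such as the value recorded in the evidence packet delivered under NDA, before treating the extract as complete.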
Frequently asked
Compliance questions.
When will SOC 2 land?
We are in the audit window today. Timing is bounded by the auditor's schedule, not ours; the realistic window is 6-9 months from the start of audit. We will publish the report (under NDA) the same day we receive it.
Can we get your SIG / CAIQ / vendor questionnaire response?
Yes, under NDA. Sales coordinates this; turnaround is typically 2-3 business days.
Do you support customer audits?
Once or twice per year for Business / Enterprise customers. We schedule via the named CSM, scope to a documented set of evidence, and conduct under NDA.
Where is data stored?
United States by default, in Tier-1 cloud regions. Enterprise customers can request region pinning, dedicated infrastructure, or VPC peering. EU residency is available on Enterprise.
What's your data retention policy?
Default retention windows: API request logs 90d, ratesheet raw blobs 90d, ratesheet rows indefinite, audit log indefinite, event streams 7-180d depending on stream type. Custom retention is available on Business and Enterprise.
Do you ever use customer data to train AI models?
Never without explicit, separately-signed consent. The default contract excludes training use. Operational uses (mapping templates that learn from your sheets to make ingestion faster) are scoped to your tenant only and never aggregated across customers.
Need an evidence packet? Contact sales and we'll route you to the right person under NDA.