Skip to main content

Security & Trust

Built on Google Cloud. Here's what that covers, and what we add on top.

Each section starts with a one-line summary. Tap to read the full controls.

Updated April 19, 2026·~5 min

In one paragraph

Hosted on Google Cloud, whose infrastructure holds SOC 2, ISO 27001, and PCI DSS certifications — TheLoanOfficer itself has not been independently audited. Data is encrypted with TLS in transit and AES-256 at rest, sensitive documents get an additional encryption layer, every write goes through server-side APIs with role checks, and document links are signed and expiring. We never share data without your explicit consent.

01

Infrastructure & hosting

Hosted on Google Cloud Platform, with Google managing the physical and network layers and TheLoanOfficer adding application-level controls on top.

Full text

TheLoanOfficer is hosted on Google Cloud Platform. Google manages the physical security, network protection, and reliability of the underlying infrastructure; we add our own application-level controls on top.

Provided by Google Cloud

  • DDoS protection and threat detection on Google’s network
  • Automated security patching of managed infrastructure
  • Encrypted storage and network infrastructure
  • Redundant backup and disaster recovery

Google's data centers

  • Multiple geographically distributed regions
  • Physical security with biometric access (per Google’s published controls)
  • Environmental controls and monitoring
02

Compliance & certifications

Google Cloud, our infrastructure provider, holds SOC 2 Type II, ISO 27001, and PCI DSS certifications. TheLoanOfficer itself has not been independently audited.

Full text

Our infrastructure provider, Google Cloud, maintains the following certifications. These cover the infrastructure our platform runs on — they are Google's certifications, not TheLoanOfficer's:

SOC 2 Type II

Google Cloud’s audited controls for security, availability, and confidentiality

ISO 27001

Google Cloud’s certification for information security management

PCI DSS Level 1

Google Cloud’s payment card industry security certification

TheLoanOfficer itself has not been independently audited. What we do: encrypt data in transit (TLS) and at rest (AES-256), wrap sensitive documents in an additional encryption layer, deliver document downloads through signed, expiring links, route every database write through authenticated server-side APIs with role-based access checks, rate-limit sensitive endpoints, and keep a server-side audit log of admin and security-relevant actions.

03

Application security

TLS in transit, AES-256 at rest, server-side access control, signed expiring document links, rate limiting, and audit logging.

Full text

Encryption

  • TLS encryption for all data transmission
  • AES-256 encryption for data at rest
  • Additional encryption layer for sensitive documents
  • Signed, expiring links for document downloads

Access control

  • Firebase Authentication with email/password and email verification
  • Role-based access checks enforced server-side
  • Client database writes blocked — every write goes through authenticated server-side APIs
  • Single-use document upload links verified against the recipient’s email

Abuse prevention

  • Rate limiting on sensitive endpoints
  • Single-use tokens that expire after use

Accountability

  • Server-side audit log of admin and security-relevant actions
  • Credit and payment changes logged to an audit trail
04

Data handling & privacy

We collect only what we need, purge automatically, and never share data without explicit consent.

Full text

Data minimization

  • Collect only necessary information
  • Automatic data purging policies
  • Ephemeral storage for sensitive data
  • Regular data retention reviews

Data protection

  • No data sharing without explicit consent
  • Secure data transmission protocols
  • Server-side audit logging of sensitive actions
  • Owner-only access to user profile data

Transparency

Clear data usage policies and user controls

User control

Users can manage their data and privacy settings

Compliance

Full compliance with privacy regulations

05

Incident response

Documented response procedures, automated health checks, and transparent user notification.

Full text

Response

  • Documented incident response procedures
  • Automated system health checks and alerting
  • Server-side audit log to support investigations

Communication

  • Transparent incident reporting
  • User notification procedures
  • Regular security updates
  • Emergency contact channels
06

Trust indicators

TLS in transit · AES-256 at rest · signed, expiring document links.

Full text

TLS

Encryption in transit

All traffic between you and our servers is encrypted

AES-256

Encryption at rest

The same standard banks use

Signed

Document links

Downloads use expiring, signed links

07

Security contact

Report a concern: support@theloanofficer.io.

Full text

If you have security concerns or need to report a security incident, please contact our security team:

The plain-language summaries are explanatory only. In any conflict between the summary and the body text, the body text governs.

TheLoanOfficer

Precision connections for loan professionals.A marketplace where borrowers post loan requests and licensed loan officers respond.

© 2026 TheLoanOfficer. All rights reserved.

Compliance Disclaimer: TheLoanOfficer is a connection platform only. We are not a lender, broker, or loan originator. All lender rates and terms are independently provided by licensed professionals. We neither set nor endorse them. Users must verify every detail with their chosen lender.