Security & Trust
Built on Google Cloud. Here's what that covers, and what we add on top.
Each section starts with a one-line summary. Tap to read the full controls.
In one paragraph
Hosted on Google Cloud, whose infrastructure holds SOC 2, ISO 27001, and PCI DSS certifications — TheLoanOfficer itself has not been independently audited. Data is encrypted with TLS in transit and AES-256 at rest, sensitive documents get an additional encryption layer, every write goes through server-side APIs with role checks, and document links are signed and expiring. We never share data without your explicit consent.
01Infrastructure & hosting
Hosted on Google Cloud Platform, with Google managing the physical and network layers and TheLoanOfficer adding application-level controls on top.
Infrastructure & hosting
Hosted on Google Cloud Platform, with Google managing the physical and network layers and TheLoanOfficer adding application-level controls on top.
Full text
TheLoanOfficer is hosted on Google Cloud Platform. Google manages the physical security, network protection, and reliability of the underlying infrastructure; we add our own application-level controls on top.
Provided by Google Cloud
- DDoS protection and threat detection on Google’s network
- Automated security patching of managed infrastructure
- Encrypted storage and network infrastructure
- Redundant backup and disaster recovery
Google's data centers
- Multiple geographically distributed regions
- Physical security with biometric access (per Google’s published controls)
- Environmental controls and monitoring
02Compliance & certifications
Google Cloud, our infrastructure provider, holds SOC 2 Type II, ISO 27001, and PCI DSS certifications. TheLoanOfficer itself has not been independently audited.
Compliance & certifications
Google Cloud, our infrastructure provider, holds SOC 2 Type II, ISO 27001, and PCI DSS certifications. TheLoanOfficer itself has not been independently audited.
Full text
Our infrastructure provider, Google Cloud, maintains the following certifications. These cover the infrastructure our platform runs on — they are Google's certifications, not TheLoanOfficer's:
SOC 2 Type II
Google Cloud’s audited controls for security, availability, and confidentiality
ISO 27001
Google Cloud’s certification for information security management
PCI DSS Level 1
Google Cloud’s payment card industry security certification
TheLoanOfficer itself has not been independently audited. What we do: encrypt data in transit (TLS) and at rest (AES-256), wrap sensitive documents in an additional encryption layer, deliver document downloads through signed, expiring links, route every database write through authenticated server-side APIs with role-based access checks, rate-limit sensitive endpoints, and keep a server-side audit log of admin and security-relevant actions.
03Application security
TLS in transit, AES-256 at rest, server-side access control, signed expiring document links, rate limiting, and audit logging.
Application security
TLS in transit, AES-256 at rest, server-side access control, signed expiring document links, rate limiting, and audit logging.
Full text
Encryption
- TLS encryption for all data transmission
- AES-256 encryption for data at rest
- Additional encryption layer for sensitive documents
- Signed, expiring links for document downloads
Access control
- Firebase Authentication with email/password and email verification
- Role-based access checks enforced server-side
- Client database writes blocked — every write goes through authenticated server-side APIs
- Single-use document upload links verified against the recipient’s email
Abuse prevention
- Rate limiting on sensitive endpoints
- Single-use tokens that expire after use
Accountability
- Server-side audit log of admin and security-relevant actions
- Credit and payment changes logged to an audit trail
04Data handling & privacy
We collect only what we need, purge automatically, and never share data without explicit consent.
Data handling & privacy
We collect only what we need, purge automatically, and never share data without explicit consent.
Full text
Data minimization
- Collect only necessary information
- Automatic data purging policies
- Ephemeral storage for sensitive data
- Regular data retention reviews
Data protection
- No data sharing without explicit consent
- Secure data transmission protocols
- Server-side audit logging of sensitive actions
- Owner-only access to user profile data
Transparency
Clear data usage policies and user controls
User control
Users can manage their data and privacy settings
Compliance
Full compliance with privacy regulations
05Incident response
Documented response procedures, automated health checks, and transparent user notification.
Incident response
Documented response procedures, automated health checks, and transparent user notification.
Full text
Response
- Documented incident response procedures
- Automated system health checks and alerting
- Server-side audit log to support investigations
Communication
- Transparent incident reporting
- User notification procedures
- Regular security updates
- Emergency contact channels
06Trust indicators
TLS in transit · AES-256 at rest · signed, expiring document links.
Trust indicators
TLS in transit · AES-256 at rest · signed, expiring document links.
Full text
TLS
Encryption in transit
All traffic between you and our servers is encrypted
AES-256
Encryption at rest
The same standard banks use
Signed
Document links
Downloads use expiring, signed links
07Security contact
Report a concern: support@theloanofficer.io.
Security contact
Report a concern: support@theloanofficer.io.
Full text
If you have security concerns or need to report a security incident, please contact our security team:
Security email: support@theloanofficer.io
The plain-language summaries are explanatory only. In any conflict between the summary and the body text, the body text governs.