Information security

Last updated: January 21, 2026. We will update this Information Security page as needed to reflect any changes in our practices or obligations. 

Security program framework 

Our information security program aligns with industry-recognized frameworks including ISO 27001 and NIST Cybersecurity Framework principles. This structured approach ensures comprehensive coverage across:

Infrastructure security

We design our systems with defense-in-depth architecture, implementing multiple layers of protection. Data is encrypted in transit and at rest using industry-standard protocols. Our infrastructure leverages enterprise cloud providers' physical security controls while we maintain responsibility for securing our application layer and client data.

Access management

We operate on a principle of least privilege, ensuring individuals access only the resources necessary for their role. Multi-factor authentication protects access to sensitive systems. We regularly review and revoke access when no longer required.

Operational resilience

Our services are designed to remain available even when individual components fail. We distribute infrastructure across multiple availability zones, maintain regular backups, and test our disaster recovery procedures to ensure business continuity.

Secure development

Security is integrated throughout our development lifecycle. We conduct code reviews, implement automated security testing in our CI/CD pipeline, and engage third-party security experts to perform penetration testing and identify vulnerabilities before deployment.

Vendor risk management

We evaluate the security practices of third-party service providers before engagement and monitor them continuously. Our subprocessor list is available in this trust center, reflecting our commitment to transparency about who handles your data.

Compliance & certifications

We maintain certifications and attestations that demonstrate our adherence to rigorous security standards. These independent assessments validate our controls and provide assurance that we're doing what we say we're doing.

Current certifications and compliance frameworks include PCI, FFIEC, and SOC 2 Type II. Upon request and subject to appropriate confidentiality agreements, we can provide detailed audit reports, penetration test summaries, and other compliance documentation.

We continuously monitor regulatory developments to ensure our practices evolve with changing requirements across jurisdictions where we operate.

Your role in security

Effective security requires shared responsibility. While we secure our infrastructure and platform, you maintain control over: 

User access management

Determining who within your organization should have access to our platform and what permissions they require

Data governance

Deciding what information to input, how long to retain it, and when to delete it

Configuration security

Enabling available security features such as single sign-on, IP allowlisting, and session controls

Incident reporting

Alerting us to suspicious activity or potential security concerns

We've designed our platform with security features that help you fulfill these responsibilities effectively. Our documentation provides guidance on security best practices and recommendations.

Incident response & transparency

Despite robust preventive measures, no organization can guarantee perfect security. Our incident response program ensures we can detect, respond to, and communicate about security events appropriately.

If we identify a security incident that affects your data, we will notify affected clients in accordance with applicable legal requirements and our contractual commitments. We maintain relationships with leading security experts and can rapidly engage additional expertise when needed.

We publish updates about significant security events in this trust center to keep our clients informed.

Questions & documentation access

We've compiled documentation to address frequently asked questions, common requests and security inquiries. For more detailed information, you can submit a request through your account manager.
Additional trust and privacy

Visit our Trust Center to explore the measures we take to protect your information, including safety and privacy compliance standards.

AI

Understand how data privacy and security are fundamental to our AI approach

Privacy

Our policies, tools and procedures are built to protect your data and help you meet your privacy obligations

Legal disclaimers

The information provided in this trust center describes our current security practices and is subject to change. While we strive to maintain accurate information, this content is for informational purposes and does not constitute a contractual commitment. Specific security commitments are governed by your applicable service agreement.