A plain-English summary of how we protect the financial, identity and business information that moves through Capzy. Lending partners can request our full Information Security Policy below.
Capzy runs on managed infrastructure rather than self-operated servers. Our database, authentication and file storage are provided by Supabase (SOC 2 Type 2 compliant, ISO 27001 certified) and the application is hosted on Netlify (SOC 2 Type 2, ISO 27001 and PCI DSS audited). Our primary data store is hosted in the United Kingdom (AWS London region), so applicant data at rest does not leave the UK.
Access is deny-by-default and role-scoped. Borrower, broker, lender and partner roles are separated, permissions are enforced server-side on every API route (not just hidden in the interface), and the database applies row-level security as a second layer. Every staff account must pass mandatory two-factor authentication before it can reach any staff surface or staff API.
Sensitive actions — application changes, document access, bank connections, payouts, user administration and administrative support access — are recorded in an append-only, hash-chained audit log, so records cannot be silently altered after the fact. Every inbound integration webhook (Open Banking, identity verification, payments, SMS) is signature-verified, and document links and upload links are short-lived and expire automatically.
Capzy Limited is registered with the Information Commissioner's Office (registration ZC194056). Borrowers can export their data or request deletion directly in the product, and retention follows FCA record-keeping rules and the Money Laundering Regulations — the detail is in our Privacy Policy.