Legal

Security at Capzy

Last updated · 9 July 2026

A plain-English summary of how we protect the financial, identity and business information that moves through Capzy. Lending partners can request our full Information Security Policy below.

01Built on certified platforms

Capzy runs on managed infrastructure rather than self-operated servers. Our database, authentication and file storage are provided by Supabase (SOC 2 Type 2 compliant, ISO 27001 certified) and the application is hosted on Netlify (SOC 2 Type 2, ISO 27001 and PCI DSS audited). Our primary data store is hosted in the United Kingdom (AWS London region), so applicant data at rest does not leave the UK.

02Encryption

  • In transitall traffic is encrypted with TLS, and HTTP Strict Transport Security is enforced across the entire platform.
  • At restall data is encrypted with AES-256 by our hosting platforms. On top of that, bank connection tokens and payout account details are additionally encrypted at the application level with AES-256-GCM before they are stored.
  • Cardswe never see or store full card numbers; card collection is handled by Stripe.

03Access control

Access is deny-by-default and role-scoped. Borrower, broker, lender and partner roles are separated, permissions are enforced server-side on every API route (not just hidden in the interface), and the database applies row-level security as a second layer. Every staff account must pass mandatory two-factor authentication before it can reach any staff surface or staff API.

04Audit trail and integrations

Sensitive actions — application changes, document access, bank connections, payouts, user administration and administrative support access — are recorded in an append-only, hash-chained audit log, so records cannot be silently altered after the fact. Every inbound integration webhook (Open Banking, identity verification, payments, SMS) is signature-verified, and document links and upload links are short-lived and expire automatically.

05Data protection

Capzy Limited is registered with the Information Commissioner's Office (registration ZC194056). Borrowers can export their data or request deletion directly in the product, and retention follows FCA record-keeping rules and the Money Laundering Regulations — the detail is in our Privacy Policy.

06Request our full policy

Lenders and partners: our full Information Security Policy is available for introducer due diligence — email hello@capzy.comwith your firm name and we'll send the current signed-off version.
Found a security issue? Report it to hello@capzy.comand we'll respond promptly.