The regulated hard part, built into the platform.
Moving other people's money is a regulated obligation, not a feature. Isolation, approvals, screening, return-rate monitoring and a complete audit trail are structural properties of the platform — enforced at the data and state-machine layer, where application code can't forget them.
Know the business before it moves a dollar.
Every tenant onboards through verification.
A business is verified before it is activated — and a tenant that hasn't cleared onboarding can't transact. Go-live is a checked transition the platform itself enforces; a tenant cannot be activated on demo data except by a named, logged override.
- Business identity captured and verified at onboarding
- Activation gated on a real go-live check, not a flag someone flips
Screen the receiver, verify the account.
Counterparties are screened against sanctions lists at the seam where money would move to them, and receiving accounts are verified — via micro-deposit and instant methods — before they can take a dollar. A payment to an unverified or screened party is refused, not queued.
- OFAC/sanctions screening at the counterparty boundary
- Micro-deposit and instant account verification
Score the payment, not just the account.
Payments carry a risk assessment on creation, with per-tenant decline limits and review thresholds. Risky movement routes to review instead of straight to the rail — the decision is made before the money is committed, where it can still be stopped.
- Per-payment risk scoring with configurable limits
- Review routing before the irreversible act
Approvals, isolation and audit — by construction.
Dual approval that means something
Above a per-tenant threshold, a payment needs a second approver. For trust money, the policy is require-approval-for-all. The gate sits on the transition into the rail, so an unapproved payment simply never moves — approval isn't advisory.
Tenant isolation at the data layer
Every tenant-scoped row carries its tenant, and every query is filtered underneath the application — not in code that can forget. A cross-tenant read is an explicit, logged, admin-only act, never an accident.
NACHA return monitoring
ACH return rates are tracked per tenant against the 0.5% administrative-return threshold, so an origination problem surfaces as a monitored metric — before it becomes a bank conversation.
A complete audit log
Every admin action — an approval, a config change, an impersonation — is written to an immutable audit log. Who did what, to which tenant, and when, is always answerable.
Impersonation, always logged
Support can act on a tenant's behalf when needed, but never invisibly. Impersonation opens an audit record the moment it begins; access is never a side door around it.
Demo data cannot pay anyone
Every figure carries its origin — fixture or source-of-record. The three irreversible acts — remitting tax, settling an operator, collecting an invoice — refuse any figure whose basis is not a source of record.
What you're told is what happened.
Signed, durable webhooks
Every event writes to an outbox in the same transaction as the change it describes, then delivers with an HMAC-SHA256 signature and retries. Verify the signature; trust the payload. A crash between the change and the notification loses neither.
Lossless secret rotation
Rotate a webhook signing secret without dropping a delivery: for an overlap window, events are signed with both the old and new secret, so a receiver holding either keeps verifying until it cuts over.
Idempotent by default
Every write accepts an idempotency key; a retried request is the same request. A network timeout can never become a duplicate payment or a double-posted entry.
Honest health
The platform separates "the database is up" from "this process initialized against it," and a failed migration kills startup rather than serving from a schema in an unknown state. It reports what is true, not what is convenient.
Controls you can show a regulator.
Isolation, approvals, screening and audit — enforced by the platform, not by policy alone.
Request access → Read our trust page →