FullSeam handles the financial data your business runs on. We built our security program around that responsibility from day one — independently audited, continuously verified.
Certified: Independently audited against the AICPA Trust Services Criteria for Security, Confidentiality, and Availability.
In Progress: Continuous controls audit currently underway, building on our Type 1 foundation.
Implementing administrative, physical, and technical safeguards aligned with the HIPAA Security Rule.
TLS 1.2+ on every connection. Customer data, databases, and backups encrypted at rest. Secrets stored in a managed vault — never in source code.
Production access is restricted to a small set of authorized personnel, gated by role-based controls and reviewed on a regular cadence. Access is revoked within one business day of any role change.
Isolated VPC on AWS with private application and data tiers, a WAF at the edge, and no public ingress to the database. Production data stays in North America.
Continuous scanning across source code, dependencies, and infrastructure, plus an annual third-party penetration test. Patches prioritized by exploitability.
Point-in-time recovery with encrypted backups across multiple availability zones. Backups are monitored for completion and restricted to key personnel.
A documented plan covering identification, escalation, customer notification, and remediation — kept current and rehearsed.
We're happy to share our SOC 2 report, security questionnaire, or DPA under NDA. Reach out to support@fullseam.com and we'll respond within one business day.
Found a vulnerability? Please disclose it responsibly to the same address.