Compliance Without Compromise

Lending comes with strict regulations, but staying compliant shouldn’t slow you down. Fundamento ensures your data stays protected and your operations meet the highest security standards, every step of the way.

Certified Secure, Trusted Everywhere

Fundamento meets the highest security standards with globally recognized certifications, ensuring your data remains protected, compliant, and always in safe hands.

SOC 2

We adhere to rigorous security, availability, and confidentiality controls to safeguard your customer data.

ISO 27001

Our globally recognized certification ensures a robust framework for managing and protecting information security.

GDPR

We are committed to data privacy and compliance, ensuring borrower information is handled with the highest standards of protection.

PCI DSS

We follow strict payment security protocols to protect sensitive financial data and prevent fraud.

Security That Evolves With You

Regular Audits & Compliance Reviews

We conduct frequent security audits and compliance checks to stay aligned with evolving regulatory and industry standards. This ensures that our security framework remains robust and meets the highest compliance benchmarks.

Proactive Threat Monitoring

Our systems are continuously monitored for potential vulnerabilities, with real-time threat detection and rapid response mechanisms in place. By leveraging AI-driven anomaly detection, we proactively mitigate risks before they become threats.

Secure Development & Access Controls

Every product update undergoes rigorous security testing, and access to sensitive data is restricted through strict role-based permissions. This guarantees that only authorized personnel can handle critical information, minimizing security risks.

Compliance at Every Step of the Way

Infrastructure Security
  • Unique Production Database Authentication Enforced

    The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as a unique SSH key.

  • Encryption Key Access Restricted

    The company restricts privileged access to encryption keys to authorized users with a business need.

  • Unique Account Authentication Enforced

    The company requires authentication to systems and applications to use a unique username and password or authorized Secure Shell (SSH) keys.

  • Additional Security Measures

    More details about security measures implemented by the company...

  • Data Backup Strategies

    Regular automated backups to ensure data integrity...

  • Network Security Enhancements

    Enhanced firewall and monitoring to prevent unauthorized access...

Organizational Security
  • Production Inventory Maintained

    The company maintains a formal inventory of production system assets.

  • Anti-malware Technology Utilized

    The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

  • Employee Background Checks Performed

    The company performs background checks on new employees.

  • Confidentiality Agreement Acknowledged by Contractors

    The company requires contractors to sign a confidentiality agreement at the time of engagement.

  • Confidentiality Agreement Acknowledged by Employees

    The company requires employees to sign a confidentiality agreement during onboarding.

  • Performance Evaluations Conducted

    The company's managers are required to complete performance evaluations for direct reports at least annually.

  • Password Policy Enforced

    The company requires passwords for in-scope system components to be configured according to the company's policy.

  • MDM System Utilized

    The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

Product Security
  • Data Encryption Utilized

    The company's datastores housing sensitive customer data are encrypted at rest.

  • Control Self-Assessments Conducted

    The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

  • Vulnerability And System Monitoring Procedures Established

    The company's formal policies outline the requirements for the following functions related to IT / Engineering:

    • Vulnerability Management
    • System Monitoring

Internal Security Procedures
  • Production Deployment Access Restricted

    The company restricts access to migrate changes to production to authorized personnel.

  • SOC 2 - System Description

    Complete a description of your system for Section III of the audit report.

  • Board Oversight Briefings Conducted

    The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

  • Board Expertise Developed

    The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

  • Board Meetings Conducted

    The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

  • System Changes Externally Communicated

    The company notifies customers of critical system changes that may affect their processing.

  • Organization Structure Documented

    The company maintains an organizational chart that describes the organizational structure and reporting lines.

  • Roles And Responsibilities Specified

    Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

  • System Changes Communicated

    The company communicates system changes to authorized internal users.

  • Access Requests Required

    The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

  • Company Commitments Externally Communicated

    The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

  • Risk Assessment Objectives Specified

    The company specifies its objectives to enable the identification and assessment of risk related to the objectives.

  • Risk Assessments Performed

    The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

  • Third-Party Agreements Established

    The company has written agreements in place with vendors and related third parties. These agreements include confidentiality and privacy commitments applicable to that entity.

Leading the Way in Responsible AI

At Fundamento, we are committed to building AI that is responsible, transparent, and beneficial. We actively collaborate with regulators and industry alliances, including the Coalition for Responsible Evolution of AI, where we’ve contributed to closed-door sessions on ethical AI in financial services. Our expertise helps lenders navigate evolving regulations while ensuring AI-driven interactions remain fair, secure, and customer-centric.

Enterprise-Grade Security, One Call Away

Want to learn more about how Fundamento ensures top-tier infosec compliance? Book a demo, and we’ll walk you through our security-first approach.