Data Management, Security & Privacy

LendingWise treats data management, security, and privacy as a first-class product feature, not a compliance checkbox. The platform holds some of the most sensitive data in your business — borrower PII, financial documents, loan tape, and proprietary pricing — and the architecture, controls, and operational practices documented below reflect that reality.We align with SOC 2 standards and follow industry best practices for cloud-hosted financial services applications. For the legal-binding details, review our privacy policy & standard terms & conditions.

**Data Ownership **
You own 100% of your data. LendingWise has no ownership claim, no resale rights, and no rights to use your tenant data for cross-customer analytics, benchmarking, or AI/ML model training without your explicit written consent. Your data is licensed back to LendingWise solely for the purpose of operating the service you've subscribed to. At contract termination, you receive a full export of all your data and documents in standard formats (CSV/JSON for structured data, original-format files in a zipped bundle) with no exit fees, followed by a 30-day retrieval window and a documented destruction certificate. Hosting Infrastructure LendingWise is hosted entirely on Amazon Web Services (AWS) in U.S. regions. No customer data is ever stored outside the United States.

Primary region: us-east-1 (N. Virginia) Failover region: us-west-2 (Oregon) Architecture: Multi-AZ deployment for both application and database tiers Edge: Cloudflare for CDN, Web Application Firewall (WAF), and DDoS protection Compute: Auto-scaling AWS EC2 application tier Database: AWS RDS with cross-AZ replication and read-replica support Document storage: AWS EFS for file/document persistence; AWS S3 for object storage Secrets: AWS Secrets Manager and Parameter Store with rotation policies

All infrastructure is deployed via Infrastructure-as-Code (Terraform/CloudFormation), ensuring reproducibility, auditability, and consistent configuration across environments. Encryption Every byte of customer data is encrypted at rest and in transit. There are no exceptions. Encryption at Rest

Algorithm: AES-256 Scope: AWS RDS (relational database), AWS S3 (object storage), and AWS EFS (file/document storage) Field-level encryption: Sensitive PII fields (SSN, DOB, bank account numbers, routing numbers) are encrypted at the field level in addition to the database-level encryption Key management: AWS KMS-managed (customer-managed keys / BYOK available on enterprise plans — on roadmap)

Encryption in Transit

Protocol: TLS 1.2+ on all customer-facing endpoints Certificates: Managed via AWS Certificate Manager (ACM) and Cloudflare Legacy data note: Current production standard is TLS 1.2+ across the board, and SSLv3/early TLS are explicitly disabled Internal traffic: All service-to-service communication within the AWS VPC is also TLS-encrypted

Authentication & Access Control Multi-Factor Authentication (MFA) TOTP-based MFA is available for all users on every plan and can be enforced tenant-wide by your administrator. We strongly recommend MFA enforcement for all staff with access to borrower data. Single Sign-On (SSO) SAML 2.0 SSO is supported on enterprise plans via Okta, Azure Active Directory, and Google Workspace. OIDC support is in active development. Role-Based Access Control (RBAC) LendingWise ships with granular built-in roles — Admin, Manager, Loan Officer, Processor, Underwriter, Closer, Servicer, Investor, Broker, Borrower — plus the ability to create custom roles. Permissions are configurable at the module, screen, and field level. For example, you can prevent offshore processing staff from ever seeing borrower SSNs while still giving them full access to the rest of the loan file. Session & Password Controls

Configurable idle timeout per tenant Concurrent session detection Configurable password complexity, length, and rotation rules (industry-standard defaults) Account lockout after failed login attempts

Additional Access Controls****

IP allow-listing: Available per tenant on enterprise plan Geo-fencing: Login restriction by country configurable via Cloudflare WAF rules Privileged access: Break-glass admin access is time-limited, ticketed, and logged

Audit Trail Every user action, every field change, every document version, and every login is captured and retained. This includes:

User logins and authentication events All data exports and downloads Field-level change history with timestamp and user attribution Document upload, download, view, and version history Workflow step transitions Administrative actions (user creation, permission changes, role changes) API calls (for tenants using the Open API)

Audit logs are exportable for internal compliance review and regulator examination. Database-level audit logging (DDL/DML) is enabled at the AWS RDS layer for additional forensic capability. Backup Process Document and File Backups All uploaded supporting documents (borrower docs, appraisals, closing packages, etc.) are stored on AWS EFS, which provides multi-AZ redundancy by default. A scheduled weekly backup process creates additional long-term storage copies. Database Backups

**Transaction logs: **Continuous backup (sub-5-minute granularity) Snapshots: Three full database snapshots taken per day at distributed intervals Retention: 35-day rolling point-in-time recovery (longer retention available on enterprise plans) Replication: Cross-AZ replication on production databases for high availability

Backup Integrity Backup restoration is tested regularly to validate that snapshots are actually recoverable, not just successfully written. We don't rely on the existence of a backup — we rely on the demonstrated ability to restore from it. Disaster Recovery LendingWise maintains a documented Disaster Recovery (DR) plan with defined recovery objectives:

Recovery Time Objective (RTO): ≤ 4 hours Recovery Point Objective (RPO): ≤ 5 minutes

**Server-Level Recovery Daily **server snapshots are maintained for every production server. In the event of a server failure, the failed instance can be replaced by spinning up the most recent snapshot inside our AWS network, reassigning the original IP address, and bringing the new instance online — typically within minutes. The replacement instance assumes the role of the failed machine with no data loss beyond the snapshot interval. Database Recovery Database snapshots are recoverable in approximately 15 minutes. Because snapshots are taken three times daily and continuous transaction-log backups run between snapshots, any data loss during a recovery scenario should be minimal (well within the 5-minute RPO). Document Storage Recovery Document storage is backed up for long-term durability. Uploaded files are stored on AWS EFS with multi-AZ replication; additional periodic backups ensure long-term recoverability even in worst-case scenarios. Cross-Region Failover Automated failover playbooks are in place between us-east-1 and us-west-2. A full region cutover is gated by a human decision (not fully automatic) to prevent unnecessary failovers from transient AWS issues, but the playbook itself is automated end-to-end. DR is tested annually with documented results available to enterprise customers on request. Workforce Continuity LendingWise's engineering and customer success teams have operated fully remote since inception. The company has no physical-office dependency, meaning workforce-disruption events (pandemic, natural disaster affecting a single location) do not impact our ability to support customers. Compliance LendingWise aligns with the following frameworks and regulations: FrameworkStatusSOC 2 (alignment)Aligned to SOC 2 Type II controls; Type I report in progress; Type II audit targeted for completionGLBA Safeguards RuleAligned; Written Information Security Program (WISP) documented and reviewed annuallyCCPA & state privacy lawsCCPA-aligned data subject request workflow and documented privacy policyPCI DSSNo full PAN stored; payment data handled exclusively by PCI-compliant subprocessors (Chargebee for SaaS billing)NIST Cybersecurity FrameworkInternal controls mapped to NIST CSFHMDA / CRASupported via Trinity integration for tenants subject to HMDA/CRA reporting Application Security LendingWise embeds security into the software development lifecycle, not as a post-release audit.

Static Application Security Testing (SAST): Integrated into the CI/CD build pipeline Software Composition Analysis (SCA): Automated open-source dependency scanning on every build Dynamic Application Security Testing (DAST): Periodic, conducted by independent security firm Annual Third-Party Penetration Test: Conducted by an independent security firm; executive summary letter available on request; full report available under NDA Vulnerability Management: Continuous dependency scanning; monthly infrastructure scans; documented patch SLAs Anti-virus / Anti-malware: Server-side scanning on every document upload API Rate Limiting: Per-tenant and per-key rate limits to prevent abuse Web Application Firewall (WAF): Cloudflare WAF in front of all customer traffic DDoS Protection: Cloudflare DDoS mitigation (standard and enterprise tiers)

Subprocessors LendingWise uses a small, deliberate set of subprocessors. We maintain a published subprocessor list and provide 30 days' notice for any material change. No customer PII is ever shared with our internal marketing or project management tools. SubprocessorPurposeAmazon Web Services (AWS)Cloud hosting and infrastructureCloudflareCDN, WAF, DDoS protectionSendGridTransactional and outbound emailChargebeeSaaS billing (PCI-compliant)BugSnagApplication error monitoring Personnel Security

Incident Response LendingWise maintains a documented Incident Response (IR) plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident impacting customer data:

Customers will be notified within 72 hours of confirmation Status page updates are posted for any customer-facing impact A post-incident report is provided to affected customers detailing root cause, remediation, and prevention measures

Customer Responsibilities Security is a shared responsibility. While LendingWise is responsible for the platform's infrastructure, application, and operational security, customers are responsible for:

Enforcing MFA on their tenant Managing user accounts and access reviews (off-boarding departing employees promptly) Configuring role-based permissions appropriately for their workflow Protecting administrative credentials Training their internal staff on phishing, credential hygiene, and acceptable use Notifying LendingWise of any suspected security event affecting their tenant

Reporting a Vulnerability If you discover a security vulnerability in LendingWise, please report it responsibly to [email protected]. We commit to acknowledging reports within one business day and providing a status update within five business days.