SOC 1 Type II compliance

Bankful is committed to secure, compliant, and reliable operations—so you can trust every transaction.

We have successfully completed our SOC 1 Type II audit, confirming that our internal controls are not only properly designed, but have been independently tested over time to ensure they operate effectively.

This milestone reinforces our continued investment in secure infrastructure, accurate reporting, and strong operational governance.

What is SOC 1 Type II and why does it matter?

SOC 1 (System and Organization Controls 1) is an independent, third-party audit that evaluates how companies manage controls relevant to financial reporting.

A Type II report goes further than Type I:

  • Type I evaluates whether controls are properly designed at a single point in time.
  • Type II verifies that those controls were tested over a defined audit period and operated effectively.

For platforms like Bankful, this means:

  • Transaction handling is accurate and controlled
  • Financial reporting processes are reliable
  • Access to systems is properly restricted
  • Operational risks are monitored and managed

For merchants and partners, this provides added assurance that the systems supporting your revenue, reconciliation, and reporting are functioning consistently—not just in theory, but in practice.

What was audited?

The SOC 1 Type II audit covered the Bankful Payment Platform and Infrastructure System, including controls related to:

  • Merchant and partner onboarding
  • Transaction routing and refunds
  • Access controls (physical and logical)
  • System monitoring and incident response
  • Change management
  • Partner payouts and settlement processes
  • Business continuity and risk management

These controls were independently tested over the audit period to validate effectiveness.

Does Bankful store card data?

Bankful does not store full primary cardholder data (PAN).

We leverage PCI-compliant partners and tokenization technologies to securely process payment information. Sensitive payment data is handled in accordance with PCI DSS requirements and industry best practices.

How does Bankful keep data safe?

Bankful applies a comprehensive set of security and operational safeguards to protect merchant data and maintain platform reliability, including:

  • Encryption at rest and in transit
  • Multi-factor authentication (MFA)
  • Quarterly access reviews
  • Role-based access controls
  • 24/7 monitoring with alerting and intrusion detection
  • Regular risk assessments and vulnerability scans
  • Formal change management procedures
  • Disaster recovery testing across multiple U.S.-based AWS regions

Our controls are continuously monitored and formally reviewed as part of our compliance program.

Who oversees security?

Bankful maintains a formal security and compliance program led by a designated Security Officer.

Oversight is provided by a Security Steering Committee, with regular reporting to executive leadership and the Board of Directors. This governance structure ensures accountability, risk transparency, and continuous improvement.

How are system changes and incidents handled?

All changes to production systems follow a documented change management process:

  • Changes are reviewed and approved by authorized personnel
  • Code and infrastructure updates are tested prior to release
  • Production access is restricted to authorized team members
  • All changes are logged and auditable

If an incident occurs, Bankful follows a documented incident response plan that includes:

  • Escalation and containment
  • Investigation and root cause analysis
  • Documentation and remediation
  • Notification, if required, in accordance with legal and contractual obligations

Accessing Bankful’s SOC 1 Type II Report

Because the SOC 1 Type II report contains confidential operational details, it is available only under NDA to qualified customers, partners, and auditors.

To request access, please contact: support@bankful.com

Disclaimer

This page is provided for informational purposes only and does not constitute legal, accounting, or compliance advice. Refer to your merchant agreement and official documentation for full details.

Bankful’s commitment to security and assurance

From underwriting and transaction monitoring to settlement and reporting, Bankful’s infrastructure is built on integrity, precision, and protection.

Achieving SOC 1 Type II compliance demonstrates that our controls are not only designed properly but also operating consistently as intended.

We remain committed to maintaining secure systems, transparent operations, and the highest standards of financial integrity—so our merchants can focus on growth with confidence.