Bankful’s Commitment to Secure and Compliant Operations
SOC 1 (System and Organization Controls 1) is an independent audit that evaluates the design and effectiveness of internal controls related to financial reporting. Bankful has completed its SOC 1 Type 1 audit, confirming that it has formally designed controls to protect financial data and maintain operational integrity across its systems.
Is Bankful SOC 1 compliant?
Yes. As of August 31, 2025, Bankful successfully completed its SOC 1 Type 1 audit, verified by an independent third-party auditor. The audit confirms that Bankful’s controls were properly designed and operating as of the audit date.
What does the SOC 1 audit cover at Bankful?
The audit includes the Bankful Payment Platform and Infrastructure System. It evaluates control design and implementation related to:
- Merchant and partner onboarding
- Transaction authorization and refund routing
- Logical and physical access control
- System monitoring, backups, and incident response
- Change management
- Residual payments to sales partners
- Risk management and business continuity
Does Bankful store or process cardholder data?
No. Bankful does not store or process raw cardholder data. The platform functions as a tokenized orchestration layer between merchants and payment processors. All card data is tokenized and encrypted to minimize exposure and risk.
How does Bankful protect user data and systems?
Bankful applies industry-standard security measures, including:
- Encryption at rest and in transit
- Multi-factor authentication (MFA) for access
- Quarterly access reviews
- 24/7 monitoring with alerts and intrusion detection
- Annual risk assessments and vulnerability scans
- Regular business continuity and disaster recovery testing
Where is Bankful hosted?
Bankful uses Amazon Web Services (AWS) across multiple U.S. regions. AWS serves as a subservice organization monitored under the carve-out method. Backup and disaster recovery protocols ensure system availability.
Who oversees security at Bankful?
A dedicated Security Officer manages Bankful’s security program, supported by IT, Engineering, and executive teams. The Security Steering Committee meets quarterly and provides an annual report to the Board of Directors.
What controls are in place for change management?
All production system changes must:
- Be approved by IT management
- Be logged and tested before deployment
- Include rollback and validation procedures
- Be performed only by authorized personnel under strict access controls
How does Bankful handle incidents or breaches?
Bankful maintains a documented incident response plan. Any suspicious activity is recorded, escalated, and managed by a trained team. Impacted parties are notified in compliance with applicable laws and contractual obligations.
Can I request a copy of Bankful’s SOC 1 report?
Yes. Current or prospective customers can request a copy of Bankful’s SOC 1 Type 1 report by contacting their Account Manager or submitting a request through the Bankful Support Portal.
For the fastest response time and full tracking, submit a support ticket.
Legal Disclaimer
This FAQ is for informational purposes only and does not constitute legal or compliance advice. Refer to your signed merchant agreement and Bankful’s official compliance documentation for detailed terms and obligations.