Security

How we handle bank statements.

Underwriting data is the most sensitive material in a funder's business. Here is exactly what happens to it inside Vyaso: what we do, what we do not do yet, and what is in progress.

Key takeaways

  • Statements travel over HTTPS only.
  • Analysis runs on dedicated infrastructure. No multi-tenant bleed.
  • PDFs are not retained beyond the analysis run by default; retention is configurable per pilot.
  • Access is gated. Single sign-on and role-based permissions are on the near roadmap.
  • SOC 2 Type II is in progress. Pilot conversations communicate a target audit completion date.

What happens to a file from upload to result.

  1. Upload

    Bank statement PDFs (or CSVs) are uploaded over HTTPS to Vyaso's analysis service. The file is held in memory during parsing.

  2. Parse

    Vyaso extracts transactions, normalizes dates, amounts, and descriptions, and produces a structured representation of every line in the statement.

  3. Analyze

    The structured transactions pass through nine independent detection layers and an agentic synthesis step. The original PDF is referenced for forgery checks but otherwise not re-processed.

  4. Store

    The analysis result (risk score, adjusted revenue, ranked flags, transaction annotations, executive summary) is stored in a per-pilot database for retrieval and re-comparison.

  5. Retain

    The original PDF is not retained beyond the analysis run by default. Per-pilot retention policies are configurable to match your data-handling requirements.

Infrastructure.

Dedicated cloud infrastructure

Analysis runs on dedicated cloud infrastructure provisioned per pilot engagement. No multi-tenant data plane.

HTTPS-only transfer

All data transfer between client and server is over HTTPS with modern TLS. Plaintext upload is rejected.

Roadmap

Encryption at rest

Per-pilot encrypted storage volumes with key management are on the near-term roadmap. Pilot conversations communicate the current state and target.

Who can see what.

Available today

  • Per-pilot credential gating
  • Per-pilot environment isolation
  • CSV and JSON export of every analysis

On the roadmap

  • Single sign-on (SAML / OIDC)
  • Role-based permissions
  • Audit log of every action and analysis
  • Per-user account provisioning and deprovisioning

Compliance, honestly.

Roadmap: In progress

SOC 2 Type II

Vyaso is in active SOC 2 Type II preparation. Pilot conversations include the current state, the target audit completion date, and the auditing firm. We do not claim certification we do not yet hold.

Aligned

GLBA-aligned data handling

We process underwriting data with controls aligned to GLBA principles. Formal attestations beyond GLBA alignment are part of the SOC 2 work above.

Found a security issue?

Email security@vyaso.ai with details of any vulnerability you discover. Please do not publicly disclose until we have had a reasonable opportunity to investigate and respond. We acknowledge reports within 48 hours.

What we don't claim.

  • We do not claim SOC 2 certification we have not yet earned.
  • We do not claim HIPAA compliance. It is not relevant to MCA underwriting and would be misleading.
  • We do not run customer data through any model for training or improvement.
  • We do not retain the original PDF beyond the analysis run by default.
  • We do not claim capabilities we cannot demonstrate in the live product.

Run Vyaso on your portfolio.

Free 30-day pilot. Bring 50–100 files. We'll show you what the model would have flagged, what would have been approved, and how the adjusted revenue compares.

No commitment. No setup fee.