Security

Last updated: April 2026

Loanwright is built for mortgage professionals who handle sensitive personal and financial information daily. Security is not an add-on; it is foundational to every technical decision we make.

This page summarizes the technical and organizational controls Loanwright uses to protect your data. If your compliance team needs additional detail for vendor due diligence, contact us at hello@loanwright.io.

Encryption

  • TLS encryption in transit on all connections
  • Encryption at rest via infrastructure providers (Neon PostgreSQL, Vercel)
  • No unencrypted data transfer between services

Authentication and access

  • OAuth 2.0 via Google and GitHub (MFA delegated to identity provider)
  • Session-scoped database queries; every user sees only their own data
  • Server-side ownership verification on every read and write
  • 8-hour maximum session lifetime, chosen to suit financial services use
  • 30-minute inactivity timeout with on-screen warning before automatic sign-out
  • Mandatory affirmative consent before account creation

Upload and document security

  • Magic byte validation on all uploaded files (7 supported formats)
  • Filename sanitization and length limits
  • Private blob storage with server-mediated downloads
  • No direct public URLs to uploaded documents
  • File size limits enforced server-side (10 MB max)

Infrastructure

  • Hosted on Vercel with automatic DDoS protection and an edge network
  • Database hosted on Neon PostgreSQL with SSL-enforced connections
  • Security headers on all responses: CSP, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • X-Powered-By header removed to reduce fingerprinting
  • Secrets stored in environment variables; never exposed to client bundles

Input validation and rate limiting

  • Server-side input validation on every action (string length, enum membership, UUID format, URL host allowlists)
  • Distributed rate limiting via Upstash Redis on all mutation actions, uploads, and API endpoints. Fail-closed in production: if the rate-limiting infrastructure is unavailable, requests are denied rather than allowed.
  • Automatic temporary suspension: users who repeatedly exceed rate limits are suspended for a limited period. All violations and suspensions are logged to the audit trail for admin review.
  • Stripe webhook signature verification with idempotency protection
  • Free-tier limits enforced within database transactions to prevent race conditions
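The fail-closed rate limiting and temporary-suspension behaviour described above, as an added example that is not Loanwright's code. It assumes a hypothetical store interface (get/set/incr with expiry) and an in-memory array as the audit sink, and replaces Upstash Redis with a synchronous in-memory Map so it runs offline; a real Redis client would be async.

```javascript
// Added example, not Loanwright's code: fail-closed rate limiter with
// temporary suspension and audit logging. Store and audit sink are stand-ins.
const WINDOW_MS = 60_000;           // fixed window per user
const LIMIT = 10;                   // requests allowed per window
const STRIKES_BEFORE_SUSPEND = 3;   // over-limit hits before suspension
const SUSPEND_MS = 15 * 60_000;     // length of the temporary suspension

// Minimal key/value store with per-key expiry; the caller passes the clock.
class MemoryStore {
  constructor() { this.entries = new Map(); }
  live(key, now) {
    const e = this.entries.get(key);
    return e && e.expires > now ? e : undefined;
  }
  get(key, now) { const e = this.live(key, now); return e ? e.value : undefined; }
  set(key, value, ttlMs, now) { this.entries.set(key, { value, expires: now + ttlMs }); }
  incr(key, ttlMs, now) {            // counter; a new window starts on expiry
    const e = this.live(key, now);
    const value = e ? e.value + 1 : 1;
    this.entries.set(key, { value, expires: e ? e.expires : now + ttlMs });
    return value;
  }
}

// Returns check(userId, now) -> { allowed, reason }. `audit` is an array
// standing in for the audit trail; a store that throws models an outage.
function createLimiter({ store, audit, production }) {
  return function check(userId, now) {
    let hits;
    try {
      if (store.get(`suspend:${userId}`, now) !== undefined) {
        return { allowed: false, reason: 'suspended' };
      }
      hits = store.incr(`rl:${userId}`, WINDOW_MS, now);
    } catch (err) {
      // Fail closed in production: if the limiter is unreachable, deny.
      audit.push({ event: 'ratelimit.unavailable', userId, error: String(err) });
      return { allowed: !production, reason: 'limiter_unavailable' };
    }
    if (hits <= LIMIT) return { allowed: true, reason: 'ok' };
    const strikes = store.incr(`strikes:${userId}`, SUSPEND_MS, now);
    audit.push({ event: 'ratelimit.exceeded', userId, hits, strikes });
    if (strikes < STRIKES_BEFORE_SUSPEND) return { allowed: false, reason: 'rate_limited' };
    store.set(`suspend:${userId}`, now + SUSPEND_MS, SUSPEND_MS, now);
    audit.push({ event: 'user.suspended', userId, until: now + SUSPEND_MS });
    return { allowed: false, reason: 'suspended' };
  };
}
```

Outside production the same outage path lets the request through, which is what makes the production setting the fail-closed one.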

Audit logging

  • All sensitive operations logged to a tamper-evident audit trail
  • Logged events include: authentication, loan file operations, document uploads/deletions, checklist changes, condition tracking, payment events, AI queries, and inaccuracy reports
  • Admin-only audit log viewer with filtering and pagination

Third-party processors

  • Google and GitHub: authentication only
  • Neon PostgreSQL: database hosting (encrypted at rest and in transit)
  • Vercel: application hosting and private blob storage
  • Stripe: payment processing (PCI DSS compliant; card data never touches our servers)
  • OpenAI: Guideline Search query processing only (no personal or borrower data transmitted; API data not used for model training)

Operational practices

  • Error boundaries prevent information leakage from unhandled errors
  • Redirect URLs validated against provider allowlists before navigation
  • No data sold, shared for marketing, or used beyond service delivery
  • Data deletion available on request within 30 days
  • Privacy Policy and Terms of Service reviewed with every feature release

GLBA vendor compliance

Mortgage brokerages subject to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule are required to verify that their service providers adequately protect consumer data. Loanwright's controls (encryption, access controls, audit logging, private document storage, and MFA via OAuth providers) are designed to satisfy these requirements. For a detailed vendor security questionnaire response or additional documentation, contact hello@loanwright.io.

AI system security

Guideline Search uses AI to summarize published agency mortgage guidelines. User queries are processed server-side; only the question text is sent to OpenAI. No personal information, borrower data, or loan file content is included. OpenAI does not use API data for model training. For full details on our AI practices, see the AI Disclosure.
