Built to be trusted.
How we protect data, and how to report a problem. Effective June 2026.
Data governance isn’t a feature we bolted on; it’s the foundation. Customer and counterparty data sits on a bank-grade ledger, each party’s information isolated from every other’s, under audit logs that can’t be edited or erased. The standards below are how we hold that line.
I. How we protect it.
Encryption in transit and at rest. Least-privilege access, granted by role and reviewed. A strict separation of duties — a Chinese wall — between parties whose interests shouldn’t mix. Every access leaves an immutable trail a person can audit. And we diligence the vendors we depend on before we trust them with anything.
II. Reporting a vulnerability.
If you’ve found a security issue, tell us — we’d rather hear it from you than read about it later. Write counsel@estableco.com with the subject “Security,” the steps to reproduce, and anything we need to confirm it. We’ll acknowledge that we received it and keep you posted as we work it.
III. Working in good faith.
We won’t pursue good-faith research that respects privacy, avoids degrading the service, and accesses no more data than is needed to demonstrate the issue. Give us reasonable time to fix what you find before disclosing it publicly. We don’t yet run a paid bounty; we do credit the people who help us, with their permission.
IV. Machine-readable.
Our disclosure contact is also published at /.well-known/security.txt, per RFC 9116. Anything not covered here goes to counsel@estableco.com.