Bolrach Security

Bank-grade security
by design.

Security is not a feature we bolted on later. It is the frame the whole platform sits inside. Card data is tokenized and never stored in the clear, every byte is encrypted moving and at rest, and access is locked down with passkeys and least privilege. Here is exactly how we protect your money and your customers.

PCI DSS v4.0.1 assessedPAN never stored in the clear
Security postureHealthy
Live
Connection secured
TLS 1.3 · AES-256-GCM · HSTS enforced
Encryption at restAES-256
Card vault tokenizedPAN hidden
Passkey sign-inEnrolled
WAF and bot filteringBlocking
Audit log streamAppend-only
Posture is checked continuously, not once a quarter
AES-256
Data encrypted at rest
TLS 1.3
In transit, everywhere
v4.0.1
PCI DSS standard assessed
24/7
Security monitoring
0
Card numbers stored raw
How we protect you

Six pillars hold the whole thing up.

Each one is a real control with a real owner, not a line on a slide. Together they cover the card, the connection, the account, and the trail everything leaves behind.

SAQ-A

PCI DSS v4.0.1

Card handling is built to the current Payment Card Industry standard. We validate as a SAQ-A merchant, the card number is tokenized on the way in, and the PAN is never written to our stores in the clear.

Segmented cardholder data environment
Always on

Encryption at rest and in transit

Everything on disk is sealed with AES-256, and everything on the wire rides TLS 1.3. Keys live in a hardware security module and rotate on a set cycle, so a stolen backup just reads as noise.

HSM-backed key rotation
Phishing-resistant

2FA and passkeys

Back a password with an authenticator app or a security key, or drop it entirely with a passkey. Passkeys are bound to your device, so they cannot be phished, replayed, or handed over by mistake.

WebAuthn and FIDO2
Filtering

WAF and bot management

A web application firewall sits in front of every request, and a bot layer sorts real people from scripts. Credential stuffing, injection, and volumetric abuse get stopped at the edge before they reach an account.

Rate limits and risk challenges
Append-only

Immutable audit logs

Every sign-in, role change, payout, and API call writes a record you cannot quietly rewrite. See who did what and when, export it, or stream it straight into your own SIEM.

Tamper-evident and exportable
Balanced

Hash-chained ledger

Money moves as balanced double-entry postings, and each entry is chained to the one before it with a cryptographic hash. Change a single historical row and the chain breaks, so the books cannot be edited behind your back.

Every entry links to the last
Defense in depth. No single control has to be perfect. If one layer slips, the next one is already standing behind it.
Encryption everywhere

Locked in transit.
Locked at rest.

Data is protected from the moment a request leaves the browser to the second it settles on disk, and every stage in between. We do not roll our own crypto. We use well known ciphers, current TLS, and a hardware security module to hold the keys nobody should ever touch by hand.

In transit

TLS 1.3 with strong cipher suites and HSTS. Older protocols are turned off, not just discouraged.

At rest

AES-256 on databases, backups, and file storage. A lost drive gives up nothing readable.

Key management

Keys are generated and stored in an HSM, scoped by service, and rotated on a fixed schedule.

Data journeyEncrypted end to end
Customer device

Payment details captured in a sealed field, never exposed to your page.

TLS 1.3
Edge and WAF

Every request is inspected, filtered, and rate limited before it reaches the core.

Filtered
Tokenization

The card number is swapped for a token. The real PAN goes to the vault, not the app.

Tokenized
Storage

Written to disk sealed with AES-256, with keys held in the HSM.

AES-256
Hash-chained ledgerBalanced

Each block carries the hash of the one before it. Rewrite history and the chain stops matching.

entry #10480debit = credit
Wallet:Merchant+$2,400.00
Payable:Payout-$2,400.00
prev genesishash 7c1b…a90f
|
entry #10481debit = credit
Fees:Platform+$48.00
Revenue:Fees-$48.00
prev 7c1b…a90fhash 9f3a…c1e7
|
entry #10482debit = credit
Payable:Payout+$8,650.00
Bank:Settlement-$8,650.00
prev 9f3a…c1e7hash b204…7d55
Ledger integrity

The books cannot be
quietly edited.

Under the hood, money moves as double-entry accounting. Every transaction is two balanced postings, so totals always reconcile. On top of that, each entry is linked to the one before it with a cryptographic hash, which means the history is append-only in the truest sense. You can trust the number because you can prove nobody changed it.

Double-entry postings

Every movement is a debit and a matching credit. The books net to zero, so money cannot appear or vanish.

Hash-chained history

Each entry carries the hash of the entry before it. Alter one historical row and every hash downstream stops matching.

Reconciled continuously

Balances are recomputed and checked against the chain around the clock, not in a month-end scramble.

Audit stream · account acct_bol_47120Append-only
09:14:02auth.passkeySamuel signed in with a passkey from a trusted deviceok
09:16:47role.updateAda granted the Finance role, developer access revokedchange
09:22:10payout.createPayout of $8,650.00 CAD queued, step-up confirmation passedok
09:31:58key.rotateLive API key rotated, old key set to expire in 24 hoursrotate
09:40:33auth.blockedLogin from an unrecognized range blocked before challengedeny
Access and authentication

Easy for you.
Hard for them.

Passwords alone are weak, so we back them with a second factor and offer passkeys that skip the password altogether. Inside an account, every teammate gets only the access their role needs, and sensitive actions ask for a fresh check. Odd sign-ins get challenged automatically.

Passkeys and 2FA

WebAuthn passkeys, security keys, and authenticator apps. SMS is the fallback, not the default.

Role based access

Owner, admin, developer, support, and finance roles, each scoped to least privilege.

Adaptive risk checks

A new device, a new country, or an odd hour triggers a step-up prompt before we let it through.

Sign-in checkAdaptive
1
Identity presented

Passkey on this device matched the account. No password typed.

Passed
2
Device recognized

Known device, trusted for 30 days, matching fingerprint.

Trusted
3
Location sane

Sign-in from Edmonton, the same region as recent activity.

Normal
4
Payout above threshold

Large transfer requested. Step-up confirmation asked for.

Step up
5
Session scoped

Finance role only. Developer and admin surfaces stay hidden.

Least privilege
Every session ends with an idle timeout and a fresh check
Independent assurance

Certified by people who audit for a living.

Our own word is not enough, and we know it. These are the standards we hold ourselves to and the outside reviews that check we actually do. We share reports with partners under NDA.

Assessed

PCI DSS v4.0.1

Payment Card Industry Data Security Standard

Card handling is assessed against the current v4.0.1 standard, with a scoped cardholder data environment and yearly re-validation.

Attestation of compliance
In progress

SOC 2 Type II

Trust Services Criteria, Type II

An independent auditor is testing our security, availability, and confidentiality controls across an observation window. The Type II report lands this year.

Request the report
Planned

ISO 27001

Information Security Management System

An ISO 27001 management system is on the roadmap. We are lining up the controls now, and the external certification audit sits in a later phase.

See the roadmap
Penetration testing
Independent testers probe the platform on a regular cycle
Vendor review
Sub-processors are vetted before they touch any data
Incident response
A written plan, an on-call rotation, and rehearsed drills
Responsible disclosure

Found a bug?
We want to hear it.

Good security researchers make us better, so we treat them as partners, not threats. Report a real issue in good faith and we will confirm we got it fast, keep you posted while we fix it, and credit you if you want the credit. Test against your own accounts, avoid data that is not yours, and give us a reasonable window before you go public.

[email protected] PGP key on file. We aim to acknowledge every report within one business day.
How a report movesGood faith
1
You send it in

Email [email protected] with steps to reproduce and the impact you see. Encrypt it with our PGP key if you like.

2
We acknowledge

You hear back within one business day that a real person has the report and is looking into it.

3
We triage and fix

We confirm the issue, rank the severity, and work a fix. You get status updates the whole way through.

4
We close it out

Once it is patched and verified, we let you know, and we credit you publicly if you want the recognition.

Ground rules
Test on your own accountsUse sandbox and data you own or control
Report promptly and privatelyTell us first, and give us a fair window
No accessing other people dataStop the moment you can prove impact
No denial of serviceDo not degrade the service for real users

Build on a base you can trust.

Start with tokenized cards, encryption, and passkeys on day one. No extra setup, no extra fee.