Security

A summary for executives and vendor risk reviewers. The full security overview, control matrix, and policy set are available under NDA for qualified pilot institutions.

Deployment

Hosted on AWS in US regions; TLS 1.2 or higher for all data in transit; each institution runs in an isolated environment with its own database and its own secrets.

Data

CheckCheck retains only what your configured storage tier allows; by default, no account-holder non-public personal information (NPI) is stored. Any sensitive fields you choose to retain are treated as NPI under GLBA and encrypted at rest at the field level, so an individual field is protected independently of whole-disk or database-volume encryption.

Access

Role-based access control, isolation between institutions, API keys scoped to a single institution and permission set, and revocable sessions, with a traceable request ID attached to every API call for audit and incident reconstruction.

How we approach security

CheckCheck is built to support the vendor due-diligence process regulated institutions run before onboarding a service provider. Our materials are organized around the FFIEC IT Handbook's vendor-management expectations and the GLBA Safeguards Rule.

Compliance and policies