Security Architecture

Security, Isolation, and Verifiable Evidence

Settler is designed so that every reconciliation run produces evidence you can verify, every action leaves a traceable record, and your data stays in your infrastructure.

Read the Quickstart Browse Docs

Security Architecture

Tenant Isolation

All data is hard-partitioned by tenant at the database, API, and runtime layer. No shared state, no cross-tenant data leakage.

Row-level security in PostgreSQL
API keys scoped to tenant context
Runtime isolation enforced server-side

Immutable Audit Trails

Every action, every reconciliation run, and every mismatch review is logged with tamper-evident records. Logs cannot be modified after creation.

Append-only audit log schema
Actor + timestamp + payload on every event
Exportable for compliance ingestion

Cryptographic Evidence

Reconciliation runs produce SHA-256 hash chains over the evidence payload. Any post-run modification to results is immediately detectable.

SHA-256 per-run evidence hashes
Hash chain links sequential runs
Verifiable without re-running

Human-in-the-Loop Review

Settler does not make autonomous financial decisions. Every flagged mismatch requires explicit human review and resolution before closing.

Manual override with documented reason
Role-based review permissions
Full review history retained

Access Controls

Role-based access control with principle of least privilege. Workspace admins control who can read, approve, and export reconciliation data.

Owner / Admin / Reviewer / Viewer roles
Workspace-scoped API keys
SSO / OAuth via standard providers

Self-Hostable

Deploy Settler inside your own infrastructure. Your financial data never transits a Settler-managed network unless you opt into the managed cloud.

Docker Compose and Kubernetes targets
No telemetry by default in self-hosted mode
Apache 2.0 license — inspect and audit the source

Compliance Readiness

Settler is not a compliance certification. It is infrastructure that makes compliance evidence collection tractable. The following properties are structural — not add-ons.

Audit-trail export compatible with SOC 2 evidence collection
Data residency controls for GDPR and regional requirements
Configurable retention policies for reconciliation records
Role-separation between data access and configuration
Webhook delivery with signed payloads for downstream audit systems
No training data exfiltration — AI review layer is stateless per run

Responsible Disclosure

Found a security vulnerability? Please report it responsibly. We take all reports seriously and respond promptly.

Security Architecture

Security, Isolation, and Verifiable Evidence

Settler is designed so that every reconciliation run produces evidence you can verify, every action leaves a traceable record, and your data stays in your infrastructure.

Read the Quickstart Browse Docs

Security Architecture

Tenant Isolation

All data is hard-partitioned by tenant at the database, API, and runtime layer. No shared state, no cross-tenant data leakage.

Row-level security in PostgreSQL
API keys scoped to tenant context
Runtime isolation enforced server-side

Immutable Audit Trails

Every action, every reconciliation run, and every mismatch review is logged with tamper-evident records. Logs cannot be modified after creation.

Append-only audit log schema
Actor + timestamp + payload on every event
Exportable for compliance ingestion

Cryptographic Evidence

Reconciliation runs produce SHA-256 hash chains over the evidence payload. Any post-run modification to results is immediately detectable.

SHA-256 per-run evidence hashes
Hash chain links sequential runs
Verifiable without re-running

Human-in-the-Loop Review

Settler does not make autonomous financial decisions. Every flagged mismatch requires explicit human review and resolution before closing.

Manual override with documented reason
Role-based review permissions
Full review history retained

Access Controls

Role-based access control with principle of least privilege. Workspace admins control who can read, approve, and export reconciliation data.

Owner / Admin / Reviewer / Viewer roles
Workspace-scoped API keys
SSO / OAuth via standard providers

Self-Hostable

Deploy Settler inside your own infrastructure. Your financial data never transits a Settler-managed network unless you opt into the managed cloud.

Docker Compose and Kubernetes targets
No telemetry by default in self-hosted mode
Apache 2.0 license — inspect and audit the source

Compliance Readiness

Settler is not a compliance certification. It is infrastructure that makes compliance evidence collection tractable. The following properties are structural — not add-ons.

Audit-trail export compatible with SOC 2 evidence collection
Data residency controls for GDPR and regional requirements
Configurable retention policies for reconciliation records
Role-separation between data access and configuration
Webhook delivery with signed payloads for downstream audit systems
No training data exfiltration — AI review layer is stateless per run

Responsible Disclosure

Found a security vulnerability? Please report it responsibly. We take all reports seriously and respond promptly.