Security & Compliance

Built for regulated financial institutions.

Mintstone is designed from the ground up for UK development finance lenders operating under PRA oversight. Here's everything you need for vendor due diligence.

Compliance status

Our current security & compliance posture

Updated April 2026. We are transparent about what is in place today and what is on our roadmap.

UK GDPR / DPA 2018

Live

DPA in place with all sub-processors. Privacy policy published. Data subject rights procedures implemented.

Cyber Essentials (UK)

In Progress

Application in progress. Controls are aligned with Cyber Essentials requirements.

ISO 27001

In Progress

Controls aligned with ISO 27001 Annex A. Formal certification on our roadmap.

SOC 2 Type II

Planned

On our roadmap as customer base scales. Available on request for Enterprise customers.

AI Sub-processor DPAs

Live

Data Processing Agreements in place with OpenAI and Anthropic covering GDPR-compliant AI usage and data handling obligations.

Penetration Testing

Planned

Independent third-party penetration test planned prior to enterprise customer onboarding. Not yet conducted.

Legal & policy documents

Everything you need for vendor onboarding

Standard legal documents are available below. Enterprise customers receive an executed MSA and DPA; contact us to initiate.

Terms of Service

Governs all use of the Mintstone platform, including user obligations, IP, liability limitations, and acceptable use.

View Terms

Privacy Policy

How Mintstone collects, uses, stores, and protects personal data in accordance with UK GDPR and DPA 2018.

View Privacy Policy

Data Processing Agreement

Article 28 UK GDPR compliant DPA. Covers sub-processor list, security measures, breach notification, and data subject rights.

View DPA

Executed version available on request for customers

Master Services Agreement

Enterprise contract template covering service scope, SLAs, IP ownership, confidentiality, liability, and termination.

View MSA Template

Executed version provided at contract stage

Information Security Policy

Mintstone's security controls: encryption, access controls, vulnerability management, incident response, and infrastructure security.

View Security Policy

Business Continuity Policy

RTO/RPO targets, backup procedures, disaster recovery scenarios, and incident severity classification.

View BCP

Data Retention & Erasure Schedule

How long each category of personal data is retained, the legal basis, and deletion methods. Covers all ROPA processing activities.

View Retention Schedule

Legitimate Interests Assessments

ICO three-part test (purpose, necessity, balancing) for all processing activities relying on Article 6(1)(f) lawful basis.

View LIAs

Data Protection Impact Assessments

Article 35 DPIAs for Open Banking transaction processing and AI document analysis. Completed before first customer data processed.

View DPIAs
Security controls

How we protect your data

Key technical and organisational measures in place today.

Encryption everywhere

TLS 1.2+ in transit. AES-256 at rest across database (AWS RDS) and file storage (AWS S3, eu-west-2).

Tenant isolation

All data scoped by organisation ID at the database layer. Cross-tenant access is architecturally prevented.

Access controls

Role-based access (RBAC), MFA enforced for admin access, least-privilege principles throughout.

UK data residency

Primary infrastructure in AWS eu-west-2 (London). Data does not leave the UK/EEA without contractual safeguards.

Rate limiting & CSRF protection

All API endpoints protected against abuse, brute force, and cross-site request forgery.

Audit logging

All significant user actions logged with timestamps. Infrastructure logs retained for a minimum of 90 days.

Sub-processors

Third-party services we use

Full details including transfer mechanisms are in the DPA Schedule 3. Key sub-processors are listed below.

ProviderServiceLocation
Amazon Web ServicesCloud infrastructure, database, file storage馃嚞馃嚙 UK (eu-west-2, London)
VercelApplication hosting, edge compute馃嚭馃嚫 USA (EU edge nodes available)
TrueLayerOpen banking, bank connection and transaction data馃嚞馃嚙 UK (FCA regulated)
OpenAIAI document analysis (zero data retention API) 路 DPA in place馃嚭馃嚫 USA (SCCs in place)
AnthropicAI analysis tasks 路 DPA in place馃嚭馃嚫 USA (SCCs in place)
PropertyDataProperty market data馃嚞馃嚙 UK
Regulatory status

Software provider, not a regulated firm

A clear statement of what Mintstone is, and is not, for your compliance and procurement teams.

Mintstone Ltd (Company No. 17105543) is not authorised or regulated by the Financial Conduct Authority or Prudential Regulation Authority. Mintstone provides software tools to FCA/PRA-regulated lenders.

All risk weight classifications, covenant assessments, regulatory capital calculations, and submissions to the PRA remain the sole responsibility of the lender's credit and risk functions. Mintstone surfaces evidence and calculations for review; the regulated firm makes and owns every regulatory decision.

Open banking data is accessed via TrueLayer, an FCA-authorised Account Information Service Provider (AISP), under TrueLayer's permission and consent framework.

Get in touch

Due diligence & compliance enquiries

For vendor due diligence packs, executed DPA/MSA requests, or security questionnaires.

All enquiries
contact@mintstone.co.uk

DPA, MSA, vendor questionnaires, security incidents, product questions