Built for regulated financial institutions.
Mintstone is designed from the ground up for UK development finance lenders operating under PRA oversight. Here's everything you need for vendor due diligence.
Our current security & compliance posture
Updated April 2026. We are transparent about what is in place today and what is on our roadmap.
UK GDPR / DPA 2018
LiveDPA in place with all sub-processors. Privacy policy published. Data subject rights procedures implemented.
Cyber Essentials (UK)
In ProgressApplication in progress. Controls are aligned with Cyber Essentials requirements.
ISO 27001
In ProgressControls aligned with ISO 27001 Annex A. Formal certification on our roadmap.
SOC 2 Type II
PlannedOn our roadmap as customer base scales. Available on request for Enterprise customers.
AI Sub-processor DPAs
LiveData Processing Agreements in place with OpenAI and Anthropic covering GDPR-compliant AI usage and data handling obligations.
Penetration Testing
PlannedIndependent third-party penetration test planned prior to enterprise customer onboarding. Not yet conducted.
Everything you need for vendor onboarding
Standard legal documents are available below. Enterprise customers receive an executed MSA and DPA; contact us to initiate.
Terms of Service
Governs all use of the Mintstone platform, including user obligations, IP, liability limitations, and acceptable use.
View TermsPrivacy Policy
How Mintstone collects, uses, stores, and protects personal data in accordance with UK GDPR and DPA 2018.
View Privacy PolicyData Processing Agreement
Article 28 UK GDPR compliant DPA. Covers sub-processor list, security measures, breach notification, and data subject rights.
View DPAExecuted version available on request for customers
Master Services Agreement
Enterprise contract template covering service scope, SLAs, IP ownership, confidentiality, liability, and termination.
View MSA TemplateExecuted version provided at contract stage
Information Security Policy
Mintstone's security controls: encryption, access controls, vulnerability management, incident response, and infrastructure security.
View Security PolicyBusiness Continuity Policy
RTO/RPO targets, backup procedures, disaster recovery scenarios, and incident severity classification.
View BCPData Retention & Erasure Schedule
How long each category of personal data is retained, the legal basis, and deletion methods. Covers all ROPA processing activities.
View Retention ScheduleLegitimate Interests Assessments
ICO three-part test (purpose, necessity, balancing) for all processing activities relying on Article 6(1)(f) lawful basis.
View LIAsData Protection Impact Assessments
Article 35 DPIAs for Open Banking transaction processing and AI document analysis. Completed before first customer data processed.
View DPIAsHow we protect your data
Key technical and organisational measures in place today.
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest across database (AWS RDS) and file storage (AWS S3, eu-west-2).
Tenant isolation
All data scoped by organisation ID at the database layer. Cross-tenant access is architecturally prevented.
Access controls
Role-based access (RBAC), MFA enforced for admin access, least-privilege principles throughout.
UK data residency
Primary infrastructure in AWS eu-west-2 (London). Data does not leave the UK/EEA without contractual safeguards.
Rate limiting & CSRF protection
All API endpoints protected against abuse, brute force, and cross-site request forgery.
Audit logging
All significant user actions logged with timestamps. Infrastructure logs retained for a minimum of 90 days.
Third-party services we use
Full details including transfer mechanisms are in the DPA Schedule 3. Key sub-processors are listed below.
| Provider | Service | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure, database, file storage | 馃嚞馃嚙 UK (eu-west-2, London) |
| Vercel | Application hosting, edge compute | 馃嚭馃嚫 USA (EU edge nodes available) |
| TrueLayer | Open banking, bank connection and transaction data | 馃嚞馃嚙 UK (FCA regulated) |
| OpenAI | AI document analysis (zero data retention API) 路 DPA in place | 馃嚭馃嚫 USA (SCCs in place) |
| Anthropic | AI analysis tasks 路 DPA in place | 馃嚭馃嚫 USA (SCCs in place) |
| PropertyData | Property market data | 馃嚞馃嚙 UK |
Software provider, not a regulated firm
A clear statement of what Mintstone is, and is not, for your compliance and procurement teams.
Mintstone Ltd (Company No. 17105543) is not authorised or regulated by the Financial Conduct Authority or Prudential Regulation Authority. Mintstone provides software tools to FCA/PRA-regulated lenders.
All risk weight classifications, covenant assessments, regulatory capital calculations, and submissions to the PRA remain the sole responsibility of the lender's credit and risk functions. Mintstone surfaces evidence and calculations for review; the regulated firm makes and owns every regulatory decision.
Open banking data is accessed via TrueLayer, an FCA-authorised Account Information Service Provider (AISP), under TrueLayer's permission and consent framework.
Due diligence & compliance enquiries
For vendor due diligence packs, executed DPA/MSA requests, or security questionnaires.
DPA, MSA, vendor questionnaires, security incidents, product questions