Security & Compliance

Built for regulated financial institutions.

Mintstone is designed from the ground up for UK development finance lenders operating under PRA oversight. Here's everything you need for vendor due diligence.

πŸ›οΈ

FCA Regulatory Sandbox: Application in Progress

Mintstone has applied to the FCA's Regulatory Sandbox, which provides supervised testing for firms developing innovative products that address genuine regulatory needs. Our application covers ADC loan monitoring under PS 1/26 and UK CRR requirements.

FCA Regulatory Sandbox · Financial Conduct Authority · 12 Endeavour Square, London E20 1JN

Compliance status
Our current security & compliance posture
Updated April 2026. We are transparent about what is in place today and what is on our roadmap.

UK GDPR / DPA 2018: Live
DPA in place with all sub-processors. Privacy policy published. Data subject rights procedures implemented.

FCA Regulatory Sandbox: Applied
Application submitted to the FCA Regulatory Sandbox. Covers ADC loan monitoring under PS 1/26 and UK CRR.

Cyber Essentials (UK): In Progress
Application in progress. Controls are aligned with Cyber Essentials requirements.

ISO 27001: In Progress
Controls aligned with ISO 27001 Annex A. Formal certification on our roadmap.

SOC 2 Type II: Planned
On our roadmap as our customer base scales. Available on request for Enterprise customers.

AI Sub-processor DPAs: Live
Data Processing Agreements in place with OpenAI and Anthropic covering GDPR-compliant AI usage and data handling obligations.

Penetration Testing: In Progress
Third-party penetration test planned prior to Enterprise customer onboarding.

Legal & policy documents
Everything you need for vendor onboarding
Standard legal documents are available below. Enterprise customers receive an executed MSA and DPA; contact us to initiate.

Terms of Service

Governs all use of the Mintstone platform, including user obligations, IP, liability limitations, and acceptable use.

View Terms →

Privacy Policy

How Mintstone collects, uses, stores, and protects personal data in accordance with UK GDPR and DPA 2018.

View Privacy Policy →

Data Processing Agreement

Article 28 UK GDPR compliant DPA. Covers sub-processor list, security measures, breach notification, and data subject rights.

View DPA →
Executed version available on request for customers

Master Services Agreement

Enterprise contract template covering service scope, SLAs, IP ownership, confidentiality, liability, and termination.

View MSA Template →
Executed version provided at contract stage

Information Security Policy

Mintstone's security controls: encryption, access controls, vulnerability management, incident response, and infrastructure security.

View Security Policy →

Business Continuity Policy

RTO/RPO targets, backup procedures, disaster recovery scenarios, and incident severity classification.

View BCP →

Data Retention & Erasure Schedule

How long each category of personal data is retained, the legal basis, and deletion methods. Covers all ROPA processing activities.

View Retention Schedule →

Legitimate Interests Assessments

ICO three-part test (purpose, necessity, balancing) for all processing activities relying on Article 6(1)(f) lawful basis.

View LIAs →

Data Protection Impact Assessments

Article 35 DPIAs for Open Banking transaction processing and AI document analysis. Completed before first customer data processed.

View DPIAs →

How we protect your data
Key technical and organisational measures in place today.

Encryption everywhere

TLS 1.2+ in transit. AES-256 at rest across database (AWS RDS) and file storage (AWS S3, eu-west-2).

Tenant isolation

All data scoped by organisation ID at the database layer. Cross-tenant access is architecturally prevented.

Access controls

Role-based access (RBAC), MFA enforced for admin access, least-privilege principles throughout.

UK data residency

Primary infrastructure in AWS eu-west-2 (London). Data does not leave the UK/EEA without contractual safeguards.

Rate limiting & CSRF protection

All API endpoints protected against abuse, brute force, and cross-site request forgery.

Audit logging

All significant user actions logged with timestamps. Infrastructure logs retained for a minimum of 90 days.

Third-party services we use
Full details, including transfer mechanisms, are in Schedule 3 of the DPA. Key sub-processors are listed below.
Provider            | Service                                                        | Location
Amazon Web Services | Cloud infrastructure, database, file storage                   | 🇬🇧 UK (eu-west-2, London)
Vercel              | Application hosting, edge compute                              | 🇺🇸 USA (EU edge nodes available)
TrueLayer           | Open banking, bank connection and transaction data             | 🇬🇧 UK (FCA regulated)
OpenAI              | AI document analysis (zero data retention API) · DPA in place  | 🇺🇸 USA (SCCs in place)
Anthropic           | AI analysis tasks · DPA in place                               | 🇺🇸 USA (SCCs in place)
PropertyData        | Property market data                                           | 🇬🇧 UK

Regulatory status: Mintstone Ltd (Company No. 17105543) is not authorised or regulated by the Financial Conduct Authority or Prudential Regulation Authority. Mintstone provides software tools to FCA/PRA-regulated firms. All regulatory capital calculations, risk-weighted asset determinations, and submissions to the PRA remain the sole responsibility of the regulated firm. Mintstone has applied to the FCA Regulatory Sandbox; that application is currently in progress.

Get in touch
Due diligence & compliance enquiries
For vendor due diligence packs, executed DPA/MSA requests, or security questionnaires.

All enquiries

contact@mintstone.co.uk

DPA, MSA, vendor questionnaires, security incidents, product questions