Data Security

Financial data handled with bank-grade controls

Encryption in transit and at rest. API key + IP allowlist + webhook signing access controls. Data minimization by design — we process transaction metadata, not raw consumer PII beyond what lenders provide.

Security Controls

Built with enterprise security controls

Lendiro's infrastructure security is designed to meet the expectations of regulated financial institutions. We describe controls as implemented — we make no certification claims.

Encryption in transit & at rest

All API traffic requires TLS 1.3+. TLS 1.0 and 1.1 are disabled. Transaction data and decision records are encrypted at rest using AES-256.

Technical details: TLS 1.3 minimum on all endpoints. HSTS enforced. AES-256-GCM for stored data. Key management with automated rotation policy.

Access control architecture

API key authentication with scoped permissions. IP allowlist per API key for production environments. Webhook delivery signed with HMAC-SHA256 for payload verification.

Key rotation: API keys can be rotated via the API with a configurable overlap window. The Lendiro team cannot access your API keys after provisioning.

Data minimization by design

Lendiro processes transaction metadata (date, amount, category, recurrence flag) — not raw consumer PII. Name, SSN, and address are never required by the decisioning API.

What we store: Decision records (score, codes, signals) tied to the lender-provided applicant_ref. The lender controls what applicant_ref maps to in their own system.

Data Handling Policy

What data we process, how long we keep it

Transaction data processing

Lendiro processes bank transaction data submitted via API request. Transaction records are processed in memory to extract signal features; the raw transaction payload is not persisted beyond the active request session unless the lender explicitly opts into transaction storage for audit purposes.

Decision records (output fields: score, signals, reason codes, timestamp, model version) are stored per decision ID in your account and are available for retrieval indefinitely within the terms of service.

Retention and deletion

Transaction payloads: processed and discarded within the request cycle unless transaction storage is opted into. Decision records: retained until account closure or explicit deletion request. Deletion requests processed within 30 days.

See our Privacy Policy for complete data handling terms. API key rotation is available at any time through the API.

Data classification

| Data Type | Classification | Retention |
|---|---|---|
| Transaction payloads | Transient processing | Request cycle only |
| Decision records | Account data | Until account close |
| API keys (hashed) | Credential | Until rotated |
| Audit logs | Operational | 90 days rolling |
| Access logs | Security | 90 days rolling |

Review our security documentation

Security questionnaires and vendor review documentation available on request. Talk to the team if your organization has specific security requirements for API vendors.

Email: [email protected]