See The Greens LOS

Trust center · Security

Security & compliance

For: Chief Compliance Officer, Risk, Internal Audit, Information Security, Vendor Management, and legal counsel conducting vendor diligence.

Not for: ClawQL MCP or Kubernetes hardening — request the ClawQL security package separately under NDA.

Summary

See The Greens is built for regulated lending. Security and compliance controls are part of the baseline product, not a paid add-on.

| Control area | Summary |
| --- | --- |
| Access | Role-based access; least privilege for processors, underwriters, admins, and integrations |
| Data protection | Encryption in transit and at rest; tenant isolation in multi-tenant deployments |
| Audit | Tamper-evident activity records for document touches, system recommendations, and human decisions |
| Human oversight | Licensed staff retain credit and underwriting authority; AI pre-processes and suggests |
| Compliance support | Configurable rules for TRID, RESPA, ATR/QM, and investor overlays — continuous checks, not only post-close QC |

Who should read which section

| Your role | Start here |
| --- | --- |
| Compliance / Legal | Regulatory alignment, Audit & exam support |
| InfoSec / Vendor risk | Data handling, Identity & access, Infrastructure |
| Internal audit / QC | Audit and exam support, Human-in-the-loop |
| Production / Ops | Human-in-the-loop — day-to-day gates and overrides |

Data handling

What data the system processes

  • Loan and borrower metadata you provide (loan number, milestone, program, investor)
  • Documents uploaded to the loan file (PDF, images, common office formats)
  • Extracted fields derived from those documents (amounts, dates, employer names, etc.)
  • Activity records (who uploaded, what the system recommended, what a human accepted or changed)

See The Greens does not require you to send data to a public LLM for core document validation. Extraction and validation run in your contracted deployment boundary.

Sensitive data

  • PII and NPI handled according to your policies and applicable law (GLBA, state privacy rules, etc.)
  • Redaction can run before long-term storage when your overlay requires it
  • Retention periods are configurable to match your records management policy

Encryption

| State | Standard |
| --- | --- |
| In transit | TLS 1.2+ for all client and API connections |
| At rest | Industry-standard encryption for databases and object storage |

Vendor agreements

Data Processing Agreement (DPA) available for lenders handling NPI under GLBA — request via security@seethegreens.com. Business Associate Agreements (BAA) available where applicable for partners with HIPAA obligations.

Data residency

Dedicated and self-hosted options support US-only or customer-specified region requirements. Confirm residency in your order form and DPA.

Identity and access

Role-based access control (RBAC)

| Typical role | Access pattern |
| --- | --- |
| Processor | Assigned loans; upload docs; clear conditions; no system config |
| Underwriter | Read file + extractions; decision authority per your policy |
| Admin / Ops | Configure rules, overlays, integrations |
| Integration service account | Scoped API keys — read and/or write per integration |
| Auditor (read-only) | Export activity and document history; no production changes |

Separation of duties: configuration changes can require admin roles distinct from day-to-day processing.

Authentication

  • SSO / SAML / OIDC for enterprise identity providers
  • MFA enforced when your IdP requires it
  • API credentials rotated on a schedule you define; keys not shared across environments

Human-in-the-loop

See The Greens is not an autonomous underwriting engine.

| Step | Responsibility |
| --- | --- |
| Document read & classify | System — automated |
| Guideline check | System — automated against your rules |
| Low-confidence extraction | Human — processor validates in review queue |
| Credit / UW decision | Human — licensed staff only |
| Condition cleared | Human — processor / UW confirms; system tracks |

When AI confidence falls below your threshold, the loan does not silently proceed.

Audit and exam support

What gets recorded

  • Timestamp and actor (user or integration)
  • System recommendation (e.g. "create LOX for $48,500 deposit")
  • Human action (accepted, modified, rejected)
  • Rule or overlay version that fired (when applicable)

Records are designed to be tamper-evident — suitable for investor repurchase defense, internal QC, and regulatory exam prep.

QC starts at intake

Defects surface when documents arrive — exam questions like "show me how this LOX was triggered" map to a single trace.

Regulatory alignment

| Area | How the product helps |
| --- | --- |
| TRID / RESPA | Event-driven disclosure and CoC rules tied to loan milestones |
| ATR/QM | Document completeness checks at intake — configurable to your ATR policy |
| Investor / GSE overlays | Separate rule packs per investor; same engine, different thresholds |
| Fair lending | Human decisions logged; automated steps rule-based and versioned |
| Records retention | Configurable retention and export for your records management |

Important: Final compliance determination remains with your institution.

Infrastructure and operations

Enterprise SIEM integration: security events from See The Greens can be forwarded to your SIEM — Splunk, Datadog, or any webhook-compatible collector — so your InfoSec team monitors vendor activity alongside internal systems.

| Practice | Purpose |
| --- | --- |
| Container image security | Images scanned for CVEs with SBOM generation; cryptographically signed before every deployment — unverified images are rejected at admission |
| Signed artifacts | Deployments reject unverified container images; production digests tie back to CI-scanned, Cosign-signed releases |
| Secrets management | Integration tokens stored in vault-backed secrets |
| Network isolation | Production environments segmented from development |
| SIEM forwarding | Security events streamed to your SIEM or webhook endpoint — optional, configured per deployment |

Certifications and diligence

Certification status — updated honestly. We do not claim certifications on this site until finalized. Request current status under NDA.

| Topic | Status |
| --- | --- |
| SOC 2 Type II | In progress — summary available under NDA |
| Penetration testing | Annual third-party test — summary available under NDA |
| Questionnaires | SIG Lite, CAIQ, or custom VRM forms supported |

Contact: security@seethegreens.com

Security FAQ

What happens if AI gets it wrong?

When extraction confidence falls below your threshold, the loan routes to a human review queue before proceeding. AI recommendations are logged alongside human decisions so you can audit every override — suitable for exam prep and repurchase defense.

Does AI make underwriting decisions?

No. AI extracts, classifies, and checks documents against your rules. Credit and underwriting decisions stay with licensed staff.

Can we audit what the system recommended vs what a processor did?

Yes. That comparison is a first-class part of the activity record.

Where is data stored?

In the deployment model you contract for (multi-tenant managed, dedicated VPC, or self-hosted).

Is a DPA available?

Yes. Data Processing Agreements are available for GLBA-covered lenders. Contact security@seethegreens.com during vendor diligence.

Is the platform open source?

The orchestration platform (ClawQL) is open source. See The Greens LOS is the lender product built on that platform.

Request a security diligence pack

Book a demo with your compliance and InfoSec stakeholders on the call.