Trust center · Security
Security & compliance
For: Chief Compliance Officer, Risk, Internal Audit, Information Security, Vendor Management, and legal counsel conducting vendor diligence.
Not for: ClawQL MCP or Kubernetes hardening — request the ClawQL security package separately under NDA.
Summary
See The Greens is built for regulated lending. Security and compliance controls are part of the baseline product, not a paid add-on.
| Control area | Summary |
|---|---|
| Access | Role-based access; least privilege for processors, underwriters, admins, and integrations |
| Data protection | Encryption in transit and at rest; tenant isolation in multi-tenant deployments |
| Audit | Tamper-evident activity records for document touches, system recommendations, and human decisions |
| Human oversight | Licensed staff retain credit and underwriting authority; AI pre-processes and suggests |
| Compliance support | Configurable rules for TRID, RESPA, ATR/QM, and investor overlays — continuous checks, not only post-close QC |
Who should read which section
| Your role | Start here |
|---|---|
| Compliance / Legal | Regulatory alignment, Audit and exam support |
| InfoSec / Vendor risk | Data handling, Identity & access, Infrastructure |
| Internal audit / QC | Audit and exam support, Human-in-the-loop |
| Production / Ops | Human-in-the-loop — day-to-day gates and overrides |
Data handling
What data the system processes
- Loan and borrower metadata you provide (loan number, milestone, program, investor)
- Documents uploaded to the loan file (PDF, images, common office formats)
- Extracted fields derived from those documents (amounts, dates, employer names, etc.)
- Activity records (who uploaded, what the system recommended, what a human accepted or changed)
See The Greens does not require you to send data to a public LLM for core document validation. Extraction and validation run in your contracted deployment boundary.
Sensitive data
- PII and NPI handled according to your policies and applicable law (GLBA, state privacy rules, etc.)
- Redaction can run before long-term storage when your overlay requires it
- Retention periods are configurable to match your records management policy
Encryption
| State | Standard |
|---|---|
| In transit | TLS 1.2+ for all client and API connections |
| At rest | Industry-standard encryption for databases and object storage |
Vendor agreements
Data Processing Agreement (DPA) available for lenders handling NPI under GLBA — request via security@seethegreens.com. Business Associate Agreements (BAA) available where applicable for partners with HIPAA obligations.
Data residency
Dedicated and self-hosted options support US-only or customer-specified region requirements. Confirm residency in your order form and DPA.
Identity and access
Role-based access control (RBAC)
| Typical role | Access pattern |
|---|---|
| Processor | Assigned loans; upload docs; clear conditions; no system config |
| Underwriter | Read file + extractions; decision authority per your policy |
| Admin / Ops | Configure rules, overlays, integrations |
| Integration service account | Scoped API keys — read and/or write per integration |
| Auditor (read-only) | Export activity and document history; no production changes |
Separation of duties: configuration changes can require admin roles distinct from day-to-day processing.
Authentication
- SSO / SAML / OIDC for enterprise identity providers
- MFA enforced when your IdP requires it
- API credentials rotated on a schedule you define; keys not shared across environments
Human-in-the-loop
See The Greens is not an autonomous underwriting engine.
| Step | Responsibility |
|---|---|
| Document read & classify | System — automated |
| Guideline check | System — automated against your rules |
| Low-confidence extraction | Human — processor validates in review queue |
| Credit / UW decision | Human — licensed staff only |
| Condition cleared | Human — processor / UW confirms; system tracks |
When AI confidence falls below your threshold, the loan does not silently proceed; it is routed to the human review queue for a processor to validate before the file moves on.
Audit and exam support
What gets recorded
- Timestamp and actor (user or integration)
- System recommendation (e.g. "create LOX for $48,500 deposit")
- Human action (accepted, modified, rejected)
- Rule or overlay version that fired (when applicable)
Records are designed to be tamper-evident — suitable for investor repurchase defense, internal QC, and regulatory exam prep.
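To show what "tamper-evident" means in practice for the fields listed above, here is an added example (not See The Greens' own code or schema): each activity record carries a SHA-256 over its own fields plus the hash of the previous record, so editing or deleting any entry breaks the chain from that point on. Loan numbers, user names, rule versions and timestamps are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # chain anchor for the first record
@dataclass
class ActivityRecord:
    ts: str              # timestamp
    actor: str           # user or integration service account
    loan: str            # loan number the event belongs to
    recommendation: str  # what the system recommended
    human_action: str    # accepted / modified / rejected / pending
    rule_version: str    # rule or overlay version that fired ("" if none)
    prev_hash: str       # entry_hash of the preceding record
    entry_hash: str = "" # SHA-256 over every other field

def entry_digest(rec: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    body = {k: v for k, v in rec.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

class ActivityLog:
    def __init__(self):
        self.records = []
    def append(self, ts, actor, loan, recommendation, human_action, rule_version=""):
        prev = self.records[-1].entry_hash if self.records else GENESIS
        rec = ActivityRecord(ts, actor, loan, recommendation, human_action, rule_version, prev)
        rec.entry_hash = entry_digest(asdict(rec))
        self.records.append(rec)
        return rec.entry_hash
    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.prev_hash != prev or entry_digest(asdict(rec)) != rec.entry_hash:
                return i
            prev = rec.entry_hash
        return -1
    def trace(self, loan):
        """All records for one loan, in order: the single trace an examiner asks for."""
        return [r for r in self.records if r.loan == loan]

def build_sample_log():
    # Constructed sample events; loan number, user names and rule versions are hypothetical.
    log = ActivityLog()
    log.append("2024-05-01T14:02:11Z", "system", "LN-1001",
               "create LOX for $48,500 deposit", "pending", "overlay-v3")
    log.append("2024-05-01T14:10:45Z", "processor:jdoe", "LN-1001",
               "create LOX for $48,500 deposit", "accepted")
    return log
```

A real deployment would also anchor the latest entry_hash somewhere the application cannot rewrite (an external log sink or signed checkpoint), since a chain alone only proves consistency, not that the whole history was replaced.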
QC starts at intake
Defects surface when documents arrive — exam questions like "show me how this LOX was triggered" map to a single trace.
Regulatory alignment
| Area | How the product helps |
|---|---|
| TRID / RESPA | Event-driven disclosure and CoC rules tied to loan milestones |
| ATR/QM | Document completeness checks at intake — configurable to your ATR policy |
| Investor / GSE overlays | Separate rule packs per investor; same engine, different thresholds |
| Fair lending | Human decisions logged; automated steps rule-based and versioned |
| Records retention | Configurable retention and export for your records management |
Important: Final compliance determination remains with your institution.
Infrastructure and operations
Enterprise SIEM integration: security events from See The Greens can be forwarded to your SIEM — Splunk, Datadog, or any webhook-compatible collector — so your InfoSec team monitors vendor activity alongside internal systems.
| Practice | Purpose |
|---|---|
| Container image security | Images scanned for CVEs with SBOM generation; cryptographically signed before every deployment — unverified images are rejected at admission |
| Signed artifacts | Deployments reject unverified container images; production digests tie back to CI-scanned, Cosign-signed releases |
| Secrets management | Integration tokens stored in vault-backed secrets |
| Network isolation | Production environments segmented from development |
| SIEM forwarding | Security events streamed to your SIEM or webhook endpoint — optional, configured per deployment |
Certifications and diligence
Certification status — updated honestly. We do not claim certifications on this site until finalized. Request current status under NDA.
| Topic | Status |
|---|---|
| SOC 2 Type II | In progress — summary available under NDA |
| Penetration testing | Annual third-party test — summary available under NDA |
| Questionnaires | SIG Lite, CAIQ, or custom VRM forms supported |
Contact: security@seethegreens.com
Security FAQ
What happens if AI gets it wrong?
When extraction confidence falls below your threshold, the loan routes to a human review queue before proceeding. AI recommendations are logged alongside human decisions so you can audit every override — suitable for exam prep and repurchase defense.
Does AI make underwriting decisions?
No. AI extracts, classifies, and checks documents against your rules. Credit and underwriting decisions stay with licensed staff.
Can we audit what the system recommended vs what a processor did?
Yes. That comparison is a first-class part of the activity record.
Where is data stored?
In the deployment model you contract for (multi-tenant managed, dedicated VPC, or self-hosted).
Is a DPA available?
Yes. Data Processing Agreements are available for GLBA-covered lenders. Contact security@seethegreens.com during vendor diligence.
Is the platform open source?
The orchestration platform (ClawQL) is open source. See The Greens LOS is the lender product built on that platform.
Request a security diligence pack
Book a demo with your compliance and InfoSec stakeholders on the call.