Security
Built for financial data, designed for trust.
Mainstreetspine handles ACH transactions, RTP settlements, sub-ledger entries, and KYB business identity data. The security architecture here reflects what banking infrastructure actually requires — not a SaaS security checkbox page.
Compliance framework
Regulatory compliance is our responsibility, not yours.
As the BaaS infrastructure provider, Mainstreetspine maintains the regulatory compliance layer on behalf of our platform partners. You integrate our API; we manage the program. We're not a bank — we're a BaaS aggregator operating through a bank partner, which means our BSA/AML program, Reg E obligations, and NACHA originator responsibilities sit with us, not with your engineering team.
BSA/AML Program
Mainstreetspine maintains a Bank Secrecy Act / Anti-Money Laundering compliance program designed with our banking partner. Transaction monitoring, SAR filing procedures, and OFAC screening are all managed at the infrastructure layer.
KYB Verification
Know-Your-Business checks run on every business entity onboarded through our platform. Beneficial owner verification, EIN validation, and state registration checks are included, and KYB outcome webhook events are delivered in real time.
NACHA Rules Compliance
All ACH transactions processed through Mainstreetspine comply with NACHA Operating Rules. Return rate monitoring, proper SEC code usage, and same-day ACH eligibility rules are enforced at the API layer before submission.
Reg E Dispute Handling
Regulation E error resolution procedures apply to consumer transactions processed through our rails. Mainstreetspine provides the dispute intake workflow and investigation support as part of the Growth and Scale tiers.
Data residency
All data stored and processed in the United States.
Financial transaction data, virtual account records, sub-ledger entries, and KYB information are stored exclusively in US-based cloud infrastructure. No data is transferred to non-US servers.
Our infrastructure is hosted on AWS us-east-1 (Virginia) with backup to us-west-2 (Oregon). Databases are encrypted at rest with AES-256, and all inter-service communication is encrypted in transit with TLS 1.3 at minimum.
Platform partner data and SMB entity data are logically isolated at the database layer. No cross-platform data sharing occurs.
Data handling summary
Access controls
Least-privilege by design.
API access uses scoped bearer tokens. No single credential can access all platform data or initiate all transaction types.
| API Token Scope | Permitted Actions | Restricted From |
|---|---|---|
| read:accounts | List and retrieve virtual account details, balances, transaction history | Initiate payments, modify account settings |
| write:payments | Initiate ACH, RTP, FedNow transfers from authorized accounts | Create new virtual accounts, access ledger admin |
| read:ledger | Query sub-ledger entries, export reconciliation data | Create journal entries, initiate adjustments |
| write:kyb | Submit KYB verification requests for business entities | Override KYB decisions, access raw verification data |
| admin | Full platform management, webhook configuration, key rotation | Cross-platform access, banking partner infrastructure |
Audit trail
Every action logged. Every transaction traceable.
Every API call, payment initiation, KYB status change, and ledger entry generates an immutable audit event. Audit logs are retained for 7 years per financial regulatory requirements.
- Immutable audit log with timestamp and requesting API credential
- Full request/response capture for payment transactions
- KYB decision audit trail including verification source data
- Sub-ledger journal entry provenance — every debit/credit sourced to API event
- Webhook delivery log with retry history and final disposition
Audit data is accessible to platform partners via the partner portal and bulk export APIs. Use it for your own compliance audits, reconciliation, or customer dispute investigation.
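As an added illustration, not Mainstreetspine's own code, the following shows how the scope table and the audit trail described above fit together: a deny-by-default authorization check that enforces the per-scope permissions and the per-platform isolation before any scope is consulted, and that records every decision (timestamp, requesting credential, outcome) as a hash-chained audit event so tampering with the log is detectable. The action names, credential ids and platform ids are assumed for illustration.

```python
import hashlib, json
from dataclasses import dataclass
from datetime import datetime, timezone

# Scope -> permitted actions from the table above; action names are assumed for illustration.
SCOPE_ACTIONS = {
    "read:accounts":  {"accounts.list", "accounts.get", "accounts.history"},
    "write:payments": {"payments.ach", "payments.rtp", "payments.fednow"},
    "read:ledger":    {"ledger.query", "ledger.export"},
    "write:kyb":      {"kyb.submit"},
    "admin":          {"webhooks.configure", "keys.rotate"},
}
ALL_ACTIONS = frozenset().union(*SCOPE_ACTIONS.values())
AUDIT_LOG = []  # in-memory stand-in for an append-only audit sink

@dataclass(frozen=True)
class Token:
    credential_id: str   # opaque id of the API credential, never the secret itself
    platform_id: str     # the platform partner this token is bound to
    scopes: frozenset

def _digest(event):
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()

def authorize(token, platform_id, action):
    """Deny-by-default decision, recorded to the audit log; isolation is checked before scopes."""
    if token.platform_id != platform_id:
        decision = (False, "cross-platform access denied")   # applies even to 'admin'
    elif action not in ALL_ACTIONS:
        decision = (False, "unknown action")
    else:
        granting = sorted(s for s in token.scopes if action in SCOPE_ACTIONS.get(s, ()))
        decision = (True, f"granted by {granting[0]}") if granting else (False, "no scope grants this action")
    event = {"ts": datetime.now(timezone.utc).isoformat(), "credential_id": token.credential_id,
             "platform_id": platform_id, "action": action, "allowed": decision[0],
             "reason": decision[1], "prev": AUDIT_LOG[-1]["hash"] if AUDIT_LOG else ""}
    event["hash"] = _digest(event)  # chain each event to its predecessor
    AUDIT_LOG.append(event)
    return decision

def audit_chain_intact(log=AUDIT_LOG):
    """Recompute the hash chain; False if any event was altered or dropped."""
    prev = ""
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```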
Retention schedule
- Payment records: 7 years
- KYB records: 5 years after account closure
- API access logs: 2 years
- Webhook delivery logs: 90 days
Security questions before you integrate?
We'll walk through our BSA/AML program, data residency details, API token scoping, and audit log access in a technical call. Contact Brett or Devon at [email protected].