Last updated: April 2026

Platform Security

How OilFlow protects your data, your deals, and your compliance posture.

Standards & Certifications

SOC 2 Type I

Self-assessed

Management assertion — infrastructure providers independently certified

PCI DSS Level 1

Via Stripe

OilFlow never stores or processes card data

GDPR

Compliant

Data handling & privacy controls

CCPA

Compliant

California privacy rights

Kenya DPA 2019

Compliant

East Africa operations

AML / KYC

Enforced

7-step verification pipeline

OFAC / UN / EU / UK

Active screening

All members & directors

Infrastructure

Single database, single location — hosted on Supabase (AWS), which holds independent SOC 2 Type II certification

PGP symmetric encryption on sensitive fields (email, payment IDs, beneficial owners)

TLS 1.2+ on every connection — HSTS enforced with 1-year policy

Stateless application layer — processes requests, stores nothing

Row-level security — database-enforced access isolation per member

Browser→ TLS →App (stateless)→ TLS →Database (encrypted)

Access Control

Row-level security policies on all database tables

Server-side session verification on every request

Deal room isolation — party membership verified before access

Append-only audit trail with operator ID and timestamp

Security headers: CSP, X-Frame-Options DENY, HSTS, strict-origin referrer

Verification Pipeline

Every member passes all 7 steps. No exceptions.

Sanctions Screening — OFAC SDN, UN, EU, UK lists. Any match = automatic rejection. Non-overridable.

Company Registration — Legal entity confirmed via country-specific registries (SECP, DMCC, EPRA, etc.).

Regulatory License — Country-specific petroleum licenses verified (OGRA, EPRA, EWURA, etc.).

Asset Confirmation — Physical assets verified through independent sources.

Trade References — Two independent references contacted and verified.

Digital Footprint — Website, LinkedIn, and news presence evaluated.

Scam Screening — LOI/ICPO/DLC MT700 pattern detection. Blocklist matching.

Re-screened every 90 days. Any new flag triggers immediate suspension.

Data Handling & AI

Zero retention by AI provider — processed in memory, then discarded

Never used for model training — contractual guarantee via API terms

We share (when required)

Company name with matched counterparties — after both verified

Names with sanctions screening — legal requirement

Billing info with Stripe — PCI DSS Level 1

Anonymized trade specs with AI — no identifiers

We never

Sell or license your data

Share data with competitors

Let AI train on your data

Trade against your deal information

Reveal company details before you confirm interest

Third-Party Processors

Service	Purpose	Compliance
Supabase	Database & auth	SOC 2 Type II
Stripe	Payments	PCI DSS Level 1
Anthropic	AI services	Zero retention
Resend	Transactional email	DPA available
OpenSanctions	Sanctions screening	EU-based

Zero advertising cookies. Zero tracking pixels. Zero analytics scripts.

Incident Response

72-hour breach notification

Per GDPR Article 33. Affected members notified within 72 hours of confirmed breach.

Responsible disclosure

Report vulnerabilities to security@oilflow.us

Review cadence

Internal security reviews conducted as needed.

Your Controls

Export Your Data

Download everything we hold about you as a structured file.

Download →

Delete Your Account

Removed within 24 hours. Compliance records retained per law.

privacy@oilflow.us

Data Access Log

See every access — which system, what purpose, when.

View log →