Skip to content

Trust & Security

Your data, protected with care

Enterprise-grade security architecture, TCSP Licensee status, and PDPO-compliant workflows — every layer watches your back.

Security standards we use

TCSP · Licensee
TLS 1.3 · Encrypted
AES-256 · At rest
Cloudflare · WAF + DDoS
PDPO · Compliant
Stripe · PCI DSS

Six Pillars of Security

TLS 1.3 in transit

All site traffic uses the latest transport-layer encryption; man-in-the-middle interception has no foothold.

AES-256 at rest

Personal data and identity verification documents are stored on Supabase (Singapore) with military-grade AES-256 encryption.

Strict access control (RLS)

Row-Level Security ensures clients see only their own data; staff access requires explicit authorization.

Cloudflare protection

WAF firewall + DDoS mitigation + Bot management across 300+ global edge nodes fend off hostile traffic.

Multi-factor authentication

Client portal supports TOTP two-factor authentication; sensitive actions (identity verification, signing) require verification.

Daily encrypted backups

Data is backed up daily to Cloudflare R2, GPG AES-256 encrypted, with 60-day retention for disaster recovery.

Compliance Framework

TCSP — TCSP Licensee

Licensed by the Hong Kong Companies Registry as a Trust and Company Service Provider, subject to AMLO Cap.615 anti-money-laundering obligations. We operate to TCSP standards — customer due diligence (CDD), ongoing monitoring, and record keeping.

PDPO DPP1-6

Full adherence to the six Data Protection Principles under the Personal Data (Privacy) Ordinance (Cap.486) — collection, accuracy, retention, use, security, transparency, and access rights.

AMLO KYC/CDD

Customer Due Diligence and ongoing monitoring per the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (Cap.615); all clients are identity-verified via IDV.

ISO 27001 in progress

Targeting 2026 H2 kickoff of ISO/IEC 27001:2022 Information Security Management System certification — aiming for internationally recognized security credentials.

Your data rights

Under the PDPO, you have the following rights:

  • Right of access

    Request a copy of personal data we hold about you; we respond within 40 days.

  • Right of correction

    Request correction of inaccurate data.

  • Right of erasure

    After identity verification, we delete your data within 30 working days (except legally retained records).

  • Right to portability

    Receive your data in a portable, commonly used format.

  • Withdraw consent

    Withdraw consent at any time — cookies, marketing email, AI chatbot, etc.

Read the full Privacy Policy · Terms of Service

Security incident reporting

Spotted a vulnerability, lost account access, or suspect a data breach? Contact our security team immediately. We commit to an initial response within 24 hours and will notify the PCPD (Office of the Privacy Commissioner for Personal Data) within 5 working days if personal data is involved.

Send a security report
Final Step

Ready to start your company?

Incorporated in as few as 3 days · Zero risk throughout · 30-day money-back guarantee

Get Started
TCSP Licensee HK Registered Accountant Stripe encrypted payments