Security & trust

Books your auditors will love. Controls your security team will sign off on.

NewLedger is built for finance teams that need to prove what happened, who did it, and that nothing else changed. Strong encryption, role-based access, and an immutable audit trail today — with SOC 2 Type II and ISO 27001 on the roadmap. We'd rather tell you exactly where we are than show a logo wall we haven't earned.

  • SOC 2 Type II: Planned — audit in progress
  • ISO 27001: Planned — controls being mapped
  • GDPR: In place — designed for EU residency & DPA
  • CCPA: In place — California consumer privacy

How we protect your data

Six pillars that go all the way down.

Encryption everywhere

Data is encrypted in transit with TLS 1.3 and at rest with AES-256. Database backups are encrypted before they leave the region.

Least-privilege access

Role-based access control with optional SSO/SAML. Every action is scoped to the smallest permission needed to perform it.

Immutable audit trail

Every change to your ledger is captured with actor, timestamp, before/after values, and IP — reviewable by auditors without leaving the app.

Region-pinned data

Choose where your data lives. Default Singapore, with EU and US regions for customers with residency requirements.

Continuous backups

Point-in-time recovery up to 35 days. Daily snapshots replicated across availability zones with quarterly restore drills.

24/7 monitoring + response

Anomaly detection on auth events, change patterns, and infrastructure. On-call rotation for any P0 or P1 incident.

Day-to-day discipline

The posture behind the certifications.

Certificates are easy to claim — and we're not going to until they're earned. What we can show you today is the posture underneath: how the engineering, people, and process discipline actually work, every day.

Engineering

Secure by default

  • Mandatory code review on every change
  • Static analysis + dependency vulnerability scanning in CI
  • Production access through audited bastion only
  • Secrets in HSM-backed vaults, never in code

People

Trained, vetted, scoped

  • Background checks for every employee with production access
  • Annual security and privacy training (mandatory)
  • Quarterly access reviews — privilege expires by default
  • Zero standing prod access — JIT elevation only

Process

Reviewed, drilled, documented

  • SOC 2 Type II audit in progress — controls mapped, evidence collection underway
  • External penetration tests planned twice yearly once GA
  • Documented incident response runbook with public status page
  • Vendor security review on every third-party processor

Data residency

Your data lives where you need it to.

Singapore, Frankfurt, Virginia — choose the region your data is stored in and processed from. Cross-region transfers happen only when you authorize them, and never without an audit record.

EU customers default to Frankfurt (eu-central-1) with DPA in place.
  • APAC: Singapore 🇸🇬
  • EMEA: Frankfurt 🇩🇪
  • Americas: Virginia 🇺🇸

Responsible disclosure

Found something? Tell us — we'll respond within 48 hours.

We work with security researchers to keep NewLedger trustworthy. Email [email protected] with details. We acknowledge within 48 hours, fix critical issues within 7 days, and recognize researchers publicly with consent.
