Security & Compliance

Enterprise-grade security for sensitive financial data

Drop.Top by 4Cs B.V. is built from the ground up for multinational finance teams handling material non-public information. SOC 2 Type II certified, GDPR compliant, and ISO 27001 aligned.

SOC 2 Type II

Independently audited annually against all five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

GDPR Compliant

Data Processing Agreements available for all customers. EU data residency option. Right to erasure and data portability fully supported.

ISO 27001 Aligned

Information security management aligned to ISO 27001 standards. Full certification in progress, expected Q3 2026.

Your data is always yours

We treat your subsidiary financial data as the sensitive, confidential material it is. Here's how we protect it at every layer.

AES-256 encryption at rest

All data encrypted using AES-256-GCM. Encryption keys managed via AWS KMS with per-customer key isolation.

TLS 1.3 in transit

All API calls and file transfers enforced over TLS 1.3. HSTS pre-loaded. Certificate transparency logging enabled.

EU data residency

EU customers' data remains in AWS eu-west-1 (Ireland) and eu-central-1 (Frankfurt). No cross-region replication without explicit consent.

Data retention & deletion

Configurable retention policies per cycle. Secure deletion with cryptographic erasure certificates available.

Least privilege by design

Granular role-based access ensures users only see the data they're authorised for.

Role-based access control

Group Controller, Entity Submitter, Auditor, and Read-Only Reviewer roles with field-level permissions.

MFA enforcement

TOTP and hardware key (FIDO2/WebAuthn) supported. MFA can be enforced at the organisation level.

Immutable audit log

Every action logged with timestamp, IP, user, and change detail. Log integrity guaranteed via hash chaining.

Entity data isolation

Submitting entities can only see their own submissions. No cross-entity data leakage by architecture.
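The hash-chained audit log described above, as an added illustration that is not Drop.Top's own code: the record layout, the chaining rule (SHA-256 over the previous link's hash plus the canonical JSON of the entry) and the sample entries are all assumptions. Verification recomputes every link and reports where the chain first breaks, including the case where a tampered record's own hash is recomputed but its successor is not.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed anchor value for the first link; a real system would persist this.
GENESIS = "0" * 64


def canonical(entry: Dict) -> bytes:
    # Stable serialisation so an entry always hashes to the same value.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, entry: Dict) -> str:
    # Each link commits to the previous link's hash and to this entry's content.
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


def append(log: List[Dict], entry: Dict) -> None:
    prev = log[-1]["hash"] if log else GENESIS
    record = dict(entry)
    record["hash"] = link_hash(prev, entry)
    log.append(record)


def verify(log: List[Dict]) -> Tuple[bool, int]:
    """Recompute every link; return (ok, index of the first bad record or -1)."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record["hash"] != link_hash(prev, body):
            return False, i
        prev = record["hash"]
    return True, -1


def demo() -> Tuple[bool, int, int]:
    """Build a three-entry log, alter it, and show what verification reports."""
    log: List[Dict] = []
    # Constructed sample entries using the fields the page lists: timestamp, IP, user, change.
    append(log, {"ts": "2026-01-10T09:00:00Z", "ip": "203.0.113.5", "user": "controller", "change": "opened cycle"})
    append(log, {"ts": "2026-01-10T09:05:12Z", "ip": "203.0.113.7", "user": "submitter", "change": "revenue 1200->1250"})
    append(log, {"ts": "2026-01-10T09:06:30Z", "ip": "203.0.113.5", "user": "controller", "change": "locked entity"})
    clean_ok, _ = verify(log)
    # Alter the middle record after the fact: the chain breaks at index 1.
    log[1]["change"] = "revenue 1200->1200"
    _, first_bad = verify(log)
    # Recomputing only that record's own hash moves the break to index 2, because the
    # next link still commits to the old hash; this is what chaining adds over per-row hashes.
    log[1]["hash"] = link_hash(log[0]["hash"], {k: v for k, v in log[1].items() if k != "hash"})
    _, still_bad = verify(log)
    return clean_ok, first_bad, still_bad
```

Chaining makes in-place edits detectable by anyone holding the current head hash; a party that can rewrite the whole store can still recompute every link, so the head hash is normally anchored somewhere outside that store (for instance, handed to the customer or a separate timestamping service).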

Need our security documentation?

We provide full SOC 2 Type II reports, penetration test summaries, and Data Processing Agreements (DPAs) under NDA to qualified prospects.

Request Security Docs