Last updated: May 28, 2026
Caplift is built around layered controls for authentication, validation, compliance gating, auditability, and controlled access to marketplace and underwriting workflows. The platform is designed to favor deterministic and explainable behavior over opaque or uncontrolled automation.
Access to sensitive features is derived from authenticated user state, role, account tier, and compliance metadata, and is enforced at the server level. Institutional and marketplace features (currently under development) are designed to require verified investor status, jurisdiction eligibility, and compliance clearance before any access is granted. These controls are enforced server-side and cannot be bypassed through client-side state.
Investor onboarding includes staged identity, accreditation, KYC/AML, disclosure, and signature workflows. Additional suitability, jurisdiction, target-market, explainability, reserve-control, and audit constraints are applied in specific marketplace and structured-credit flows.
Caplift implements CORS restrictions, security-header configuration, validation limits, audit logging, and deterministic fallback behavior for degraded external services. Production systems use hardened hosting, secrets management, monitoring, and infrastructure controls.
Caplift includes structured audit logging and durable control logging patterns for key compliance, reserve, and transactional workflows. These controls are intended to support internal review, incident response, regulatory examination readiness, and investor diligence.
No system can guarantee full legal or security compliance across all jurisdictions. Formal readiness depends on configuration, vendor management, access governance, incident response, penetration testing, legal documentation, data mapping, retention enforcement, and independent review.
Security concerns may be reported to admin@caplift.ca.