Compliance
Designed for Nacha Phase 2 vendor-verification recordkeeping.
BankChangeGuard is designed to help document one component of your risk-based vendor-account-change control process. We do not provide legal, accounting, insurance, Nacha, or regulatory advice. We do not certify your compliance. We give you records (channel, timestamp, attestation, evidence hash) for your CPA, auditor, and cyber-insurance broker to evaluate, subject to their own review.
Nacha alignment
What BankChangeGuard records, alongside Phase 2 expectations.
| Requirement (Phase 2 effective June 22, 2026) | What BankChangeGuard documents |
|---|---|
| Risk-based account-ownership verification of new vendor accounts | Callback workflow to the previously-verified vendor contact by email, one-time code, recipient attestation captured verbatim. |
| Records that may support customer audit preparation | Per-event audit PDF: timestamps, channel, attestation text, evidence SHA-256 hash, change-detected → verified time delta, subject to your bank, auditor, Nacha obligations, internal controls, and legal/compliance review. |
| Out-of-band verification (not the channel that requested the change) | We send the callback to the contact-on-file from before the change request — not to the email that initiated the change. |
| Originator-side control evidence — not bank-side KYC | BCG records support your originator-side risk management. Your bank still performs its own KYC and Nacha-rule compliance. |
This table addresses vendor account-ownership verification only. Nacha's risk-based fraud-monitoring expectations are broader, and BankChangeGuard is one input to your overall control framework, not a complete program. Phase 1 (effective March 20, 2026) and Phase 2 (effective June 22, 2026) dates are drawn from Nacha ACH Operations Bulletin #1-2024; confirm current requirements against the Nacha rulebook.
What we document
Concrete, exportable evidence of the verification performed.
- Change-logged timestamp (bookkeeper-initiated, user-actor recorded)
- Old account last-4 and new account last-4 (last 4 digits only; full account numbers and routing numbers are never stored)
- Verification channel: email, sent to the previously-verified contact
- Recipient attestation text (verbatim, in the recipient's own words)
- Response timestamp + channel signature
- Evidence SHA-256 hash binding the record to the event
- PDF export with cover page disclosing what the record is, and is not
What we do not claim
What BankChangeGuard does not do.
- BankChangeGuard is NOT Nacha-certified. Nacha does not certify or validate third-party fraud-monitoring products.
- BankChangeGuard does NOT originate ACH transactions, move money, or hold customer funds.
- BankChangeGuard does NOT determine whether any vendor, account, or payment is legitimate or safe, and does NOT guarantee fraud prevention. The decision to release, hold, or escalate a payment is yours.
- BankChangeGuard does NOT independently verify bank-account ownership. Email callback to a previously-verified contact is a workflow control, not bank-account ownership verification.
- No audit PDF guarantees admissibility in court, acceptance by an insurer or auditor, Nacha compliance, or litigation value.
- BankChangeGuard does NOT replace your bank's KYC obligations or your accounting firm's internal controls.
- BankChangeGuard does NOT provide legal, accounting, insurance, Nacha, or regulatory advice. Records are evidence for your CPA, auditor, and cyber-insurance broker to interpret.
Audit PDF: no third-party reliance.
Each audit PDF records only the workflow steps BankChangeGuard performed based on the data you provided. It does not prove that the responding person was authorized, that an email account was uncompromised, that a bank account belongs to a vendor, that you should release payment, or that the record will be accepted by any court, insurer, auditor, bank, regulator, or Nacha participant. BankChangeGuard makes no representation to any third party, and no one should rely on the PDF as proof that any payment is legitimate. The evidence hash is intended to help detect later alteration of the exported record; it is not a forensic certification or independent identity verification. See the no-third-party-reliance clause in the Terms of Service.
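The paragraph above describes what the evidence hash does (binds the exported record to its bytes so later edits are detectable) and what it does not (prove who responded). The following is an added illustration, not BankChangeGuard's own code; the record field names and the sample values are constructed assumptions, and the canonical-JSON serialization is one reasonable way to get a stable hash, not the product's actual format.

```python
import hashlib
import hmac
import json

# Constructed sample event; field names are assumptions, not the product's schema.
# Only last-4 digits are held, matching the page's statement that full account
# and routing numbers are never stored.
SAMPLE_EVENT = {
    "event_id": "evt-example-0001",
    "change_logged_at": "2026-06-23T14:02:11Z",
    "actor": "bookkeeper@example-firm.test",
    "old_account_last4": "4421",
    "new_account_last4": "9087",
    "channel": "email",
    "contact_on_file": "ap@example-vendor.test",
    "attestation": "Yes, we changed our bank account on 20 June. - J. Doe",
    "responded_at": "2026-06-23T15:40:05Z",
}

def canonical_bytes(event: dict) -> bytes:
    """Deterministic serialization: sorted keys and fixed separators, so key order
    or whitespace differences between exporter and verifier cannot change the hash."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def evidence_hash(event: dict) -> str:
    """SHA-256 over the canonical record; this is the value a PDF would print."""
    return hashlib.sha256(canonical_bytes(event)).hexdigest()

def verify_export(event: dict, published_hash: str) -> bool:
    """Recompute from the exported record and compare with the published hash.
    A mismatch means the record changed after export. A match binds these bytes
    to that hash and nothing more: it says nothing about whether the responder
    was authorized or the mailbox was uncompromised."""
    return hmac.compare_digest(evidence_hash(event), published_hash.strip().lower())

def tampered_copy(event: dict) -> dict:
    """Constructed alteration case: the attestation wording is edited after export."""
    altered = dict(event)
    altered["attestation"] = "Yes, please pay the new account immediately."
    return altered

if __name__ == "__main__":
    h = evidence_hash(SAMPLE_EVENT)
    print("original verifies:", verify_export(SAMPLE_EVENT, h))
    print("tampered verifies:", verify_export(tampered_copy(SAMPLE_EVENT), h))
```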
Security
Controls implemented in production.
The controls below are implemented in production as of 2026-05-31, except where expressly marked planned. This page describes our current architecture and operational commitments for transparency; the binding terms governing the Service are the Terms of Service and the Data Processing Addendum. An internal security evidence pack is available under NDA.
Transport encryption
HTTPS / TLS 1.2+ for every request. HSTS (Strict-Transport-Security) on the production domain with a two-year max-age and includeSubDomains. No mixed-content or HTTP fallbacks.
At-rest encryption
Database encryption at rest (Neon-managed AES-256). OAuth tokens encrypted with rotation. Audit PDFs are generated on demand from the canonical event record and streamed to the authenticated customer over TLS; they are not stored as static files.
Webhook signature verification
Incoming billing webhooks from Polar (our Merchant of Record) are verified against the signing secret before processing; the handler is idempotent on the subscription state, so retries are safe.
Rate limiting
Per-IP rate limits on public endpoints (waitlist and vendor verification responses), surfacing 429 with a Retry-After header when triggered. Cron endpoints are protected by a constant-time-verified bearer secret rather than IP rate limits.
Access controls
Production access is restricted to authorized personnel under least-privilege, with audit logging on every administrative action. No standing access to customer audit records.
Incident response
Report to security@bankchangeguard.com; we aim to acknowledge within one business day. We notify affected customers of a personal-data breach without undue delay after becoming aware.
Sub-processors
Every system that touches your data.
Mirrored here for vendor due diligence. The canonical, authoritative list lives at /subprocessors, which the Terms, Privacy Policy, and Data Processing Addendum all reference so the list cannot drift between pages. We give at least 30 days' notice before adding or replacing a subprocessor that processes Customer Personal Data (shorter where urgent security, availability, or legal reasons require), and customers may object on reasonable data-protection grounds.
| Sub-processor | Purpose | Region | Data |
|---|---|---|---|
| Vercel | Application hosting, edge functions, static asset delivery | United States (iad1) | Application traffic + service logs |
| Neon | Primary Postgres database — waitlist signups and application data | United States (US East) | Vendor metadata, audit-trail events, account data, waitlist emails |
| Polar | Merchant of Record for subscription billing and payment processing | United States | Billing contact email, Polar customer ID, card last-4 |
| Resend | Transactional email for vendor verification codes | United States | Recipient email, message content, delivery status |
| Intuit | QuickBooks Online OAuth, vendor list, and verified contact sync (read-only) | United States | OAuth tokens (encrypted at rest) |
Incident disclosure
If something goes wrong, here is how to tell us.
Report a suspected security incident, vulnerability, or data exposure to security@bankchangeguard.com. We aim to acknowledge within one business day and triage promptly. We notify affected customers of a personal-data breach affecting their Customer Data without undue delay after becoming aware, and provide the information reasonably available to help them meet their own obligations.
SOC 2 status
We have not completed a SOC 2 examination and do not hold a SOC 2 report. SOC 2 Type I is planned. An internal security evidence pack (access logs, change management, vendor management, incident response) is available under NDA to enterprise prospects.
FAQ
Questions CPA partners and insurance brokers ask.
- Will my CPA accept the audit PDF as Nacha Phase 2 evidence?
- What happens if a vendor does not respond to the verification callback?
- What about Nacha Phase 1 originators above the volume threshold?
- Will this work for our cyber-insurance application?
- What is your SOC 2 status?
- Are you a financial institution, and what about GLBA?
Ready to put the records in your CPA's hands?
See exactly what the audit document looks like, then decide whether the workflow is worth $99/month for your firm, subject to your own bank, auditor, and compliance review.