Security

Treasury-grade data handling.

BackChannel handles payroll data, US bank routing numbers, CNPJ records, and financial transaction logs. We apply data handling controls appropriate for a company operating financial infrastructure in the BRL-USD corridor — not startup-casual, and without the opaque bureaucracy of a legacy bank. What we do and don't claim is stated precisely below.

TLS 1.3: data in transit
AES-256: data at rest

Encryption

Encryption at rest and in transit

TLS 1.3 in transit
All data in transit is encrypted using TLS 1.3. Connections to the BackChannel API and dashboard use HSTS-enforced HTTPS. Older TLS versions are disabled.
AES-256 at rest
Sensitive data fields (bank routing numbers, contractor personal data) are stored encrypted using AES-256. Encryption keys are managed separately from data stores.
Key management
Encryption keys are rotated on a regular schedule. Application credentials are stored in a secrets management system, not in source code or configuration files.
API security
API endpoints use HMAC-signed request authentication. Webhook payloads include a signature for payload verification. Rate limiting is applied on all endpoints.

Access Controls

Principle of least privilege

MFA required
Multi-factor authentication is required for all company user accounts. TOTP authenticator apps are supported. Email-only authentication is disabled after onboarding.
Role-based access
Company accounts support multiple user roles: Admin (full payroll access), Treasury Operator (run payroll, view reports), Read Only (view only). Contractor data is only accessible to authorized roles.
Audit logging
All actions on payroll data — uploads, FX conversions, approvals, user logins — are logged with timestamp, user identity, and IP address. Logs are retained for compliance purposes.
Session management
Sessions expire after 4 hours of inactivity. JWTs are short-lived. Concurrent session detection is in place for high-risk actions (payroll execution, user management).

Regulatory Posture

Banco Central do Brasil reporting alignment

BackChannel's operational workflow is designed to align with Banco Central do Brasil reporting obligations under Resolution 3.568. Each FX transaction generates a structured record suitable for BCB reporting purposes.

Every payroll run produces a transaction record including: CNPJ of the paying entity, contractor identifier, BRL amount, USD amount, exchange rate applied, IOF amount, and timestamp. These records are retained in compliance with BCB data retention requirements.

Accurate framing: BackChannel is designed to align with BCB reporting obligations — we are not claiming specific BCB authorization, registration, or certification as a financial institution. Your entity remains responsible for its own BCB filings. BackChannel supports that workflow with structured data output.

Security questions before onboarding? Send them to [email protected] — a real person reads that inbox.
