Stripe-Delegated Sanctions Compliance with supplementary platform controls, immutable audit logging, and GDPR/CCPA-compliant data handling.
exact.works delegates primary sanctions screening to Stripe, our payment processor. Stripe maintains comprehensive OFAC compliance programs and performs identity verification on all connected accounts. exact.works supplements this with additional platform-level controls to catch obvious bad actors before they reach Stripe onboarding.
Full compliance details are documented in our Platform Terms of Service, Section 1.8:
Defense-in-depth compliance controls
exact.works implements a multi-layered compliance architecture where Stripe serves as the primary screening authority, supplemented by platform-level controls at each stage of the seller onboarding and transaction lifecycle.
- Stripe is documented as the primary sanctions screening provider in our Terms of Service.
- Lightweight OFAC SDN check at account creation to catch obvious bad actors before Stripe onboarding.
- Stripe account status verified at execution time for every transaction.
- Every screening event logged permanently in the SanctionsScreening table.
Specially Designated Nationals List
Our Tier 2 screening checks names against the U.S. Treasury's OFAC Specially Designated Nationals (SDN) list. This is a supplementary check designed to catch obvious matches before they reach Stripe's more comprehensive screening.
- Official OFAC SDN list downloaded directly from the U.S. Department of the Treasury website.
- Automated cron job refreshes the SDN data daily, using an atomic pointer swap so updates cause no downtime.
- SDN data stored in Vercel KV for low-latency serverless access, with version control.
GDPR/CCPA Compliance
exact.works balances regulatory evidence requirements with data minimization principles. SanctionsScreening records are retained permanently for compliance, but personally identifiable information is minimized according to GDPR/CCPA.
IP addresses in SanctionsScreening records are automatically nullified after 90 days. A daily cron job at 3:00 AM UTC handles this cleanup.
Screening records themselves are NEVER deleted. They serve as regulatory evidence that compliance checks were performed.
While screening records cannot be deleted due to regulatory requirements, users may request access to their screening history and the personal data we hold. Contact [email protected] for data access requests.
SanctionsScreening Record Fields
Every screening event creates an immutable record in the SanctionsScreening table. These records support regulatory audits and demonstrate due diligence.
| Field | Type | Description |
|---|---|---|
| id | String | Unique screening event ID |
| userId | String | User being screened |
| screenedName | String | Name that was screened |
| screenedEntity | String? | Entity name (if applicable) |
| screenType | Enum | ACCOUNT_CREATION, TRANSACTION, MANUAL |
| screenMethod | String | OFAC_KV_CHECK, STRIPE_STATUS, etc. |
| result | Enum | CLEAR, POTENTIAL_MATCH, ERROR |
| matchDetails | JSON? | Match information if flagged |
| ipAddress | String? | IP address (nullified after 90 days) |
| screenedAt | DateTime | Timestamp of screening |
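The following is an added example, not exact.works' own code, modelling the Tier 2 SDN check, the versioned-pointer refresh, the SanctionsScreening record shape above, and the 90-day IP nullification job. The in-memory dict standing in for Vercel KV, the key names (`sdn:current`, `sdn:<version>`) and the name-normalisation rule are assumptions.

```python
# Added illustration of the screening and retention flow; not the platform's code.
from datetime import datetime, timedelta, timezone
import re
import uuid

IP_RETENTION = timedelta(days=90)   # IPs are nullified after this; records are never deleted
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time for the example

def normalize(name: str) -> str:
    # Collapse case, punctuation and whitespace so trivial variants still match (assumed rule).
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())

def refresh_sdn(kv: dict, names: list, version: str) -> str:
    # Write the complete new list under a versioned key, then swap the pointer last.
    # A reader sees either the old set or the new set, never a half-written one.
    key = f"sdn:{version}"
    kv[key] = frozenset(normalize(n) for n in names)
    kv["sdn:current"] = key
    return key

def screen_name(kv: dict, user_id: str, name: str, ip, now: datetime) -> dict:
    # Tier 2 check: exact match against the current SDN set, recorded as a screening event.
    current = kv.get("sdn:current")
    if current is None:
        result, details = "ERROR", {"reason": "SDN data not loaded"}
    elif normalize(name) in kv[current]:
        result, details = "POTENTIAL_MATCH", {"list": current, "matchedName": normalize(name)}
    else:
        result, details = "CLEAR", None
    return {
        "id": str(uuid.uuid4()), "userId": user_id, "screenedName": name,
        "screenedEntity": None, "screenType": "ACCOUNT_CREATION",
        "screenMethod": "OFAC_KV_CHECK", "result": result,
        "matchDetails": details, "ipAddress": ip, "screenedAt": now,
    }

def nullify_old_ips(records: list, now: datetime) -> int:
    # Daily retention job: clear only the IP field on records older than 90 days.
    cleared = 0
    for r in records:
        if r["ipAddress"] is not None and now - r["screenedAt"] >= IP_RETENTION:
            r["ipAddress"] = None
            cleared += 1
    return cleared
```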
F500-grade security infrastructure
exact.works implements defense-in-depth security controls designed to meet the requirements of Fortune 500 procurement teams and enterprise security reviews.
All data stored in exact.works is encrypted at rest using AES-256. Database encryption is provided by Supabase infrastructure with customer-managed encryption keys available for enterprise plans.
All responses include security headers protecting against common web vulnerabilities.
All state-mutating operations are logged to an immutable audit trail with user context, timestamps, and action details.
HIPAA-pattern access logging tracks all data access during agent execution. Buyers can review exactly what data was accessed.
SAML 2.0 and OIDC single sign-on integration is available for enterprise customers. Contact our sales team to configure SSO with your identity provider (Okta, Azure AD, Google Workspace, etc.).
Contact [email protected] to discuss enterprise SSO requirements.
For questions about our compliance framework or to report a concern: