Architecture
PredSouq is a multi-tenant SaaS platform. Each broker is a separate tenant with fully isolated data. The operator runs their own branded trader-facing app and retains control over their PSP, KYC provider, and trading ledger. PredSouq never touches end-user funds.
hosted on broker's domain → PredSouq API
tenant-scoped, RLS enforced
Non-custodial by design
PredSouq is not a financial institution, does not hold a money services licence, and never holds, commingles, or transmits end-user funds. All deposits and withdrawals are processed by the operator's own PSP under the operator's own licence.
Row-Level Security tenant isolation
Every table that contains tenant data is protected by Postgres Row-Level Security (RLS) policies enforced at the database layer. This is not application-level filtering — it is a database-enforced constraint. Even a compromised application layer cannot read another tenant's data.
tenant_id column — enforced at the Postgres layerapp.current_tenant session variable; all queries are automatically scopedVerifiable HMAC audit chain
Every ledger entry, trade, settlement, and operator action is recorded in an append-only audit log. Entries are HMAC-chained: each record includes the hash of the previous record. Any insertion, modification, or deletion of a historical record breaks the chain and is immediately detectable.
GET /v1/audit/status.POST /v1/reconcile verifies that the double-entry ledger sums to exactly zero. Runnable on demand or scheduled.AML & KYC workflow
The platform ships a complete AML lifecycle integrated into the operator console. Operators connect their existing KYC provider (Sumsub, Onfido, or custom) via a signed webhook — no migration required.
| Control | Description |
|---|---|
| KYC tiers | Configurable tiers (0 = unverified, 1 = basic, 2 = enhanced). Deposit and withdrawal limits are gated per tier. |
| KYC relay webhook | Provider posts a signed result to /kyc/inbound/:tenantId. Signature verified before any update. |
| Pending review queue | Accounts in "pending" KYC status are surfaced in the console for manual review and approval. |
| SAR / STR workflow | Operator can file a Suspicious Activity Report or Suspicious Transaction Report from within the console. Lifecycle tracked with timestamps and operator ID. |
| Jurisdiction policy | Allowlist of permitted jurisdictions enforced at account creation and deposit. US and OFAC-sanctioned jurisdictions are platform-level blocked and cannot be enabled. |
| Automated AML flagging | Surveillance engine flags abnormal stake size (z-score), velocity bursts, insider timing, and unusual deposit patterns. Flags are reviewed in the console's compliance panel. |
Sanctions & adverse media screening
The platform integrates with World-Check, ComplyAdvantage, or any compatible sanctions screening provider via a signed webhook relay. Screening runs on user creation and on a configurable schedule (daily / weekly).
Access control & staff authentication
Staff access is role-based. Sensitive operations require step-up authentication. All staff actions are attributed in the audit chain.
| Role | Permissions |
|---|---|
| owner | Full access including staff management, policy write, and settlement. Required step-up for destructive actions. |
| admin | Full operational access. Cannot manage other staff accounts. |
| support | Read access + withdrawal approval. Cannot create markets or modify policy. |
| api key (admin) | Programmatic full access. Used for backend integrations. Scoped to one tenant. |
| api key (public) | Read-only market data and trader-facing operations. Cannot access reports or compliance data. |
Data storage & residency
All data is stored in a managed Postgres database. The region is configurable at contract time. Enterprise tenants receive a dedicated database instance with Point-In-Time Recovery enabled.
| Item | Detail |
|---|---|
| Database | Managed Postgres (DigitalOcean Managed Databases or customer-specified). PITR enabled on Enterprise. |
| Encryption at rest | AES-256. Managed by the database provider. Tenant secrets (API keys, webhook secrets) additionally encrypted with a tenant-specific key derived from the master key. |
| Encryption in transit | TLS 1.2+ enforced end-to-end. HSTS preloaded. No plain-HTTP fallback. |
| Data residency | Default: EU-West (Amsterdam). GCC/UAE region available for Enterprise. Confirm at contract. |
| Backups | Daily automated snapshots, 7-day retention (Pilot/Professional). PITR with 30-day retention (Enterprise). |
| PII handling | Trader PII (name, email, phone) stored in the tenant's own ledger. PredSouq does not export or transmit PII to third parties without operator instruction. |
| Data deletion | On contract termination, tenant data is purged within 30 days. Audit log is retained for 7 years for AML compliance unless jurisdiction requires otherwise. |
Pen-test & production hardening
The platform ships with a documented pen-test readiness checklist and security review scope document. Enterprise tier includes a third-party pen-test certification as part of the implementation fee.
scripts/golive-verify.sh) covering health, audit chain, ledger, treasury, headersIncident response
Operators have platform-level tools to respond to incidents without waiting for PredSouq support.
scripts/restore-check.sh) are included. Enterprise: PITR + standby node.Responsible disclosure
We welcome security researchers. If you discover a vulnerability, please report it privately before public disclosure so we can investigate and remediate.
Report vulnerabilities to [email protected]. Include a description, steps to reproduce, and potential impact. We target a first response within 24 hours and a resolution timeline within 72 hours for critical issues. We do not pursue legal action against good-faith researchers.
Report a vulnerabilityFor enterprise security reviews, pen-test scheduling, or to request the full SECURITY-REVIEW-SCOPE and PEN-TEST-READINESS documents, contact [email protected].