Built for sensitive financial workflows.
Listra processes invoices, payment data, vendor information, and contract terms. We built the platform with encryption, access controls, audit trails, and tenant isolation at the core. Below is exactly how each works.
Compliance, infrastructure, and access in one view.
The controls that finance and IT leaders want to verify before signing a security questionnaire.
Compliance
- SOC 2 Type II: In progress
- SOX-ready audit trail: Live
- DPA and GDPR: Available
- EU data residency: Roadmap
Infrastructure
- AES-256 at rest: Live
- TLS 1.2+ in transit: Live
- AWS KMS rotation: Live
- Point-in-time backup: Live
Identity and access
- SAML 2.0 SSO: Live
- SCIM provisioning: Live
- MFA on high-value: Required
- Thirty RBAC categories: Live
Your data does not touch any other customer's.
Isolation is enforced at every layer, not bolted on at the application level. Listra's reasoning on a given invoice draws only on that customer's data, integrations, and policies.
Clear boundaries on what we do with your data.
Finance and IT leaders are right to ask what a vendor will not do with their data. The boundaries below are not optional. They are how the platform was built.
No training on your data
Customer data is not used to train models that serve other customers.
No cross-customer reasoning
Listra's reasoning on your invoice draws only on your data and policy.
No data sale or sharing
Your data is never sold or shared with third parties for any commercial purpose.
No unbounded posting
No autonomous GL posting outside the policy and thresholds you configure.
How each control works.
Full detail is available in our security questionnaire and DPA. The summaries below cover what most finance and IT teams ask first.
Encryption
AES-256 at rest. TLS 1.2 or higher in transit. Keys managed via AWS KMS with documented rotation policies.
Cloud architecture
AWS infrastructure with network segmentation, hardened images, and continuous monitoring. Multi-tenant with company-level isolation at the API, database, and query layers.
Backup and recovery
Continuous backups with point-in-time recovery. RPO and RTO targets defined per tier. Detail in the security questionnaire.
Identity provisioning
SAML 2.0 SSO via your identity provider. SCIM automates provisioning and de-provisioning where supported.
Role-based access
Thirty permission categories with action-level granularity. Pre-built roles for AP Specialist, AP Manager, Controller, CFO, and Admin. Full customization available.
Human-in-the-loop default
Listra ships in Copilot mode for every exception type. Autopilot is enabled per exception type only after you review accuracy data and authorize the change.
Questions about how we handle your data?
For security questionnaires, the latest SOC 2 status, sub-processor list, and incident reporting policy, contact security@listra.ai.