Built for sensitive financial workflows.
Listra processes invoices, payment data, vendor information, and contract terms. We built the platform with encryption, access controls, audit trails, and tenant isolation at the core. Below is exactly how each works.
Compliance and certifications
SOC 2 readiness underway
We are preparing for a formal audit. Security questionnaire and DPA available on request to qualified prospects.
SOX-ready audit trail
Every action Listra takes is logged with the evidence consulted, the policy applied, the user (or system) who authorized it, and the timestamp. The trail is queryable, exportable, and tamper-evident.
GDPR and privacy
DPA available on request. GDPR support available for applicable customers. EU data residency on the roadmap.
Infrastructure
Encryption
AES-256 at rest. TLS 1.2 or higher in transit. Keys managed via AWS KMS with rotation policies in place.
Cloud architecture
AWS infrastructure with network segmentation, hardened images, and continuous monitoring. Multi-tenant architecture with company-level data isolation enforced at the API, database, and query layers.
Backup and recovery
Continuous backups with point-in-time recovery. RPO and RTO targets defined per tier; details in the security questionnaire.
Identity and access
Single sign-on
SAML 2.0 SSO via your identity provider. Provisioning and de-provisioning automated where SCIM is supported.
Multi-factor authentication
MFA enforced for high-value approvals and administrative actions. Configurable per role.
Role-based access control
Thirty permission categories with action-level granularity. Pre-built role templates for AP Specialist, AP Manager, Controller, CFO, and Admin. Full customization available.
Data handling
Tenant isolation
Every customer's data is logically isolated. Listra's reasoning on a given invoice draws only on that customer's data, integrations, and policies.
Human-in-the-loop by default
Listra ships configured to operate in Copilot mode for every exception type. Autopilot is enabled per exception type only after the customer reviews accuracy data and authorizes the change.
Questions about how we handle your data?
For security questionnaires, the latest SOC 2 status, sub-processor list, and incident reporting policy, contact security@listra.ai.