Standards & security
Institutional. Isolated. Documented.
Treasury infrastructure should be held to the same standard as the decisions it supports. This page documents how Treasurii is built — the data isolation model, the audit architecture, the security controls, and the regulated partners that sit beneath the execution layer.
For detailed controls documentation, contact compliance@treasurii.co.uk.
Common questions
Is Treasurii FCA-regulated?
No. Treasurii is a treasury-management technology platform and is not itself authorised or regulated by the Financial Conduct Authority (FCA). Treasurii does not execute FX trades, hold or control client money, or provide regulated investment advice. FX execution, custody of client funds, and KYC/AML are carried out by FCA-authorised execution partners under their own permissions. Treasurii provides the software layer that sits above that regulated execution — exposure capture, hedge designation, policy monitoring, valuation, and reporting.
Does Treasurii hold client money?
No. Treasurii never holds or controls client funds. Client money is held by FCA-authorised execution and payment partners under their own regulatory permissions; Treasurii instructs and records activity but does not move or custody funds itself.
Who is authorised to execute FX trades placed through Treasurii?
FX execution is performed by FCA-authorised execution partners under their own permissions. Treasurii is the technology layer that captures exposures, designates hedges, monitors policy, values positions, and produces the audit and reporting record.
Does Treasurii hold a SOC 2 attestation?
No. Treasurii does not currently hold a SOC 2 attestation. Customer data is stored in the EU (Supabase, Ireland region; AWS eu-west-1), audit records are immutable, and our security controls are available for review under NDA. We will update this when an independent attestation is in place.
1. Institutional standards
Treasurii is built to the standard institutional treasury teams expect from their core infrastructure — not the standard of a SaaS dashboard bolted onto a spreadsheet workflow.
What that means in practice:
- Every trade generates an immutable audit trail from execution to settlement
- Every data access is isolated at the database layer — not the application layer
- Every rate used for MTM and settlement is sourced from a referenced market data provider
- Every policy decision is documented, timestamped, and linked to the user who made it
- Every export is reproducible — the same query run today or in seven years produces the same result
These are not features. They are architectural requirements that we treat as non-negotiable.
2. Regulated execution partners
Treasurii is a technology platform. Treasurii is not authorised by the FCA. We do not hold client funds, do not act as a principal in FX transactions, and do not provide payment services in our own name. Any client that wishes to execute trades or move funds through the platform onboards directly with one of our FCA-authorised execution partners; the partner performs KYC, AML, suitability, client-money handling, and execution under their own regulatory permissions. Treasurii transmits instructions to the partner's API and surfaces the resulting confirmations and audit records back to the client.
This means:
- Client funds are held by FCA-authorised execution partners with their own safeguarding obligations
- Execution and settlement are carried out under the regulatory framework of the relevant execution partner
- Treasurii's role is to record the trade, log the evidence, and connect the execution to your exposure and reporting data — software, not regulated activity
We will publish details of our execution partners and their regulatory status as we onboard them. If you have specific due diligence requirements regarding our execution partners, contact compliance@treasurii.co.uk.
3. Execution evidence
Execution is performed by FCA-authorised partners (see section 2). Treasurii's role is the record: every trade is held as an immutable, tamper-evident entry, with the rate detail captured against it.
The trade record
Treasurii records against each immutable trade record:
- Client rate: the rate at which the trade is executed.
- Mid at booking: the interbank mid rate recorded when the trade is booked.
- Spread: the difference between the mid and client rate, in pips and base-currency value.
- Settlement rate: recorded against the trade once it settles.
Pre-trade checks
Before any trade is submitted, Treasurii automatically checks it against counterparty credit limits, concentration limits, and tenor limits, and runs policy compliance checks. Trades that would breach a hard limit are blocked at submission, not after execution.
Trade-record evidence
Every trade generates an immutable record that cannot be modified or deleted after creation — append-only, with deletion denied at the database layer and protected by an audit-log trigger. The Trade Confirmation Audit Trail report compiles the confirmation log. These records are available for export at any time. Trade records are retained for a minimum of seven years; records are immutable and not deleted.
4. Data isolation
Treasurii uses row-level security (RLS) enforced at the database layer — not the application layer. Every query against customer data is filtered by organisation at the database level. Even in the event of an application bug, one customer's data cannot be read by another customer's session.
Within each organisation, data is further isolated by legal entity. Users with access to one entity cannot access another entity's data unless explicitly granted permission. This isolation is structural, not policy-based.
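A sketch of the two-level isolation described above, written as PostgreSQL row-level security policies. This is an added example, not Treasurii's own schema: the table, role, and policy names and the `app.user_id` session setting are assumptions, and the application is assumed to set `app.user_id` from the authenticated session.

```sql
-- Added example: hypothetical schema and names, not Treasurii's own.
CREATE ROLE app_user NOLOGIN;
CREATE TABLE entity_access (            -- explicit per-entity grants
    user_id   uuid NOT NULL,
    org_id    uuid NOT NULL,
    entity_id uuid NOT NULL,
    PRIMARY KEY (user_id, entity_id)
);
CREATE TABLE trades (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    org_id      uuid NOT NULL,
    entity_id   uuid NOT NULL,
    pair        text NOT NULL,
    client_rate numeric(18,8) NOT NULL
);

-- Constructed sample data: user ...a1 is granted entity ...e1 of org ...01 only.
INSERT INTO entity_access VALUES
  ('00000000-0000-0000-0000-0000000000a1', '00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-0000000000e1');
INSERT INTO trades (org_id, entity_id, pair, client_rate) VALUES
  ('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-0000000000e1', 'GBPUSD', 1.27010000),
  ('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-0000000000e2', 'EURGBP', 0.85520000),
  ('00000000-0000-0000-0000-000000000002', '00000000-0000-0000-0000-0000000000e3', 'GBPUSD', 1.26980000);

GRANT SELECT ON trades, entity_access TO app_user;
ALTER TABLE entity_access ENABLE ROW LEVEL SECURITY;
ALTER TABLE trades        ENABLE ROW LEVEL SECURITY;
ALTER TABLE trades        FORCE  ROW LEVEL SECURITY;  -- table owner is filtered too

-- A session sees only its own grants; an unset or empty app.user_id becomes NULL.
CREATE POLICY own_grants ON entity_access FOR SELECT
    USING (user_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- A trade is visible only where an explicit grant matches user, org and entity.
-- No INSERT/UPDATE/DELETE policy exists, so those commands are denied by default.
CREATE POLICY trades_by_grant ON trades FOR SELECT
    USING (EXISTS (
        SELECT 1 FROM entity_access a
        WHERE a.user_id   = NULLIF(current_setting('app.user_id', true), '')::uuid
          AND a.org_id    = trades.org_id
          AND a.entity_id = trades.entity_id));

-- Query as the application role; superusers bypass RLS, so switch role first.
SET ROLE app_user;
SELECT set_config('app.user_id', '00000000-0000-0000-0000-0000000000a1', false);
SELECT id, entity_id, pair FROM trades;
RESET ROLE;
```

Superusers and roles with `BYPASSRLS` are never filtered by these policies, and a session that can run arbitrary SQL can change `app.user_id` itself, so both the role assignments and the code that sets the identity are part of the isolation boundary to review.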
5. Audit trail
Every action taken on the Treasurii platform generates an immutable audit log entry recording what happened, who did it, and when. The log is append-only — entries cannot be modified or deleted after creation by any user, including Treasurii staff.
This means that when an auditor, a board member, or a regulator asks to see the decision trail for any trade, the answer is a single export that traces from the original exposure through the hedge decision, execution, confirmation, and settlement — with timestamps, user names, and rate references at every step.
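One way to enforce the append-only behaviour described here and under "Trade-record evidence" in section 3, using PostgreSQL privileges plus triggers. This is an added example, not Treasurii's own code: the `audit_log` table, the `audit_writer` role, the function name, and the sample rows are assumptions.

```sql
-- Added example: hypothetical names, not Treasurii's own schema.
CREATE ROLE audit_writer NOLOGIN;
CREATE TABLE audit_log (
    id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    at       timestamptz NOT NULL DEFAULT now(),
    actor    text  NOT NULL,                 -- who did it
    action   text  NOT NULL,                 -- what happened
    trade_id bigint,
    detail   jsonb NOT NULL DEFAULT '{}'
);

-- Privileges: the application role may add and read entries, nothing else.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT INSERT, SELECT ON audit_log TO audit_writer;

-- Triggers: reject changes even for roles that do hold UPDATE/DELETE/TRUNCATE.
CREATE FUNCTION audit_log_reject_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % denied', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;
CREATE TRIGGER audit_log_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_reject_change();
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_reject_change();

-- Constructed sample entries following one trade through its decision trail.
INSERT INTO audit_log (actor, action, trade_id, detail) VALUES
  ('j.smith', 'exposure_captured', NULL, '{"pair": "GBPUSD"}'),
  ('j.smith', 'hedge_designated',  1,    '{"pair": "GBPUSD"}'),
  ('j.smith', 'trade_booked',      1,    '{"client_rate": "1.27010000"}');

-- Attempt to rewrite history; the block fails loudly if the UPDATE gets through.
DO $$
BEGIN
    UPDATE audit_log SET actor = 'someone.else' WHERE actor = 'j.smith';
    RAISE EXCEPTION 'update unexpectedly succeeded';
EXCEPTION WHEN insufficient_privilege THEN
    RAISE NOTICE 'update rejected by trigger';
END $$;
```

The triggers stop changes made through ordinary SQL, but the table owner or a superuser can still disable or drop them, so a review of an append-only claim should also cover who holds those roles and whether trigger changes are themselves logged.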
6. Security controls
Key security controls include:
- Encryption in transit: TLS 1.2 or higher on all connections. HSTS enforced.
- Encryption at rest: AES-256, managed by Supabase with HSM key management.
- Authentication: Multi-factor authentication required for all platform accounts.
- Data residency: All customer data stored in the EU (Ireland region). No data stored outside the UK/EEA.
For the full security controls documentation, see our security page.
7. Complaints
If you have a complaint about our services, contact us in the first instance:
- Email: complaints@treasurii.co.uk
- We aim to acknowledge all complaints within 3 business days and resolve them within 15 business days.
8. Contact
For standards and security enquiries, due diligence requests, or controls documentation:
- Email: compliance@treasurii.co.uk