Escrow Status Verification API • Security-first by design

Know if a consumer is already in escrow — fast. Securely.

TrustFi is the go-to verification layer for debt settlement providers (DSPs) and partners who need to determine whether a prospective customer is already enrolled in escrow — without leaking PII or expanding your risk surface.

Request a Demo Read the API Docs See Security Model

Built for SOC 2 alignment. Designed around least privilege, auditability, and “assume breach” architecture.

Example — escrow status lookup

TLS HMAC KMS

POST /v1/escrow/status
Authorization: Bearer <token>
Content-Type: application/json

{
  "lookup": {
    "hmac_sha256": "b64:QH4...==",
    "salt_id": "rot-2025-12"
  },
  "consent": {
    "method": "e-signed",
    "timestamp": "2025-12-22T17:46:00Z"
  }
}

Response — minimal, auditable, safe

no raw PII trace_id

{
  "status": "enrolled",
  "escrow": {
    "provider": "trusted_partner",
    "state": "active"
  },
  "decision": {
    "recommended_action": "route_to_retention",
    "confidence": "high"
  },
  "trace_id": "tf_6b1f4d..."
}

Designed to be boring for attackers Minimal data exposure + strict controls.

Fast for operators Low-latency API + clear decisions.

Security is the product.

TrustFi is built like a vault: encryption everywhere, keys that rotate, strict access boundaries, and an audit trail you can stand behind. If it can’t be measured, monitored, and proven — it doesn’t ship.

Encryption Everywhere

TLS in transit • Encryption at rest

We treat plaintext as an incident. Data is encrypted at rest and protected in transit.

TLS enforced end-to-end
Encrypted storage + backups
Secrets never committed to code

Key Management

KMS envelope encryption + rotation

Keys rotate. Access is scoped. Crypto is handled by hardened primitives and audited controls.

Envelope encryption using KMS
Rotating key / salt identifiers
Granular IAM policies

PII-Minimizing Lookups

HMAC-based matching

Don’t send raw identifiers. Match with HMAC fingerprints so sensitive fields are never exposed in logs or payloads.

HMAC SHA-256 lookup tokens
No raw PII required for status
Structured, privacy-safe responses

Defense-in-Depth

Least privilege by default

Every permission is intentional. Every system boundary is enforced.

Role-based access controls
Service-to-service auth
Scoped tokens + short TTLs

Auditability

Immutable logs + traceability

Every request can be tied back to a trace ID for forensic clarity and operational confidence.

Request/decision audit trail
Trace IDs in every response
Anomaly monitoring hooks

Abuse Resistance

Rate limiting + throttles

We assume bots will try. We design to stop them before they learn anything.

Per-client rate limits
IP/device heuristics (optional)
Replay & abuse detection patterns

Built for DSP operators who move fast — without breaking trust.

When a lead hits your funnel, you need to know the truth quickly: are they already enrolled? should they be routed? should they be suppressed? TrustFi gives you an answer you can use — with a security posture you can defend.

Reduce duplicate enrollments

conversion

Stop wasting calls and compliance exposure by verifying escrow status before you push a full pitch.

Improve routing decisions

ops

Route “already enrolled” leads to retention/review flows — and keep your pipeline clean.

Minimize PII spread

privacy

Use HMAC fingerprints instead of shipping raw identifiers across vendors and systems.

Be audit-ready by default

risk

Trace IDs, logging discipline, and least-privileged access patterns support SOC 2-aligned operations.

How it works

The goal is simple: produce an escrow enrollment status signal while keeping sensitive data exposure as close to zero as possible.

Client-side hashing

Generate an HMAC fingerprint

DSP systems compute an HMAC of stable identifiers using a rotating secret/salt id — no raw PII required in the lookup.

Secure lookup

Query the status endpoint

Requests are authenticated, rate-limited, logged, and verified. Responses return only what you need to route.

Decision-ready

Act immediately

Use the result to suppress duplicates, route to retention, or continue the standard enrollment journey.

Want the “bad to the bone” security walkthrough?

We’ll show the architecture, key rotation approach, audit trail, and operational controls — and how to deploy TrustFi into a DSP funnel without slowing sales.

API Docs Request a Demo

API & integration

Keep it simple: one integration, clear status signals, and guardrails baked in.

Docs

Readable docs, predictable endpoints

Clean request/response contracts with trace IDs for debugging and audits.

Open API Docs

Auth

Scoped tokens + tight permissions

Only what you need. Nothing you don’t. Least-privilege is the default posture.

Enterprise

Controls for real operators

Rate limits, monitoring hooks, audit trails, and deployment playbooks for DSP workflows.

Request a Demo