Executive Summary
AI-generated analysis for SoFi
SoFi (sofi.com) is a publicly traded financial technology company operating across lending, banking, investing, and insurance verticals. This investigation assigns a Tier 3 (Moderate Risk) rating with 94% confidence, reflecting a vendor with strong institutional foundations and notable security signals, alongside several transparency gaps that warrant attention before onboarding at a high data access level.
Key Findings
SoFi presents several meaningful positive signals:
- The domain sofi.com has been registered since 1997 and archived since 1998, confirming an exceptionally well-established online presence spanning nearly three decades.
- The domain resolves behind Cloudflare's CDN with a clean IP abuse score (0%), a clean Malware detection service result, and a threat score of 0 on independent website scanning.
- Infrastructure scanning detected no known CVEs against SoFi's externally visible IP addresses.
- SoFi's HTTP security implementation received a B grade (75/100) from independent header analysis, with HSTS enforced.
- SoFi claims SOC 2 compliance on a dedicated security page (https://security-info.sofi.com/), which represents a vendor-attested signal. A possible HITRUST directory match was also found, though manual verification is required.
- Sanctions and watchlist screening returned no confirmed matches — all three results were below confidence threshold and flagged as likely false positives.
- Recent adverse media scanning returned zero risk signals across all articles reviewed.
- SoFi discloses the use of Anthropic as a third-party AI provider and states that customer data is not retained after AI processing, which is a constructive transparency signal.
Several areas require attention prior to or shortly after onboarding:
- SoFi's infrastructure exposes 13 open ports externally, above the typical SaaS baseline. While all ports appear to be standard Cloudflare-proxied web services with no detected CVEs, the footprint should be reviewed and justified.
- Certificate Transparency logs reveal 46 distinct certificate issuers across 136 subdomains, which may indicate inconsistent certificate lifecycle management across product lines.
- Two HTTP security headers — Content-Security-Policy and X-Frame-Options — are absent from the primary domain, creating a gap in browser-side client protection.
- No public subprocessor list was found at any standard path, limiting supply chain visibility and creating a gap under GDPR Article 28 assessment frameworks.
- No public trust center or security page was found at standard paths (e.g., trust.sofi.com, security.sofi.com) — the security page discovered at https://security-info.sofi.com/ was identified via certification registry lookup rather than standard discovery.
- SoFi's AI data usage policy does not clearly state whether customer data is used for AI model training, which is a material gap for organizations with sensitive data in scope.
- The AI policy discovery source appears to be an editorial/educational article rather than a formal enterprise AI data policy, which reduces confidence in the zero-retention claim.
Overall, SoFi is a well-established, publicly traded financial institution with a credible security posture and no active threat indicators. The Tier 3 rating reflects documentation and transparency gaps (particularly the absence of a verified SOC 2 Type II report, no published subprocessor list, and an ambiguous AI training commitment) that are addressable through direct vendor engagement.
Independence Statement
All evidence in this report was independently sourced from external data providers, public registries, and open-source intelligence without vendor participation or prior notification.