Pre-qualification posture
Security and compliance approach
Last updated: 12 May 2026
NewBridge Pathway is a research-led advisory firm in the pre-commercial-engagement stage. This page documents our current security and compliance posture plainly: what exists today, what is not yet in place, and what triggers the next maturity step. We do not maintain a third-party trust portal at this time.
Current posture
NewBridge Pathway is building toward an assurance posture suitable for SOC 2, ISO 27001, or Cyber Essentials Plus when commercial triggers justify it. We do not currently present third-party assurance badges. Our current posture is based on documented operating controls, restricted access, protected source control, controlled evidence handling, incident-response discipline, and engagement-specific data handling. Formal assurance, insurance certificates, and buyer questionnaire responses are handled as part of regulated commercial engagement readiness.
What is in place today
The controls below are documented and operated as standard practice. Detailed control descriptions and the specific tooling that supports each control are made available to buyer procurement teams under non-disclosure at commercial engagement.
- Operating controls are documented and reviewed; the documentation is maintained internally rather than published.
- Access is restricted to named individuals; shared credentials are not used; operational secrets are held in a password manager with named-user access only.
- Source control is protected through protected branches, merge approval controls, named-reviewer requirements, and separate billing and administrative boundaries between operating-entity namespaces.
- Evidence received from research correspondents or engagement counterparts is handled under selective-sharing discipline. See the risk management approach for the engagement-specific posture.
- Incident response follows a written internal protocol covering detection, containment, evidence preservation, notification, and post-incident review.
- Engagement-specific data handling: each commercial engagement carries a defined scope of access, retention, and end-of-engagement deletion or transfer.
What is not in place yet
We name the gaps directly. These gaps are typical of a pre-commercial-engagement advisory firm; they are closed in the sequence described under Triggers and roadmap below.
- Independent third-party assurance such as a SOC 2 Type I or Type II report, ISO 27001 certification, or Cyber Essentials Plus certification.
- An annual policy review cycle that is formally documented and externally observable.
- A separately constituted information security function with a named Chief Information Security Officer.
- A board of directors providing independent oversight of operational risk.
- Insurance certificates of currency available for inspection – see the insurance section below.
- Registration in financial-services supplier pre-qualification registries used by buyer procurement teams.
Insurance
Professional Indemnity / Errors & Omissions and Cyber Liability coverage will be arranged as part of regulated financial-services engagement readiness. Certificates of currency will be made available to clients where required by contract or onboarding.
Engagement-specific controls
Each commercial engagement carries:
- A signed non-disclosure agreement before exchange of client materials.
- A defined scope of access – typically materials provided by the engagement counterpart, not direct access to live production systems unless explicitly required by scope.
- Documented communication channels for engagement-related materials.
- A defined retention and deletion posture at engagement close.
- A named NewBridge point of contact, with backup contact identified at engagement start.
Triggers and roadmap
Independent assurance milestones will be sequenced with regulated commercial engagement requirements and platform maturity. We do not commit publicly to specific calendar dates for independent assurance attestations; assurance investment is justified by the buyer profile and revenue line that requires it.
The general sequence:
- Pre-engagement (current). Documented controls, written policies, incident-response protocol, engagement template, monthly internal management information review.
- First regulated commercial engagement. Insurance coverage in place, controls documented in a form suitable for buyer questionnaire response, named individuals accountable for security, privacy, and operational continuity.
- At scale. Independent third-party assurance, with the report or certification type chosen by buyer profile and audit cost. Supplier pre-qualification registry registration where commercially justified.
How to request more detail
Buyer procurement teams: detailed control descriptions, insurance certificates of currency, sub-processor information, and buyer-questionnaire responses are provided under non-disclosure at commercial engagement. For press, partners, or general inquiries, the contact pathways on the contact page are the correct route.
Related
- Operational resilience – how NewBridge thinks about its own important services, dependencies, and continuity.
- Risk management approach – operational and engagement-specific risk discipline.