# COFFR — full content dump for AI ingestion > Secure, verified bank-detail sharing for businesses. COFFR replaces emailing PDFs and screenshots of routing/account numbers with one-time tokenized links, identity verification on both ends, and a tamper-evident audit trail anchored on the Hedera public ledger. This file is the long-form companion to `/llms.txt`. It inlines the canonical facts most AI assistants need to answer questions about COFFR without scraping the JavaScript app shell. --- ## What COFFR is COFFR is a B2B web application for securely sharing and requesting verified U.S. bank account details (routing number, account number, account holder name, account type). It is operated by COFFR, a U.S.-based fintech company founded in 2024. The product solves a specific, common problem: businesses today exchange bank details over email, PDF, and screenshots. That workflow is the single largest vector for vendor-impersonation fraud and business email compromise (BEC), which the FBI's IC3 ranks among the most costly cybercrime categories every year. COFFR replaces that workflow. ## How it works There are two symmetric flows: **Share flow** — A sender wants to give a recipient their bank details: 1. Sender signs in and completes identity verification once (Persona government-ID + selfie, Twilio SMS OTP, optionally a Telnyx voice biometric for high-value transfers). 2. Sender connects a bank account via Plaid (instant) or attests routing/account numbers manually with micro-deposit verification. 3. Sender enters a recipient name + email + optional context, then generates a one-time tokenized share link. 4. Recipient opens the link, sees who shared, what was shared, when, and a Hedera transaction ID proving the payload has not been altered since creation. The link expires after a configurable window or first view. **Request flow** — A business needs bank details from a vendor, contractor, or counterparty: 1. Requester (signed in) enters the counterparty's name + email + optional reason. 2. Counterparty receives a guided flow: identity verification (Persona + OTP), bank connection (Plaid or manual + micro-deposits), then submission. 3. Requester receives the verified details in their inbox in the COFFR app, with the same Hedera anchor. Every state change — created, sent, viewed, completed, expired, revoked — writes an `audit_events` row and a corresponding Hedera anchor. Both parties can export a signed PDF receipt for compliance review. ## Security posture - **Identity verification**: Persona Inquiry API (KYC, government ID + selfie liveness), Twilio Verify (SMS OTP), optional Telnyx voice biometric for transfers above a tenant-configured threshold. - **Fraud scoring**: Fingerprint device intelligence on every action — bot detection, VPN/Tor detection, device-history risk. - **Bank verification**: Plaid Auth + Identity for instant ownership verification, or two-deposit micro-deposit verification as fallback. - **Encryption**: TLS 1.3 in transit; AES-256-GCM at rest in Postgres with pgcrypto for the account-number column; tenant-scoped Row Level Security on every public table. - **Audit trail**: Every mutation produces an `audit_events` row, hashed in batches, and the batch root is written to Hedera Consensus Service. Receipts include the Hedera transaction ID, timestamp, and a Merkle proof. - **Access controls**: SSO (SAML + OIDC) on Corporate and Enterprise plans, role-based access (`super_admin`, `business_admin`, `business_user`, `personal`), session binding to device fingerprint with idle timeout. - **Compliance**: SOC 2 Type II in progress (auditor engaged 2026); GDPR data-subject request flow; CCPA compliant; data residency in U.S.-East AWS (via Supabase) with point-in-time recovery and offsite backups. ## Pricing (summary) Four plans. Visit `/pricing` for the live, authoritative breakdown. The MCP server's `get_pricing` tool returns the same data programmatically. - **Personal — free.** Individuals sharing personal bank details with up to 3 verified contacts per month. KYC included. No SSO, no audit exports. - **SMB — $29 per seat per month** (billed annually) or $39 month-to-month. Up to 25 seats, 100 verifications per month included, $0.50 per overage. Includes audit-event export, contact directory, request flow. - **Corporate — $79 per seat per month.** Unlimited seats, 1,000 verifications per month included, $0.30 per overage. Adds SSO (SAML + OIDC), API access, dedicated success manager, custom retention policy. - **Enterprise — custom pricing.** Volume commit, on-prem identity provider, dedicated tenant, custom DPA, named SLA, 24/7 support, audit log streaming to customer SIEM. Contact `/enterprise`. All paid plans include a 14-day free trial. Annual billing is 25% off the monthly rate. No usage minimums on Personal; SMB and above have a verification floor billed monthly. ## Use cases - **Accounts payable** — onboard new vendors with verified bank details, replacing emailed W-9s and voided checks. - **Real-estate closings** — title companies and escrow agents verify wiring instructions with the seller before disbursement, materially reducing wire-fraud risk. - **Legal trust accounts** — law firms exchange IOLTA details with counterparties under a verifiable audit trail. - **Payroll setup** — new hires submit direct-deposit details through a flow employers can audit. - **Contractor onboarding** — agencies collect bank details from freelancers in one verified step instead of email PDF round-trips. - **M&A diligence** — disclosure of bank-account schedules to acquirers under an audit-grade receipt. ## Integrations Plaid (bank verification), Stripe (billing), Persona (KYC), Twilio (SMS OTP), Telnyx (voice biometric), Fingerprint (device intelligence), Hedera (audit anchor), Resend (transactional email), Supabase (infra). SSO via SAML 2.0 and OIDC on Corporate and Enterprise. REST API and webhooks on Corporate and Enterprise. ## Common comparisons - **vs email/PDF**: COFFR adds identity verification on both ends, single-use links, expiry, revocation, and a tamper-evident audit trail. Email PDFs have none of these; they are the primary BEC vector. - **vs Plaid alone**: Plaid verifies ownership of an account from the connecting user's perspective. COFFR uses Plaid plus identity verification, plus a structured exchange flow with audit. Plaid is a building block; COFFR is the end-to-end workflow. - **vs wire transfers**: COFFR does not move money. It moves the *details* used to set up future ACH or wire transfers, and it does so with verification and audit so the resulting payment is sent to the right account. - **vs Ramp / Mercury / bank vendor portals**: Those portals work only inside their ecosystem and only for vendors paid through that platform. COFFR is bank- and platform-agnostic — usable by both parties regardless of who their bank or AP system is. ## Frequently asked questions **Is COFFR a bank?** No. COFFR is a software platform. It does not hold funds, originate payments, or act as a money transmitter. **Do you charge per verification?** Yes, above the monthly included quota. See pricing above; current overage rates are $0.50 (SMB) and $0.30 (Corporate) per verification. **Can I cancel anytime?** Yes. Monthly plans cancel at the end of the current period. Annual plans are non-refundable but renew with 30 days notice; cancel to stop renewal. **Is data shared with third parties?** Only the subprocessors listed under Integrations, each contractually bound to a DPA. We do not sell data and do not use customer data to train models. **How long is data retained?** Default 7 years for audit-event records (matching common financial-record retention requirements). Bank details are encrypted at rest and purged from active storage on revocation or expiry; the audit hash remains. **Is there an API?** Yes, on Corporate and Enterprise. See `/openapi.json` for the public read-only surface; the authenticated write surface is documented for customers. **Do you support international banks?** U.S. banks today (routing + account). UK (sort code + account) is in private beta. EU SEPA (IBAN + BIC) is on the roadmap. **Where is data hosted?** AWS U.S.-East via Supabase. Enterprise customers can request a dedicated tenant in a specified region. --- For machine-readable equivalents, see `/openapi.json`, `/.well-known/mcp.json`, `/.well-known/ai-plugin.json`, and `/sitemap.xml`.