A modern, edge-native, compliance-first platform for community-anchored interest-free lending. Built by Fotoh, Inc. Used in production by qardon.org.
Non-confidential summary of platform functions. Implementation details and IP remain proprietary.
Three-path application intake (auto, conversational, self-service), automated underwriting on behavior and capacity-to-repay, audit-logged human review for edge cases, FCRA-style adverse-action notices when applications are declined.
Each contribution is tracked as a perpetually-revolving entry. Donors see how many cycles their contribution has completed and how many beneficiaries it has served — never identifying details.
Stripe Connect for USD ACH/card. USDC smart contracts for crypto-native flows. Multi-currency routing. Idempotency keys. Webhook-driven state machines.
OFAC sanctions screening, BSA/AML transaction monitoring, KYC identity verification, ECOA non-discrimination audit trail, FCRA-compliant adverse-action workflow, GDPR + CCPA subject-rights tooling.
Treasury views, application queues, repayment forecasts, fraud-pattern alerts, Form 990 export, audit packs for regulators and external auditors.
Multi-tenant architecture lets a single deployment host multiple operating nonprofits with isolated data, branded surfaces, and per-tenant policy.
Sub-second response anywhere on Earth. No origin server. No scaling cliff. No idle capacity.
Cloudflare Workers — V8 isolates on 300+ edge locations. P50 latency under 50 ms. Zero cold-start tax above a baseline. Cost-aware by design.
D1 for SQL (members, contributions, applications, ledger). R2 for object storage (claim documents, audit packs). KV for low-latency reads. Vectorize for RAG retrieval.
Workers AI hosts the LLaMA model used for conversational application intake and RAG-grounded answers. Inference runs at the same edge that serves the request.
Stripe Connect for fiat (ACH, card, payouts, tax forms). USDC smart contracts for crypto-native flows. Per-tenant Stripe accounts; operator-controlled custody.
Workers Analytics Engine for application-level metrics. Logpush to operator-owned storage. D1 audit_log table for every state transition.
TLS 1.3 only. Strict CSP. Origin keys never exposed to the client. Mutual TLS available for B2B partner integrations. Webhook signature verification end-to-end.
The platform is built to pass audit. Critical signal for institutional partners, regulators, and acquirers.
Document + selfie liveness, address verification, government-ID validation. Vendor-pluggable per tenant.
Transaction monitoring rules, SAR-ready audit trail, currency transaction report (CTR) workflows.
SDN + non-SDN list checks at member onboarding and at every payment leg. Match-disposition workflow.
Application decisioning explicitly excludes protected-class signals. Audit-logged decision trees. Fair-lending review tooling.
Adverse-action notices generated automatically on decline. Consumer dispute workflow. Permissible-purpose enforcement on bureau queries.
Subject-access, deletion, portability, and consent workflows. Data residency controls per tenant. DPA-ready.
Pursuing SOC 2 Type 2 attestation. Controls inventory mapped to AICPA Trust Services Criteria.
For operator nonprofits with related-party transactions: export-ready Schedule R disclosures, board-meeting packs, and external-audit support.
Three doors: developer waitlist, partnership inquiry, or a direct conversation with the team.