Frequently Asked Questions

These are the questions we hear most often. If your concern isn't here, contact us.

Business & Positioning

"Why not blockchain?"

Blockchain adds latency, cost, and complexity without solving the core problem. Escrow disputes are about subjective human agreements, not cryptographic verification. A smart contract can't determine if a design mockup meets spec.

We provide deterministic, auditable decisions. That's what you need. Not proof-of-work.

"Are you a payment processor?"

No. We're a payment-informed orchestration engine. You hold funds in your payment provider (Stripe, Adyen, etc.). We track state and produce decisions. You execute payouts.

Think: state machine + decision engine, not payment gateway.

"Can you host our files/documents?"

No. We store references only: URI + content hash. You host files wherever you want (S3, Google Drive, your own servers). We verify integrity via hash, never download content.

"Do you have a dashboard?"

No. This is an API-first engine. If you need a dashboard, you build it on top of our API. We're infrastructure, not SaaS.

Technical

"Can we override engine decisions?"

Yes, within limits. Operators can adjust the suggested ratio by ±30%. Larger deviations require justification and are audit-logged. This protects against both rubber-stamping and arbitrary overrides.

"What happens if you go down?"

Your escrows continue in their current state. No automatic transitions occur. When we're back, you resume where you left off. State is persistent and recoverable.

For SLA guarantees, see your service agreement.

"How do I replay a decision for audit?"

Every decision is deterministic. Call GET /disputes/:id/recommendation with the same inputs stored in the audit log. You'll get the same output. Always.

"Do you support multi-currency?"

Yes. Currency is stored as an ISO 4217 code. Amounts are in minor units (cents). We don't do currency conversion — that's your payment provider's job.

Security

"Why HMAC instead of OAuth/JWT?"

HMAC with nonces provides replay protection at the protocol level. No token refresh flows. No session management. Every request is independently verifiable. This is how payment APIs work (Stripe, Adyen, etc.).

"How do you handle PII?"

We store opaque actor IDs, not names, emails, or personal data. Your users remain yours. We see usr_abc123, not "John Smith". Map IDs in your system.

"Is data encrypted?"

Yes. TLS 1.3 in transit, AES-256 at rest. All API traffic is HTTPS-only. No exceptions.

Legal & Liability

"Who's liable for wrong decisions?"

We provide recommendations. You apply decisions. Liability caps are defined in your service agreement. Generally: we're liable for system failures within stated SLA, not for business outcomes of decisions you approve.

"Do you hold funds in escrow?"

No. We never custody funds. "Escrow" in our context means lifecycle orchestration, not fund custody. You hold funds in your payment system.

"Can decisions be used in legal proceedings?"

Our audit log provides a forensic-grade trail of all events, inputs, and decisions. Whether that's admissible in your jurisdiction is a question for your legal team, not us.

Integration

"Do you have SDKs?"

Not yet. SDKs are planned for a future release. For now, use direct HTTP with HMAC signing. The API is simple enough that most integrations are >100 lines of code.

"What's the rate limit?"

Standard tier: 100 req/min. Pro: 1,000 req/min. Enterprise: custom. Rate limit headers are in every response.

"Do you support webhooks?"

Yes. All state transitions trigger HMAC-signed webhooks. Retry policy: exponential backoff up to 5 attempts. Dead-lettered after that.
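
As an added example (not the vendor's code or SDK), here is a receiver-side check for the HMAC-with-nonce scheme described under "Why HMAC instead of OAuth/JWT?" and for the HMAC-signed webhooks above. The signing string, the use of HMAC-SHA256, the 300-second window and every name in the code are assumptions, since the page does not specify the wire format.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window; the page does not state one


def sign(secret: bytes, timestamp: int, nonce: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over an assumed string: timestamp.len(nonce).nonce.body"""
    # The length prefix keeps the nonce/body boundary unambiguous.
    msg = f"{timestamp}.{len(nonce)}.{nonce}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Hypothetical receiver: checks signature, then freshness, then nonce reuse."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = {}  # nonce -> expiry (in-memory here; shared store if multi-node)

    def verify(self, timestamp, nonce, body, signature, now=None) -> str:
        now = time.time() if now is None else now
        expected = sign(self._secret, timestamp, nonce, body)
        # Constant-time compare on bytes; a plain == would leak timing.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad_signature"
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return "stale"
        # Keep only nonces that could still pass the freshness check.
        self._seen = {n: exp for n, exp in self._seen.items() if exp >= now}
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = timestamp + MAX_SKEW_SECONDS
        return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or payloads.
    secret = b"constructed-secret"
    body = b'{"escrow_id":"esc_demo","state":"released"}'
    ts = 1_700_000_000
    sig = sign(secret, ts, "nonce-1", body)
    v = WebhookVerifier(secret)
    print(v.verify(ts, "nonce-1", body, sig, now=ts + 5))         # first delivery
    print(v.verify(ts, "nonce-1", body, sig, now=ts + 9))         # same message again
    print(v.verify(ts, "nonce-2", body + b" ", sig, now=ts + 9))  # altered body
```

The page does not say whether a retried webhook reuses its nonce; if it does, a receiver should treat "replay" as an already-processed duplicate and acknowledge it rather than report an error.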