Security
Finance & Reporting Intelligence is designed for finance teams who answer to auditors, regulators, and boards. Our security model defaults to data minimisation, layered controls, and full data sovereignty options.
Architecture overview
The Platform consists of three layers that we manage with deliberately narrow scopes:
- Auth / orchestration — managed by us. Holds only what is needed to authenticate users and run the report pipeline: hashed credentials, session tokens, encrypted pointers to your AI and storage providers, run metadata.
- AI inference — your choice. Managed AI (our enterprise account) or BYOK (your own Claude / OpenAI / Gemini account).
- Financial data storage — your choice. Managed mode (our SOC 2-aligned infrastructure with per-tenant isolation) or BYOD (your Google Drive / OneDrive / SharePoint / database).
The two BYO options together mean your financial data can flow end-to-end through infrastructure that you own and control.
Encryption
- In transit: TLS 1.2+ for all client and inter-service traffic.
- At rest: AES-256 for stored data; envelope encryption with KMS-managed data keys for secrets (API keys, ERP credentials).
- Secrets are decrypted only in memory at request time; ciphertext is never logged.
Access controls
- Role-based access within the Platform (owner / admin / member).
- SSO / SAML (Enterprise tier, roadmap) for centralised identity and offboarding.
- Production access for our personnel is restricted, least-privilege, and audit-logged.
- Customer support cannot access your financial data without explicit, in-product authorisation.
Audit and observability
- All authentication events, settings changes, and BYOK / BYOD connection events are written to an audit log.
- Run metadata (which agent ran, when, on which input version, how many tokens it used, and for how long) is preserved per run for traceability.
- In BYOK mode, your AI provider's native audit dashboard shows every prompt and completion your account processed.
- In BYOD mode, your storage provider's audit logs show every access to your data.
Certifications and roadmap
We are actively building toward independent attestation. Current and target states:
- SOC 2 Type II — target attestation date in roadmap. Compensating controls (encryption, access management, audit logging, least privilege) are operational today.
- ISO 27001 — target certification date in roadmap. Information security management system controls are being formalised.
- GDPR / UK GDPR — we follow the principles (data minimisation, purpose limitation, right to erasure). See the Privacy Policy for details.
Certification dates are commitments based on current planning and may shift. Customers under contract are notified of any material changes.
Data residency
The default region for managed-mode customers is the region you select during onboarding. BYOD customers control residency entirely through their own storage configuration.
Incident response
If we detect a security incident affecting customer data, we will notify affected customers without undue delay and provide a written incident report describing what happened, what data was affected, the remediation steps taken, and recommended actions for the customer.
Reporting a vulnerability
If you believe you have found a security issue, please contact us at /contact. We commit to acknowledging reports within two business days and working in good faith to resolve verified issues. We do not pursue researchers acting in good faith under coordinated disclosure.
Sub-processors
We use a short list of vetted sub-processors (AI providers, cloud infrastructure, email delivery, error reporting). On request, customers under contract can receive the current sub-processor list and notification of material changes.
More questions
Customers under an active subscription can request a security questionnaire response, current penetration-test summary, or attestation letter via /contact.