Security

Built for institutions that can’t afford a leak.

Architecture posture

  • Single-tenant deployment available for institutions over $5B in assets — dedicated VPC, dedicated KMS keys.
  • Customer-managed encryption keys (BYOK) for loan-tape and deposit-data ingestion.
  • No model training on customer data, ever. Inference-only. Documented in MSA.
  • Regional data residency — US data stays in us-east; EU pilots stay in eu-central.

Compliance roadmap

  • SOC 2 Type I — in audit, target Q3 2026.
  • SOC 2 Type II — observation period through Q1 2027.
  • FedRAMP Moderate — targeted post-Series A, gates federal credit-union mandate.
  • ISO 27001 — on roadmap for European expansion.

How we handle examination data

Examination output is regulatory work product. We treat it accordingly: encrypted at rest with envelope encryption, encrypted in transit with TLS 1.3, access governed by RBAC keyed to your bank’s identity provider (Okta, Entra, Google), every read logged to an immutable audit trail, and retention controlled by you.

What we do not do

  • We do not share customer data across customers.
  • We do not embed customer data in model weights.
  • We do not retain prompts or outputs longer than your retention policy specifies.
  • We do not have access to production customer data outside of incident response, gated by 4-eye approval.

Pre-procurement starter pack

Available on request: SIG Lite, vendor security questionnaire, sample DPA, current penetration test summary, and customer-managed-key architecture diagram. Email security@examiner.deepdigitalventures.com.