Encryption

Hosting

GDPR Compliant

Data Retention

Security & Compliance

Your financial documents are sensitive. We treat them that way: encrypted on arrival, processed in isolation, deleted when you choose.

Chain of custody

Your document’s lifecycle

Every file follows the same path. Click each stage to see the technical details.

Encrypted on arrival (AES-256)
The moment your file hits our servers, it’s encrypted with AES-256 before touching disk. The upload connection is secured with TLS 1.3. Your document is never transmitted in plaintext.
Transport: TLS 1.3
At rest: AES-256-GCM
Region: US-East-1
Access: Your account only
Documents never leave US infrastructure. No employee can view them without your explicit permission. Delete at any time.
Security posture

Built for financial services

Four foundations. Ten controls. Encryption, AI governance, Compliance, and Operational Resilience.

Algorithm: AES-256-GCM
Transit: TLS 1.3
Key management: AWS KMS
Rotation: Automatic
Documents are encrypted on arrival and stay encrypted at rest. Key management runs through AWS KMS with automatic rotation. No employee can access raw encryption keys.

Provider: AWS
Region: US-East-1
Residency: US only
AWS certifications: SOC 2, ISO 27001
All compute, storage, and networking run in AWS US-East-1. Documents are never transferred outside US jurisdiction, including backups. The underlying AWS infrastructure carries SOC 2 and ISO 27001 certifications.

Default: No access
Model: Explicit, time-limited
Logging: All attempts
Support: Written approval
No Associate AI employee has standing access to your documents. Support access, if ever needed, requires your written approval. It is scoped to a specific document and time window, and every event is logged to an immutable audit trail.

Training: Never
Providers: Anthropic, OpenAI
Contracts: Zero retention
Prompts: Structured only
We do not train on customer documents. Anthropic and OpenAI operate under enterprise agreements with zero-data-retention clauses. Documents are sent as structured prompts, never as raw file uploads.

Containers: Ephemeral
Tenancy: Single
Storage: Isolated
Network: Segregated
Each analysis runs in an ephemeral container created for your document alone and destroyed when the job completes. No shared storage or network paths between customer environments. This matters for firms handling competing deal flow.

Phase: Fieldwork
Target: Q3 2026
Scope: Security, Availability, Confidentiality
Firm: Independent CPA
We are in active audit fieldwork for SOC 2 Type II. This is a sustained observation period, not a point-in-time snapshot. The report will be available under NDA on completion.

GDPR: Compliant
CCPA: Compliant
DPA: On request
Subject rights: Access, delete, port
Documented lawful basis for all processing. Full data subject rights support. Standard DPA covers GDPR, CCPA, and applicable financial services frameworks. Turnaround on DPA requests is 1 to 2 business days.

Events: Access, share, delete
Format: Append-only
Retention: Persists after document deletion
Export: On request
Every access, share, deletion, and admin action is written to an immutable, append-only log. Logs are retained independently of document deletion, so your compliance team can review access history after a document has been removed.

Frequency: Annual + ad hoc
Scope: External + application
Firm: Independent
Summary: Under NDA
An independent firm conducts annual penetration tests across external infrastructure and the application layer. Critical findings are remediated within 48 hours, high-severity within 7 days. Test summaries are available under NDA.

Uptime: 99.9% target
Backups: Daily, encrypted
RTO: < 4 hours
RPO: < 1 hour
Automated failover across availability zones. Daily encrypted backups. RTO under 4 hours, RPO under 1 hour. The DR plan is documented and tested quarterly.

Your security questions answered

No. Associate AI does not train on your data. Uploaded materials are ring-fenced to your account and accessible only to collaborators you invite. Our third-party LLM providers operate under zero-data-retention agreements.
We use a variety of models; any third-party models fall under enterprise agreements with zero-data-retention clauses. No provider stores, logs, or trains on data sent through our API. We send structured prompts, not raw files.
Nobody. No Associate AI employee has standing access. If support access is ever needed, it requires your written approval, is scoped to a specific document and time window, and is logged to an immutable audit trail.
They stay in your encrypted workspace indefinitely. Nothing expires. When you delete, the document and all associated data are permanently purged using cryptographic erasure.
AWS US-East-1 (Northern Virginia). That covers primary storage, backups, and all processing infrastructure. Nothing leaves US jurisdiction.
Yes. We regularly complete SIG, CAIQ, and custom vendor assessment forms. Typical turnaround is 3 to 5 business days. Supporting documentation is available, including our SOC 2 readiness report and infrastructure overview.
Yes. Our standard DPA covers GDPR, CCPA, and applicable data protection regulations. Available on request. Turnaround is 1 to 2 business days.
Incident response follows NIST guidelines. Affected customers are notified within 72 hours. We produce a detailed impact assessment, engage third-party forensics, and provide updates through resolution. Encryption at rest and cryptographic erasure limit the blast radius.
Contact support@associateai.com or schedule a call with our engineering team.

Bring our highly trained financial Associate into your workflow.