Security & Compliance

We prioritize data security and client confidentiality above all else.

SOC 2 Certified

Collation.AI meets international information security standards and is SOC 2 certified. We undergo regular third-party audits to ensure our security controls meet the highest industry standards for protecting sensitive financial data.

Data Encryption

All data is encrypted at rest using AES-256 and in transit using TLS 1.2+. Your financial data warehouse is hosted on Microsoft Azure with HSTS enforced on all web servers and encryption keys managed via Azure Key Vault.

Access Control

Strict role-based access controls ensure that only authorized personnel can access your data. Multi-factor authentication is required for all system access. We sign NDAs as standard practice before any data integration begins.

Audit-Ready Data

Our Agentic AI Bots ensure all data is audit-ready with complete audit trails, version control, and data lineage tracking. Every data transformation and reconciliation is logged and traceable for compliance and regulatory requirements.

Two-Factor Authentication

Access requires something you know and something you have. This dual-verification process ensures that even if credentials are compromised, your account remains secure.

Continuous Security Compliance

Our automated monitoring systems scan every line of code and system configuration around the clock, ensuring 100% compliance with the most stringent financial security standards.

End-to-End Encrypted Communication

Every piece of data exchanged between our servers and your browser is protected by HTTPS encryption, creating an impenetrable tunnel that shields your information from interception.

Security Certifications

  • AICPA SOC 2 Type 2 Security Certification
  • ISO/IEC 27001 Information Security Management Certification

Your Data, Your Control

  • You decide where your data warehouse is hosted - your cloud or ours
  • No changes required to your existing technology stack
  • Complete data ownership and portability
  • Transparent data processing with full visibility
  • Regular security updates and monitoring

AI Transparency & Data Privacy

You control which AI processes your data. We never train on it.

Customer-Controlled AI

You choose which AI model processes your financial data. Collation.AI is model-agnostic — your data flows only to the AI provider you explicitly configure and approve. No undisclosed third parties.

Locally Hosted Open Source AI

For clients who require zero data exposure to commercial LLMs, we offer locally hosted open source models — including the Qwen3 series — processing your data in a private, isolated environment with no commercial LLM exposure.

Zero AI Training on Client Data

Your financial documents — K-1s, bank statements, custodian statements, tax documents — are never used to train any AI model. No opt-out is required because training on client data simply does not happen.

Microsoft Azure Infrastructure

All data is hosted on Microsoft Azure in US-based data centers. You can choose your preferred Azure region. Private networks, managed identities, and Azure Key Vault ensure your data never leaves your approved environment.

Security Documentation

Full due diligence package available for enterprise procurement and compliance reviews.

Security Operations

Continuous monitoring, dedicated response team, and mandatory access controls.

SIEM & Threat Detection

  • Azure Monitor — infrastructure monitoring with real-time alerts
  • Microsoft Defender for Cloud — advanced threat protection and vulnerability scanning
  • CrowdStrike Falcon Pro — endpoint detection and response on all desktops and servers
  • Application Insights — application performance and anomaly monitoring

Access & Authentication

  • MFA mandatory — multi-factor authentication required for all system access
  • Azure Entra ID — SSO, RBAC, and identity management
  • Privileged Access Management — admin access restricted on a need-only basis
  • All privileged actions logged — complete audit trail of admin activity

Incident Response (SIRT)

  • Dedicated SIRT — Security Incident Response Team handles all security events
  • Documented IR Policy — escalation workflows, incident classification, and communication protocols
  • Client breach notification — customers notified promptly of any incident affecting their data
  • Annual pen testing — third-party penetration testing with published results

Data Loss Prevention (DLP)

  • Azure Private Networks — all internal communication isolated within VNets; no unauthorised data egress paths
  • Read-only production access — AI processing uses read-only database connections, preventing data exfiltration at the infrastructure level
  • Microsoft Defender for Cloud — monitors for anomalous data access and exfiltration patterns with automated alerts
  • RBAC enforcement — granular role-based controls ensure data is accessible only to explicitly authorised users and processes
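The "read-only production access" and "RBAC enforcement" controls above can be made concrete at the database layer. The following is an added example, not Collation.AI's own configuration: a least-privilege PostgreSQL role for the AI-processing connection (the page names PostgreSQL as an example database). The database, schema and role names are hypothetical, and the password would in practice come from a secret store such as Azure Key Vault rather than being written in a script.

```sql
-- Added example (hypothetical names): a dedicated login role for AI processing.
-- The password is a placeholder; load it from a secret store, never from source.
CREATE ROLE ai_reader WITH LOGIN PASSWORD '<secret-from-key-vault>';

-- Connect-only at the database level: no CREATE (schemas) and no TEMP tables.
REVOKE ALL ON DATABASE finance_dw FROM ai_reader;
GRANT CONNECT ON DATABASE finance_dw TO ai_reader;

-- Make sure the role gets nothing via PUBLIC on the reporting schema.
REVOKE ALL ON SCHEMA reporting FROM PUBLIC;

-- Schema usage plus SELECT on existing tables; no INSERT, UPDATE, DELETE or TRUNCATE.
GRANT USAGE ON SCHEMA reporting TO ai_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO ai_reader;

-- Tables created later in the schema inherit the same SELECT-only grant.
ALTER DEFAULT PRIVILEGES IN SCHEMA reporting
    GRANT SELECT ON TABLES TO ai_reader;

-- Defence in depth: sessions for this role start read-only, so accidental
-- writes fail even where a grant was mis-applied. (A session can override
-- this setting, so the grants above remain the actual enforcement.)
ALTER ROLE ai_reader SET default_transaction_read_only = on;

-- Bound long-running queries from this role; reviewed alongside monitoring alerts.
ALTER ROLE ai_reader SET statement_timeout = '30s';

-- Verification: list every privilege the role holds on the reporting schema.
-- Anything other than SELECT appearing here indicates a mis-grant.
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'ai_reader' AND table_schema = 'reporting'
ORDER BY table_name, privilege_type;
```

A read-only role blocks tampering with the warehouse, but it does not by itself stop data from being read out in bulk through SELECT; that is why the page pairs it with monitoring for anomalous access patterns (Defender for Cloud) and network isolation of egress paths. Review the verification query's output after any schema change, since new grants made directly to PUBLIC would bypass the default-privileges rule.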

Data Lifecycle & Retention

Clear policies on how your data is handled, retained, and deleted.

During Processing

  • Uploaded documents processed in an isolated, encrypted environment
  • Original raw documents may be deleted after extraction to minimise data footprint
  • Extracted structured data retained in your dedicated data warehouse for reporting
  • All processing steps logged with full audit trail

On Contract Termination

  • All client data deleted or returned upon contract end
  • Data export available on demand — full portability guaranteed
  • Retention only where legally required (e.g. regulatory obligations)
  • Automated daily backups with point-in-time recovery, encrypted at rest

Vibe-Coding: Secure Development Architecture

From development to secure production deployment

🔒 Data Hosting & Privacy Architecture

Enterprise-Grade Security at Every Layer

Standard Setup

  • Vibe-coding applications store data in any database technology (e.g. PostgreSQL)
  • Enterprise-grade backend infrastructure
  • Managed seamlessly alongside deployment

Dev Isolation

  • Separate development environments
  • Isolated Database servers (e.g. PostgreSQL) with dummy data only
  • Zero access to customer data guaranteed

Production Lock

  • We manage deployment & hosting only
  • All customer data stays on secured external servers
  • Military-grade access controls

🛡️ Collation.AI Priority

Customer data sovereignty and security above everything else

  • 🔒 No client data is ever shared with a public LLM
  • Code and UI are automatically moved to your secure local environment
  • 🔗 Direct connection to your production database only

⚡ Vibe-Coding Workflow

Secure development pipeline from code to production

Development Environment (diagram): text prompts from the user drive vibe coding in the Lovable editor with a live preview; the public LLM server is hosted by Lovable USA. The test UI runs against a dummy database with sample data, which Collation creates using the same schema as production. Files sync to GitHub (src/) with real-time commits and version control.

Collation.AI's Secure Infrastructure (diagram): code is deployed to the collation.ai secure server, which has real API access and serves the production UI against the real database in the secure environment, feeding the live P&L dashboard.

Ready to Secure Your Data with Collation.AI?

See how our enterprise-grade security protects your wealth management data while enabling powerful AI-driven insights.