Security & Compliance

WealthAi is built for regulated financial services. Security, data protection, and compliance are foundational - not afterthoughts.

Certifications & Standards

ISO 27001 & SOC 2

Sprinto engagement signed (April 2026) covering ISO 27001 and SOC 2 Type II certification. 3-year programme with continuous compliance monitoring. Controls mapped to Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy.

GDPR

GDPR compliance managed through Sprinto's privacy framework alongside SOC 2 and ISO 27001. Data processing agreements in place. Data subject rights workflows implemented. Privacy impact assessments conducted for all data processing activities.

FCA / MiFID II / MAR

Platform designed to help clients meet FCA, MiFID II, and MAR regulatory requirements. Compliance Agent provides automated surveillance and reporting aligned with regulatory expectations.

Swiss Regulatory

Architecture supports Swiss data residency requirements. FINMA-aligned data handling practices. Multi-region deployment capability ensures data stays in-jurisdiction.

Infrastructure

WealthAi runs on Microsoft Azure, providing enterprise-grade infrastructure with global reach and financial services compliance.

Microsoft Azure

Hosted on Microsoft Azure with financial services compliance certifications. Multi-region deployment for data residency. Uses Azure's built-in DDoS protection, network security groups, and WAF.

Multi-Tenant Architecture

Secure multi-tenant design with strict data isolation between clients. Each tenant's data is logically separated with access controls enforced at every layer.

High Availability

Designed for high availability with redundancy across availability zones. Automated failover and disaster recovery. Continuous monitoring and alerting.

Safe Deployment

Blue-green deployments with rollback capabilities. Automated testing gates. Zero-downtime releases. Infrastructure as code for reproducibility.

Data Security

Encryption at Rest

All data encrypted at rest using AES-256 encryption. Encryption keys managed through Azure Key Vault with automatic rotation.

Encryption in Transit

All data encrypted in transit using TLS 1.2+. Certificate management automated. No unencrypted endpoints.

Access Control

Role-based access control (RBAC) at platform and data level. Principle of least privilege enforced. Multi-factor authentication required.

AI Governance

AI in regulated financial services requires special governance. WealthAi has built controls specifically for responsible AI use in wealth management.

Multi-Model Strategy

No single-vendor AI dependency. Routes across Gemini, OpenAI, and Anthropic models, selecting the best model per task. Reduces concentration risk and enables model-level failover.

No Training on Client Data

Client data is never used to train or fine-tune AI models. All AI interactions use enterprise API agreements with strict data handling provisions. Client data stays client data.

Immutable Audit Trails

Every AI decision, recommendation, and action is logged with full context. Audit trails are immutable and tamper-evident. Regulatory reviewers can trace any AI output back to its inputs.

Human-in-the-Loop

Critical decisions always require human approval. AI assists and recommends - it doesn't act unilaterally on compliance alerts, trade decisions, or client communications.

Explainability

AI outputs include source citations and reasoning chains. Advisors and compliance officers can see why the AI reached its conclusion, not just the answer.

Guardrails & Validation

Output validation layers check AI responses for accuracy, appropriateness, and regulatory alignment. Hallucination detection. Content filtering for financial advice boundaries.

Data Handling & Privacy

Data Residency

Multi-region Azure deployment ensures client data stays within required jurisdictions. UK data in UK regions. Swiss data in Swiss/EU regions. Configurable per client.

Data Processing Agreements

Standard DPAs in place for all client relationships. Clear data controller/processor boundaries. Sub-processor management with notification obligations.

Data Retention

Configurable retention policies aligned with regulatory requirements. Automated data lifecycle management. Secure deletion when retention periods expire.

Third-Party Data

All marketplace partners and data providers vetted for security and compliance. API Hub enforces governed access with rate limiting, quota management, and audit logging.

Operational Security

Monitoring & Alerting

24/7 monitoring of infrastructure, application, and security events. Automated alerting for anomalies. Incident response procedures documented and tested.

Vulnerability Management

Regular vulnerability scanning and patching. Dependency monitoring for known CVEs. Penetration testing conducted periodically by third parties.

Employee Security

Background checks for all employees handling client data. Security awareness training. Principle of least privilege for internal access. MFA enforced on all systems.