
Built for the room with procurement in it.

Designed against the frameworks your procurement team already recognises — SOC 2, ISO 27001, GDPR. Defence-in-depth controls across data, identity, network and application. Audit trails designed to answer questions before they’re asked. Our compliance posture summary and trust pack are available under NDA.

COMPLIANCE READINESS

Built to the frameworks your team already recognises.

Designed against established control frameworks — readiness work is in progress, and the current posture is documented in the trust pack we share under NDA.

01 SOC 2 — Type II readiness

The platform’s controls have been built against the SOC 2 Trust Services Criteria (security, availability, confidentiality, processing integrity). Independent audit is being scoped — the current readiness posture is shared under NDA.

02 ISO 27001 — alignment underway

Our information security management system is being designed to the ISO 27001 control set across engineering, operations, vendor management and the personnel processes around them. Certification work is on the roadmap.

03 GDPR & UK DPA — aligned

Region-pinned data residency, processor agreements, sub-processor disclosure and data-subject request workflows aligned with UK DPA 2018 and GDPR Article 28. Our DPA template is shared with prospective customers; bespoke variants are scoped during contracting.

DEFENCE IN DEPTH

Four control planes. All four mandatory.

No single control is load-bearing. Each plane is designed to assume the others may fail.

01 Data

TLS 1.3 in transit. AES-256-GCM at rest. Keys held in HSM-backed key management with scheduled rotation. Secrets handled through a dedicated secrets manager — never in environment variables, never in source.

02 Identity

SSO via SAML 2.0 or OIDC against the customer’s IdP. SCIM 2.0 user provisioning. Role-based access mapped to specific Micro AIs — not blanket admin. Every privileged action is logged and attributable.

03 Network

Service-to-service mTLS through a managed service mesh. No public database endpoints. Egress is filtered, and customer integrations are VPC-peered where applicable. Zero-trust posture — no implicit network authorisation.

04 Application

Secure SDLC with mandatory code review, SAST + dependency scanning in CI, and third-party penetration testing scoped on a regular cadence. CVE response handled through a documented severity matrix.

DATA RESIDENCY & SOVEREIGNTY

Region-pinned by default. No silent crossings.

01 Pinned at the data plane

Region residency is enforced where the data lives, not just where the application runs. The same application code runs in every region with no fork.

02 Processor agreements

Standard DPA template aligned with UK DPA 2018, GDPR Article 28, and equivalent regional frameworks. Sub-processor list is maintained and disclosed with material change notice.

03 Single-tenant where required

For customers whose regulator or internal policy requires it, single-tenant deployments are available in qualifying regions — with the same control posture as multi-tenant.

RESILIENCE & CONTINUITY

Tested before you need it.

01 Multi-AZ active-active

In-region failover handled by the platform with no manual intervention. Cross-region failover paths exercised on a regular cadence as part of disaster recovery rehearsal.

02 Backups & recovery

Point-in-time recovery on primary datastores. Backups encrypted with their own KMS keys, retained per the customer’s policy and the relevant regulatory minimum — whichever is longer.

03 Incident response

Documented runbook, severity matrix, named on-call rota. Customer notification commitments are defined in the contract; the post-incident review is shared in writing.

AUDIT & ACCOUNTABILITY

Every decision. Replayable.

The same audit primitives that make every Micro AI decision explainable also make security and access events queryable. Designed to answer regulator questions before they’re asked.

01 Immutable event log

Every decision, every privileged action and every authentication event is written to an append-only event log. Entries are signed, timestamped and indexed for query.

02 Lineage on every output

Each Micro AI decision carries the model version, the input fingerprint, the confidence score and the plain-language rationale. Replay any historical decision through the API.

03 SIEM-ready

Audit and security events stream to your SIEM of choice (Splunk, Datadog, Elastic, OpenSearch) via OTLP or JSONL. Same data, your tooling.

TRUST DOCUMENTS

What your security review can ask for.

Available under NDA. Most procurement reviews resolve in one round.

01 Compliance posture summary

Current readiness state against SOC 2 and ISO 27001, scope statement, and the cadence of independent assessment as it’s scheduled.

02 Controls matrix

Mapping from our control set to the customer’s framework (NIST CSF, CIS 18, ISO 27002). Useful for pre-procurement gap analysis.

03 Architecture & data flow

Reference architecture document, data flow diagrams per Micro AI, and the regional deployment topology relevant to the customer’s jurisdictions.

04 Vendor & legal pack

DPA template, sub-processor list, business continuity / DR plan summary, and the standard SaaS MSA. Bespoke clauses are scoped during contracting.

RESPONSIBLE DISCLOSURE

Found something? We want to know.

If you believe you’ve found a security issue, please email security@360fintech.ai with reproduction steps. We acknowledge receipt within one working day and follow up with a timeline. Coordinated disclosure is the norm; credit is given where the researcher prefers it.

Procurement-ready in one round.

Most security reviews close in a single exchange. Tell us what your team needs to see — we’ll send the right artefacts under NDA.