Trust Centre

Security, privacy and compliance built for financial services

SOFI is purpose-built for regulated financial advice. We understand your client conversations contain highly sensitive data – and that's exactly why we've made trust a foundational part of what we build.

ISO 27001:2022 Certified
Cyber Essentials Plus
UK GDPR Compliant
FCA Authorised · No ICO Breaches
B Corporation Certified
Primary data residency
Azure UK South (United Kingdom) – all primary client data stored within the UK
Encryption at rest
AES-256 via Azure SSE and MongoDB. Keys managed through Azure Key Vaults with regular rotation.
Encryption in transit
TLS 1.2 and TLS 1.3 enforced across all data transfers
Retention policy
7-year retention aligned to regulatory requirements. Configurable at firm level. Encrypted backups.
Data & Privacy

You stay in control of your client data

SOFI processes audio/video recordings, transcripts, and structured meeting data on your behalf. All primary data is stored within Azure UK South with no on-premises servers.

SOFI only records meetings it has been explicitly invited to and advisers are in full control of which meetings SOFI attends. All AI-generated outputs are reviewed and approved by the adviser before external use.

When your contract ends, SOFI provides a formal data return, destruction process, or export in an agreed format or secure deletion from all SOFI systems following confirmed export, within agreed timelines.

SOFI's public-facing Privacy Notice is available in our Privacy Notice.

Security Controls

Uncompromising security practices

Security is embedded across every layer of our infrastructure, development process, and access management.

Multi-Factor Authentication

MFA enforced across all critical systems. Administrative and privileged access requires minimum two factors. Microsoft Authenticator used internally; customer-facing portal supports MFA and SSO.

Single Sign-On (SAML 2.0)

SSO federation via SAML 2.0, compatible with Azure Active Directory and other SAML-compatible identity providers. OAuth2 authentication is standard.

Role-Based Access Control

Access is governed by a role-based permissions model. There are two licence types – Adviser and Support – and the permissions attached to each are fully customisable. Access scoped at folder level – private, shared, or team-wide. Principle of least privilege enforced.

Network Edge Protection (Azure Front Door)

All deployed components sit behind Azure Front Door, providing a Web Application Firewall (OWASP rule set) and platform-level DDoS protection at the network edge, with TLS termination and global load balancing.

Annual Penetration Testing

External penetration testing conducted annually by independent third party. Most recent test: 2026. Covers externally facing networks and applications. Zero critical or high findings in latest evaluation.

Vulnerability Management

Annual vulnerability scans across infrastructure, applications, and network. Critical patches deployed within 3 days. Threat intelligence from NVD, vendor alerts, and US-CERT. Daily anti-virus updates.

CI/CD & Secure Development

All deployments via Azure DevOps CI/CD pipeline – no out-of-band changes. Mandatory pull request code reviews. Static analysis and OWASP Top 10 for LLMs assessments on every release.

Audit Logging

Comprehensive audit logs covering account access, system changes, privileged activity, failed logins, and incident recording. Logs retained for at least 1 year, tamper-protected, consolidated in a SIEM.

Endpoint & Employee Security

All employees undergo thorough background checks and sign confidentiality agreements. Laptops protected via MDM with hard drive encryption and anti-malware. Microsoft Defender deployed across endpoints.

Multi-Tenancy & Isolation

By default, logical multi-tenancy with client data sharded – no cross-organisation access. Physical segregation available for clients requiring full isolation, scoped during implementation.

Cloud-Native Infrastructure

100% cloud-native on Microsoft Azure. No on-premises servers. Auto-scaling with Azure-managed infrastructure. Azure-native monitoring, Microsoft Defender for Cloud, and SIEM for security event management.

Business Continuity & DR

Documented BCP reviewed under ISO27001. RTO: within 24 hours. RPO: per backup frequency. Azure-based DR with cloud-native redundancy and failover. Tabletop exercises and cyberattack recovery drills.

Uptime & SLA

99% Monthly Availability SLA. Initial outage response within 1 hour; critical resolution within 24 hours. Customer notification within 30 minutes of outage, with hourly updates until resolved.

AI Governance

Responsible AI – built for regulated advice

SOFI's AI is designed with human oversight at its core. Your client transcripts are never used to train AI models.

No training on client transcripts

SOFI explicitly prohibits the use of client transcripts for training or fine-tuning any AI models. Third-party models are accessed under contractual controls that prohibit use of SOFI client transcripts for model training. SOFI uses only synthetic training data.

Human-in-the-loop

All AI-generated outputs – summaries, extracted data, action items, generated documents – are reviewed, edited, and approved by the adviser before any external use. No outputs are actioned or shared automatically.

Data obfuscation before external models

Before any prompt is sent to an external language model, sensitive data is obfuscated – the names of individuals and other identifying details are masked. External providers process de-identified content, never raw client identities.

Agentic architecture

SOFI Codex™ uses a multi-agent framework for structured analysis, extraction, and self-validation. SOFI Chat is built on agentic architecture to query across multiple data sources with full audit trails.

Frequently Asked Questions

Common security & compliance questions

Everything you need to know before evaluating SOFI for your organisation.

No. SOFI explicitly prohibits the use of client transcripts for training or fine-tuning any AI models. This applies to SOFI's own models and to all third-party AI providers (AssemblyAI, Azure OpenAI, Anthropic). All providers are governed by contractual controls explicitly prohibiting use of SOFI client transcripts for model training. SOFI uses only synthetic training data.
All primary client data is stored within Azure UK South (United Kingdom). Processing by third-party AI services may involve Western Europe (AssemblyAI) or the Azure ecosystem. PII is obfuscated before transmission to any external processor. Clients can specify their preferred processing region. Standard Contractual Clauses and Transfer Impact Assessments cover any transfers outside the UK/EEA.
Mallowstreet holds: ISO 27001:2022 (certified by the British Assessment Bureau, renewed 2026) and Cyber Essentials Plus (renewed 2026). Annual external audits are conducted as part of ISMS governance. The most recent penetration test (Evalian, 2026) identified zero critical or high findings.
Upon contract termination, SOFI provides: formal notification and agreement of a data return or destruction timeline; data export in an agreed format via the SOFI API or secure file transfer; and secure deletion of all client data from SOFI systems following confirmed export or at end of the agreed retention period. All processes are documented and auditable.
Yes to all three. MFA is enforced across all critical systems. SOFI supports SSO via SAML 2.0, compatible with Azure Active Directory and other SAML-compatible identity providers. OAuth2 is the standard authentication mechanism. RBAC allows access to be scoped at folder level – private, shared, or team-wide – with admin permissions assignable to either licence type.
No. By default, SOFI uses logical multi-tenancy – client data is sharded and no organisation can access another's data. For clients requiring physical segregation, full data isolation is available and can be scoped during implementation. Within Mallowstreet, internal access to customer data requires explicit security approval and is role-based, logged, and reviewed.
SOFI commits to a 99% Monthly Availability SLA. For critical incidents, the initial response is within 1 hour with a resolution target of within 24 hours. Customers are notified within 30 minutes of an outage being identified, with hourly updates until resolution. A 24×7×365 incident response capability is available for critical security and service events.
Minor updates are released out of hours on a scheduled basis with no disruption to users. Major changes are communicated in advance and released behind feature flag controls, enabling per-client rollout. Clients receive detailed release notes with each update. All deployments go through the Azure DevOps CI/CD pipeline – no out-of-band changes are permitted.
No. Mallowstreet Limited has not notified the ICO of any personal data breaches in the past three years. There have been no material interactions with the ICO beyond routine registration maintenance.
SOFI supports: REST API (Open API, documented at docs.sofiai.com); webhooks for real-time job completion notifications; file-based audio/video upload; and native integrations with SharePoint, MoveIT, Salesforce, and other systems. The same API interface is used for both external integrations and internal platform workflows. API documentation and stability commitments are available for enterprise clients.

Ready to evaluate SOFI for your organisation?

Speak to our team to discuss your security requirements, request documentation, or schedule a technical review.

Request a Demo