SOFI is purpose-built for regulated financial advice. We understand your client conversations contain highly sensitive data – and that's exactly why we've made trust a foundational part of what we build.
SOFI processes audio/video recordings, transcripts, and structured meeting data on your behalf. All primary data is stored within Azure UK South with no on-premises servers.
SOFI only records meetings it has been explicitly invited to and advisers are in full control of which meetings SOFI attends. All AI-generated outputs are reviewed and approved by the adviser before external use.
When your contract ends, SOFI provides a formal data return, destruction process, or export in an agreed format or secure deletion from all SOFI systems following confirmed export, within agreed timelines.
SOFI's public-facing Privacy Notice is available in our Privacy Notice.
Security is embedded across every layer of our infrastructure, development process, and access management.
MFA enforced across all critical systems. Administrative and privileged access requires minimum two factors. Microsoft Authenticator used internally; customer-facing portal supports MFA and SSO.
SSO federation via SAML 2.0, compatible with Azure Active Directory and other SAML-compatible identity providers. OAuth2 authentication is standard.
Access is governed by a role-based permissions model. There are two licence types – Adviser and Support – and the permissions attached to each are fully customisable. Access scoped at folder level – private, shared, or team-wide. Principle of least privilege enforced.
All deployed components sit behind Azure Front Door, providing a Web Application Firewall (OWASP rule set) and platform-level DDoS protection at the network edge, with TLS termination and global load balancing.
External penetration testing conducted annually by independent third party. Most recent test: 2026. Covers externally facing networks and applications. Zero critical or high findings in latest evaluation.
Annual vulnerability scans across infrastructure, applications, and network. Critical patches deployed within 3 days. Threat intelligence from NVD, vendor alerts, and US-CERT. Daily anti-virus updates.
All deployments via Azure DevOps CI/CD pipeline – no out-of-band changes. Mandatory pull request code reviews. Static analysis and OWASP Top 10 for LLMs assessments on every release.
Comprehensive audit logs covering account access, system changes, privileged activity, failed logins, and incident recording. Logs retained for at least 1 year, tamper-protected, consolidated in a SIEM.
All employees undergo thorough background checks and sign confidentiality agreements. Laptops protected via MDM with hard drive encryption and anti-malware. Microsoft Defender deployed across endpoints.
By default, logical multi-tenancy with client data sharded – no cross-organisation access. Physical segregation available for clients requiring full isolation, scoped during implementation.
100% cloud-native on Microsoft Azure. No on-premises servers. Auto-scaling with Azure-managed infrastructure. Azure-native monitoring, Microsoft Defender for Cloud, and SIEM for security event management.
Documented BCP reviewed under ISO27001. RTO: within 24 hours. RPO: per backup frequency. Azure-based DR with cloud-native redundancy and failover. Tabletop exercises and cyberattack recovery drills.
99% Monthly Availability SLA. Initial outage response within 1 hour; critical resolution within 24 hours. Customer notification within 30 minutes of outage, with hourly updates until resolved.
SOFI's AI is designed with human oversight at its core. Your client transcripts are never used to train AI models.
SOFI explicitly prohibits the use of client transcripts for training or fine-tuning any AI models. Third-party models are accessed under contractual controls that prohibit use of SOFI client transcripts for model training. SOFI uses only synthetic training data.
All AI-generated outputs – summaries, extracted data, action items, generated documents – are reviewed, edited, and approved by the adviser before any external use. No outputs are actioned or shared automatically.
Before any prompt is sent to an external language model, sensitive data is obfuscated – the names of individuals and other identifying details are masked. External providers process de-identified content, never raw client identities.
SOFI Codex™ uses a multi-agent framework for structured analysis, extraction, and self-validation. SOFI Chat is built on agentic architecture to query across multiple data sources with full audit trails.
Everything you need to know before evaluating SOFI for your organisation.
Speak to our team to discuss your security requirements, request documentation, or schedule a technical review.
Request a Demo