
Compliance & Security

Secure by design. Compliant by default.

Trustinera AI is built for regulated financial environments. Every layer — from the data plane to the API surface — is designed to meet the security, privacy, and audit requirements of financial institutions, fintechs, and enterprise compliance teams.

  • SOC 2 Type II
  • ISO 27001
  • PCI DSS Level 1
  • GDPR
  • FCA Ready
  • PSD2 / Open Banking UK
  • DORA Aligned
  • HMRC MTD Certified

  • 99.9% Uptime SLA
  • AES-256 encryption at rest
  • TLS 1.3 in-transit encryption
  • < 72 hrs breach notification

Standards & Certifications

Independently audited and certified.

Trustinera AI undergoes independent third-party assessments across all major financial and information security frameworks. Certification reports are available to enterprise customers under NDA.

SOC 2 Type II

Annual third-party audit against the AICPA Trust Services Criteria — covering security, availability, processing integrity, confidentiality, and privacy. Full report available to enterprise customers.

ISO 27001

Certified Information Security Management System (ISMS) — covering risk assessment, asset management, access control, cryptography, incident response, and business continuity.

PCI DSS Level 1

Level 1 Service Provider certification for handling cardholder data. Covers network security, encryption, access control, vulnerability management, and regular penetration testing.

GDPR Compliance

Full UK and EU GDPR compliance — lawful basis documentation, data minimisation, subject access request tooling, right to erasure workflows, and DPA-ready data processing agreements.

FCA Regulatory Readiness

Architecture and controls aligned to FCA operational resilience requirements, Consumer Duty obligations, transaction monitoring requirements, and SMCR record-keeping standards.

PSD2 / Open Banking

Certified Strong Customer Authentication (SCA) support, eIDAS-compatible certificate handling, and verified TPP registration across UK (FCA) and EU (EBA) regulatory regimes.

Security Architecture

Zero-trust. Defence in depth.

Trustinera AI implements a layered security model — every boundary is authenticated, every action is authorised, and every event is logged with immutable audit trails.

Zero-Trust Networking

All internal service-to-service communication uses mutual TLS (mTLS). No implicit trust based on network location. Every request carries a verified identity — enforced at the Kubernetes network policy layer.

RBAC & Attribute-Based Access

Fine-grained Role-Based Access Control enforced at the API gateway, service layer, and PostgreSQL row-level security. Permissions are scoped to module, operation, and data attribute — not just broad roles.

Encryption at Rest

All data at rest is encrypted with AES-256 using customer-managed keys (BYOK) or Trustinera AI managed keys stored in a FIPS 140-2 Level 3 HSM. Key rotation is automated and audited.

Encryption in Transit

TLS 1.3 enforced on all external connections. Internal service mesh uses mTLS with automatic certificate rotation via cert-manager and a private CA. No TLS 1.0 or 1.1 permitted anywhere.

Immutable Audit Logs

Every API call, data access, configuration change, and admin action is written to an append-only audit log using PostgreSQL logical replication with hash-chained entries — tamper-evident by design.
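The tamper-evident property described above comes from linking each audit entry to the hash of the one before it. The following is an added illustration, not Trustinera AI's own code: an in-memory hash chain over constructed sample events, with a verifier that walks the chain and reports the first entry whose contents or linkage no longer match. It assumes SHA-256 over a canonical JSON encoding of each event and a fixed all-zero genesis hash; the real product persists entries via PostgreSQL, which this example does not model.

```python
import copy
import hashlib
import json

# Hash of "nothing" that the first entry links to (assumption for this example).
GENESIS = "0" * 64


def canonical(event: dict) -> bytes:
    """Stable byte encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, event: dict) -> str:
    """Hash of this entry = SHA-256(previous entry hash || canonical event)."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def append_entry(log: list, event: dict) -> dict:
    """Append an event to the chain; the entry stores its predecessor's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "prev_hash": prev,
        "event": event,
        "hash": entry_hash(prev, event),
    }
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Recompute every hash and check linkage and sequence numbers.

    Returns (True, None) for an intact chain, or (False, seq) with the
    index of the first entry at which the chain no longer verifies.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i            # deleted, reordered or re-linked entry
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i            # entry contents modified in place
        prev = entry["hash"]
    return True, None


def build_sample_log() -> list:
    """Constructed sample audit events (hypothetical users and tenants)."""
    events = [
        {"actor": "svc-gateway", "action": "api.call", "tenant": "t-001", "path": "/v1/transactions"},
        {"actor": "analyst@example", "action": "data.read", "tenant": "t-001", "amount": 1250},
        {"actor": "admin@example", "action": "config.change", "key": "risk_threshold", "value": 0.8},
    ]
    log = []
    for e in events:
        append_entry(log, e)
    return log


def tamper_in_place() -> tuple:
    """Silently edit entry 1's payload: its stored hash no longer matches."""
    log = copy.deepcopy(build_sample_log())
    log[1]["event"]["amount"] = 999999
    return verify_chain(log)          # -> (False, 1)


def tamper_and_rehash() -> tuple:
    """Edit entry 1 and recompute its hash: entry 2's prev_hash now breaks."""
    log = copy.deepcopy(build_sample_log())
    log[1]["event"]["amount"] = 999999
    log[1]["hash"] = entry_hash(log[1]["prev_hash"], log[1]["event"])
    return verify_chain(log)          # -> (False, 2)


def delete_entry() -> tuple:
    """Drop entry 1 entirely: sequence and linkage fail at index 1."""
    log = copy.deepcopy(build_sample_log())
    del log[1]
    return verify_chain(log)          # -> (False, 1)
```

A hash chain proves that nothing was altered between the point it was written and the point it is verified, but an actor who can rewrite the whole tail of the chain can recompute every subsequent hash; in practice the head hash is therefore periodically anchored somewhere the writer cannot change (a separate system, a signed checkpoint, or a replica the page's logical-replication design implies), and verification compares against that anchor.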

Penetration Testing

Annual third-party penetration tests against the production API, Kubernetes cluster, and web application surfaces. Critical and high findings are remediated within 30 days. Reports available to enterprise customers.

Data & Privacy

Your data stays yours.

Trustinera AI processes financial data on your behalf. We never sell, share, or use your data to train models for other customers. Strict data isolation, residency controls, and privacy-by-design are non-negotiable.

Data Residency (EU / UK / US)

Choose where your data is stored and processed. Workloads can be isolated to EU (Frankfurt, Dublin), UK (London), or US (Virginia, Oregon) regions with no cross-border replication unless explicitly enabled.

Data Isolation (tenant-scoped)

Every customer's data is isolated at the schema level within PostgreSQL with row-level security. Shared infrastructure, fully isolated data. No data co-mingling is possible by architecture.

Data Retention (configurable)

Configurable retention periods per data type. Automatic purge workflows with cryptographic proof of deletion for GDPR right-to-erasure requests. Retention audit report available on demand.

Subject Access Requests (< 72 hrs)

Automated SAR tooling enables your compliance team to respond to subject access requests within the statutory window. Data export and redaction workflows are built into the platform.

Sentrise — Fraud & AML

AI-powered financial crime prevention.

Sentrise is Trustinera AI's built-in financial crime module — real-time fraud scoring, AML transaction monitoring, watchlist screening, and case management in a single governed workflow.

Real-Time Risk Scoring

Every transaction is scored against 200+ behavioural, velocity, and network signals in under 50 ms. Explainable scores with feature-level breakdowns for every decision.

  • 200+ risk signals
  • Sub-50 ms latency
  • Explainable AI — FATF compliant
  • Configurable risk thresholds

AML Transaction Monitoring

Rule-based and ML-hybrid monitoring for structuring, layering, smurfing, mule accounts, and emerging typologies. Tuned to reduce false positives by up to 70%.

  • Rule + ML hybrid detection
  • SAR generation workflow
  • Up to 70% false positive reduction
  • Chartis Research recognised

Watchlist Screening

Screen counterparties against OFAC, EU, UN, HMT, and custom watchlists in real time. Fuzzy matching, alias detection, and continuous monitoring of existing customers.

  • OFAC, EU, UN, HMT lists
  • Fuzzy name matching
  • Continuous monitoring
  • < 100 ms screening latency

Case Management & SAR

Full investigation workflow — case assignment, evidence attachment, timeline view, decision recording, and SAR report generation compliant with UK NCA and EU FIU requirements.

  • Investigation timeline
  • Evidence attachment
  • SAR / STR report export
  • NCA & FIU compliant

Operational Resilience

Built for continuous availability.

99.9% Uptime SLA

Guaranteed 99.9% monthly uptime with financial service credits for any breach. Active-active deployment across availability zones with automatic failover under 60 seconds.

DORA Alignment

Architecture, incident response, and recovery objectives are aligned to the EU Digital Operational Resilience Act (DORA) ICT risk management framework — covering RTO, RPO, and third-party risk.

Disaster Recovery

RTO of 4 hours and RPO of 1 hour. Automated database backups every 15 minutes with point-in-time recovery. DR runbooks are rehearsed quarterly with results shared with enterprise customers.

Incident Response

Defined P1-P4 incident severity levels with SLA response times. Dedicated on-call rotation, automated alerting via PagerDuty, and post-incident reports with root cause analysis published within 5 business days.

Vendor Risk Management

Third-party supplier assessments for all critical vendors (cloud, database, network, identity). Annual reviews with evidence of sub-contractor controls maintained in a live risk register.

Business Continuity

Documented BCP covering personnel, facilities, systems, and suppliers. Tested annually with walk-through and failover exercises. BCP summary available to enterprise customers and regulators on request.

Common Questions

Security & compliance answered.

Can we deploy Trustinera AI on-premise?

Yes. The full platform ships as Helm charts and can be deployed to air-gapped, on-premise, or private cloud Kubernetes clusters. All telemetry can be disabled for air-gapped environments.

Who has access to our financial data?

No Trustinera AI employee can access your transaction data without explicit authorisation through a break-glass access procedure, which is logged, alerted, and reviewed. All access is audited.

How is our data separated from other customers?

Data is isolated at the PostgreSQL schema level and enforced with row-level security. Each customer's data is scoped by a tenant ID enforced at the database layer — shared compute, fully isolated data.

Can we bring our own encryption keys?

Yes. Enterprise customers can provide their own KMS keys (AWS KMS, Azure Key Vault, Google Cloud KMS) via our BYOK programme. Key revocation immediately renders data inaccessible.

Is Trustinera AI suitable for FCA-regulated entities?

Yes. The platform is used by FCA-regulated payment institutions and e-money institutions. We can provide evidence packs for FCA supervisory requests and Consumer Duty assessments.

How do you handle data subject access requests?

The Audit module includes automated SAR tooling that locates, exports, and optionally redacts all data associated with a data subject across all Trustinera AI modules within 72 hours.

Security review

Request our full security pack — SOC 2 report, pen test summary, and data processing agreement.