Security & Trust Centre

Security you can verify, not just read about

M&A documents are among the most sensitive a business ever produces. This page sets out exactly how Acquilens.ai protects them, what controls operate today, and what your security team can request.

Our position on certification

Acquilens.ai operates controls aligned to SOC 2, ISO 27001:2022 and ISO 42001. We do not yet hold independent certification against these frameworks — that work is on our roadmap. Today they shape how the platform is designed and run, and we describe our status honestly: what is fully operating, and what is documented and being rolled out.

Security standards at a glance

Data isolationPer-engagement environments
EncryptionAES-256 at rest · TLS 1.3 in transit
Access controlRole-based, audit-logged
Data retentionDeleted post-engagement on request
Model trainingYour data is never used
LLM data retentionNot retained for training; ZDR available
PII handlingPseudonymised before processing
Certification pathISO 27001:2022 · SOC 2 Type II

AI data governance

Confidentiality enforced by the architecture

Pseudonymised before any model sees it

Every document passes through our privacy pipeline first. Names, entities, and identifiers are stripped and replaced with pseudonymous tokens before a single character reaches an LLM. The models only ever process pseudonymised text.

Crypto-shredding — deletion you can prove

The map from pseudonymous tokens back to real names is encrypted with a key held only in our own infrastructure. Destroying that key renders the data permanently, mathematically irreversible — a deletion guarantee stronger than "we ran a delete query".

Never used to train a model

Our LLM provider’s commercial terms exclude training on your data. API data is retained only briefly for trust-and-safety purposes and then deleted; Zero Data Retention (immediate discard) is available and being enabled for our production workload.

Outputs are self-verified

Analysis passes through a Chain-of-Verification step that checks claims against source evidence before results reach you — reducing the risk of an unsupported statement being presented as fact.

One engagement never sees another

Every record carries a tenant identifier derived from a verified sign-in token; every query and every agent tool call is scoped to your tenant and deal. Isolation is enforced in code, not by convention.

How your data flows

Identifiers are removed before any external AI provider is involved. The highlighted stages run on pseudonymised text only.

Upload

You upload the data room

Extract

Text is extracted

Pseudonymise

Identifiers stripped + tokenised

Embed

Vectorised for retrieval

Analyse

25+ AI agents run

Reinject

Real names restored

Deliver

Results to you

Anthropic and Voyage AI see pseudonymised text only — never real names or the mapping that could restore them.

Control posture

An honest status for each control area. “In progress” means the policy is documented and rollout is underway — not that the control is absent.

AI Governance

Pseudonymisation, reinjection at output only, output verification, no-training terms

Implemented

Access & Authentication

JWT-derived tenancy, MFA on all admin consoles, scoped + audit-logged impersonation

Implemented

Multi-tenancy Isolation

Tenant-scoped data and tools, row-level-security backstop

Implemented

Data Protection & Encryption

AES-256 at rest, TLS in transit, Fernet-encrypted mappings; retention policy being finalised

In progress

Sub-processor Assurance

Register maintained; annual review of provider SOC 2 / ISO reports underway

In progress

Logging & Monitoring

Application audit logging live; centralised error tracking and uptime monitoring rolling out

In progress

Change Management

PR-gated, CI-tested, append-only migrations; branch protection being enabled

In progress

Incident Response

Incident-response plan and AI incident playbook documented; first drill scheduled

In progress

Business Continuity

Backup and recovery controls being confirmed and restore-tested

In progress

Sub-processors

Who processes your data

We rely on a small set of vetted infrastructure and AI providers, each with their own independent security attestations. The complete, current list — with purpose, region, and data categories — is published and kept up to date.

View the sub-processor register →

Available to your security team under NDA

  • Security whitepaper
  • Security questionnaire (SIG-Lite, mapped to SOC 2 & ISO 27001)
  • Sub-processor register
  • Data Processing Addendum (DPA)
  • Incident response summary
  • Architecture & data-flow walkthrough
Request the security pack

Questions from your IT or risk team?

For security questionnaires, architecture walkthroughs, DPA requests, or a detailed look at any control on this page, we’re happy to work directly with your team.

Talk to us