Security & Trust Centre
Security you can verify, not just read about
M&A documents are among the most sensitive a business ever produces. This page sets out exactly how Acquilens.ai protects them, what controls operate today, and what your security team can request.
Our position on certification
Acquilens.ai operates controls aligned to SOC 2, ISO 27001:2022 and ISO 42001. We do not yet hold independent certification against these frameworks — that work is on our roadmap. Today they shape how the platform is designed and run, and we describe our status honestly: what is fully operating, and what is documented and being rolled out.
Security standards at a glance
AI data governance
Confidentiality enforced by the architecture
Pseudonymised before any model sees it
Every document passes through our privacy pipeline first. Names, entities, and identifiers are stripped and replaced with pseudonymous tokens before a single character reaches an LLM. The models only ever process pseudonymised text.
Crypto-shredding — deletion you can prove
The map from pseudonymous tokens back to real names is encrypted with a key held only in our own infrastructure. Destroying that key renders the data permanently, mathematically irreversible — a deletion guarantee stronger than "we ran a delete query".
Never used to train a model
Our LLM provider’s commercial terms exclude training on your data. API data is retained only briefly for trust-and-safety purposes and then deleted; Zero Data Retention (immediate discard) is available and being enabled for our production workload.
Outputs are self-verified
Analysis passes through a Chain-of-Verification step that checks claims against source evidence before results reach you — reducing the risk of an unsupported statement being presented as fact.
One engagement never sees another
Every record carries a tenant identifier derived from a verified sign-in token; every query and every agent tool call is scoped to your tenant and deal. Isolation is enforced in code, not by convention.
How your data flows
Identifiers are removed before any external AI provider is involved. The highlighted stages run on pseudonymised text only.
Upload
You upload the data room
Extract
Text is extracted
Pseudonymise
Identifiers stripped + tokenised
Embed
Vectorised for retrieval
Analyse
25+ AI agents run
Reinject
Real names restored
Deliver
Results to you
Anthropic and Voyage AI see pseudonymised text only — never real names or the mapping that could restore them.
Control posture
An honest status for each control area. “In progress” means the policy is documented and rollout is underway — not that the control is absent.
AI Governance
Pseudonymisation, reinjection at output only, output verification, no-training terms
Access & Authentication
JWT-derived tenancy, MFA on all admin consoles, scoped + audit-logged impersonation
Multi-tenancy Isolation
Tenant-scoped data and tools, row-level-security backstop
Data Protection & Encryption
AES-256 at rest, TLS in transit, Fernet-encrypted mappings; retention policy being finalised
Sub-processor Assurance
Register maintained; annual review of provider SOC 2 / ISO reports underway
Logging & Monitoring
Application audit logging live; centralised error tracking and uptime monitoring rolling out
Change Management
PR-gated, CI-tested, append-only migrations; branch protection being enabled
Incident Response
Incident-response plan and AI incident playbook documented; first drill scheduled
Business Continuity
Backup and recovery controls being confirmed and restore-tested
Sub-processors
Who processes your data
We rely on a small set of vetted infrastructure and AI providers, each with their own independent security attestations. The complete, current list — with purpose, region, and data categories — is published and kept up to date.
View the sub-processor register →Available to your security team under NDA
- Security whitepaper
- Security questionnaire (SIG-Lite, mapped to SOC 2 & ISO 27001)
- Sub-processor register
- Data Processing Addendum (DPA)
- Incident response summary
- Architecture & data-flow walkthrough
Questions from your IT or risk team?
For security questionnaires, architecture walkthroughs, DPA requests, or a detailed look at any control on this page, we’re happy to work directly with your team.
Talk to us