Enterprise-grade security for regulated industries
Housing associations handle sensitive tenant data. CRE firms manage confidential deal terms. We built our security posture for the most demanding requirements in both sectors.
Certifications & audits
Independently verified, continuously maintained
SOC 2 Type II
Compliant
Our systems and controls are independently audited to meet SOC 2 Type II standards for security, availability, processing integrity and confidentiality. Reports are available to enterprise customers under NDA.
GDPR
Compliant
We process personal data in full compliance with the UK GDPR and EU GDPR. Data Protection Impact Assessments are conducted for all high-risk processing activities. Our DPO is available to answer any data protection queries.
Penetration Tested
by CyberCrowd
Our infrastructure and applications undergo regular penetration testing by independent security firm CyberCrowd. Findings are remediated promptly and re-tested to confirm resolution.
Cyber Essentials
Certified
We hold Cyber Essentials certification, the UK government-backed scheme that demonstrates our commitment to protecting against the most common cyber threats.
How we protect your data
Security by design, not by afterthought
UK Data Residency
All customer data is processed and stored within UK data centres. For organisations with specific jurisdictional requirements, we offer regional data residency options across the UK and EU. Your data never leaves the geography you specify.
End-to-End Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 — the same standards used by financial institutions. Encryption keys are managed through a dedicated key management service with automatic rotation.
Single-Tenant Isolation
Every customer environment is fully isolated. Your data, your models, your configurations are never shared with other customers. There is zero risk of data crossover — by design, not by policy.
Role-Based Access Controls
Granular permissions ensure that users only access the data and functions relevant to their role. For organisations with information barriers (e.g., Chinese walls in CRE advisory), access controls enforce strict separation between teams.
Audit Logging
Every action within the platform is logged with full attribution — who did what, when, and on which data. Logs are immutable, retained per your policy requirements, and available for export to your SIEM or compliance systems.
Zero Data Training
We do not use your data to train, fine-tune or improve AI models — ever. Your documents, conversations and outputs remain exclusively yours. This is contractual, not just a policy statement.
Built for your sector
Security that understands your regulations
For Housing Associations
Tenant Data Protection
AI interactions with tenants follow the same identity verification protocols as your human advisors. Personal data is only shared after verification, and all tenant interactions are logged for audit purposes.
Awaab's Law Compliance Trail
Every damp and mould report, investigation and remediation action is timestamped and logged, providing a complete evidence trail to demonstrate compliance with statutory timeframes.
RSH Consumer Standards
Our governance framework supports housing providers in meeting the Regulator of Social Housing's transparency requirements around AI-assisted service delivery.
For Commercial Real Estate
Deal Confidentiality
Information barriers between teams are enforced at the platform level. Confidential deal data is siloed so that no information leaks between advisory mandates, even within the same firm.
Client Data Separation
Each client portfolio's data is isolated within your environment. Cross-client analytics are only possible where explicitly configured and authorised by your compliance team.
Financial Regulatory Alignment
Our platform supports compliance with FCA requirements for firms handling investment advice, including record-keeping, audit trails and data retention policies.
Frequently asked questions
Security questions from procurement teams
Where is our data stored and processed?
All data is stored and processed in UK data centres by default. We offer EU data residency as an alternative. Your data never leaves the geography you specify, and we can provide data residency documentation for your procurement and compliance teams.
Do you use our data to train AI models?
No — categorically and contractually. We do not use customer data for model training, fine-tuning, benchmarking or any other purpose beyond delivering the service to you. This commitment is in our Data Processing Agreement, not just a policy page.
Can we get a copy of your SOC 2 report?
Yes. Our SOC 2 Type II report is available to customers and prospective customers under NDA. Contact us and we'll share the latest report along with our penetration test summary and security questionnaire responses.
How do you handle a data breach?
We have a documented incident response plan with defined escalation procedures. In the event of a breach affecting customer data, we notify affected customers within 72 hours (in line with UK GDPR requirements), provide a full incident report, and work with you to mitigate any impact.
Can your staff access our data?
Access to customer data is restricted to a minimal number of authorised personnel, only when required for support or incident resolution, and only with your explicit permission. All access is logged, time-limited and auditable.
Do you support SSO and MFA?
Yes. We support SAML and OIDC-based SSO, including integration with Azure AD, Okta, Google Workspace and other identity providers. MFA is available and can be enforced at the organisation level.
Can we complete a security questionnaire or DPIA?
Absolutely. We regularly complete CAIQ, SIG, HECVAT and bespoke security questionnaires. We also provide a Data Protection Impact Assessment template pre-filled with our processing details to accelerate your review.
What about sub-processors?
We maintain a current list of sub-processors, available on request. All sub-processors are contractually bound to the same data protection standards, and we notify customers in advance of any changes to our sub-processor list.
Questions about security?
Our team is happy to walk through our security posture, share our SOC 2 report, or complete your security questionnaire.