Enterprise-grade security for regulated industries
Housing associations handle sensitive tenant data. CRE firms manage confidential deal terms. We built our security posture for the most demanding requirements in both sectors.
Certifications & audits
Independently verified, continuously maintained
SOC 2 Type II
In progress
Our systems and controls follow SOC 2 standards for security, availability and confidentiality. Once a formal audit report is issued, it will be available to customers and prospective customers under NDA.
UK GDPR
Aligned
We process personal data in alignment with the UK GDPR and EU GDPR, with Data Protection Impact Assessments conducted for high-risk processing activities. Privacy queries are handled via privacy@unify.
Independent Penetration Testing
by CyberCrowd
Our infrastructure and applications are independently penetration tested. Findings are remediated promptly and re-tested to confirm closure; full reports are available under NDA.
How we protect your data
Security by design, not by afterthought
UK / EU Data Residency
Our production data plane runs in the European Union under UK GDPR safeguards. UK-only data residency is available as a per-customer deployment configuration on request. Your data never leaves the geography we agree with you in the deployment schedule.
Encryption in Transit and at Rest
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 — the same standards used by financial institutions. Encryption keys are managed through a dedicated key management service with automatic rotation.
Per-Customer Isolation
The production data plane is multi-tenant, with strict row-level scoping. Per-customer isolation is enforced at the application layer; cross-customer access is prevented by design and verified through code review, automated tests, and access logging.
Role-Based Access Controls
Granular permissions ensure that users only access the data and functions relevant to their role. For organisations with information barriers (e.g., Chinese walls in CRE advisory), access controls enforce strict separation between teams.
Audit Logging
Privileged actions and customer-data access within the platform are logged with full attribution — who did what, when, and on which data. Logs are retained per our Operations Security Policy and made available on request for incident investigations and customer audits.
Zero Data Training
We do not use your data to train, fine-tune or improve AI models — ever. Your documents, conversations and outputs remain exclusively yours. This is contractual, not just a policy statement.
Built for your sector
Security that understands your regulations
For Housing Associations
Tenant Data Protection
AI interactions with tenants follow the same identity verification protocols as your human advisors. Personal data is only shared after verification, and all tenant interactions are logged for audit purposes.
Awaab's Law Compliance Trail
Every damp and mould report, investigation and remediation action is timestamped and logged, providing a complete evidence trail to demonstrate compliance with statutory timeframes.
RSH Consumer Standards
Our governance framework supports housing providers in meeting the Regulator of Social Housing's transparency requirements around AI-assisted service delivery.
For Commercial Real Estate
Deal Confidentiality
Information barriers between teams are enforced at the platform level. Confidential deal data is siloed so that no information leaks between advisory mandates, even within the same firm.
Client Data Separation
Each client portfolio's data is isolated within your environment. Cross-client analytics are only possible where explicitly configured and authorised by your compliance team.
Financial Regulatory Alignment
Our platform supports compliance with FCA requirements for firms handling investment advice, including record-keeping, audit trails and data retention policies.
Frequently asked questions
Security questions from procurement teams
Where is our data stored and processed?
Our production data plane runs in the European Union by default. UK-only data residency is available as a per-customer deployment configuration on request. Your data never leaves the geography we agree with you, and we can provide data residency documentation for your procurement and compliance teams.
Do you use our data to train AI models?
No — categorically and contractually. We do not use customer data for model training, fine-tuning, benchmarking or any other purpose beyond delivering the service to you. This commitment is in our Data Processing Agreement, not just a policy page.
Can we get a copy of your SOC 2 report?
We are working towards SOC 2 Type II covering the Security, Availability and Confidentiality Trust Services Criteria. Once issued, the report will be available to customers and prospective customers under NDA. In the meantime, our security pack and completed security questionnaire responses are available on request.
How do you handle a data breach?
We have a documented incident response plan with defined escalation procedures. We notify the relevant supervisory authority without undue delay and within 72 hours of becoming aware of a personal-data breach (UK GDPR Article 33). Affected customers are notified without undue delay under the Data Processing Agreement, and we provide a full incident report and remediation plan.
Can your staff access our data?
Access to customer data is restricted to a minimal number of authorised personnel, only when required for support or incident resolution, and only with your explicit permission. All access is logged, time-limited and auditable.
Do you support SSO and MFA?
Yes. The platform supports OAuth / OIDC-based authentication with Google and Microsoft Azure AD identity providers; customer-specific SSO requirements are handled during onboarding. MFA can be enforced at the identity-provider level. Internally, all Unify staff access is gated on Google Workspace SSO with mandatory 2-step verification.
Can we complete a security questionnaire or DPIA?
Absolutely. We regularly complete CAIQ, SIG, HECVAT and bespoke security questionnaires. We also provide a Data Protection Impact Assessment template pre-filled with our processing details to accelerate your review.
What about sub-processors?
We maintain a public list of sub-processors at unify.ai/sub-processors, updated whenever a sub-processor is added or removed. All sub-processors are contractually bound to the same data protection standards we offer our customers, and enterprise customers receive advance notice of changes under their Data Processing Agreement.
Questions about security?
Our team is happy to walk through our security posture, share our SOC 2 report, or complete your security questionnaire.