Security

Trust Is the Product

Qofi handles the most sensitive material in finance: deal-level workflows, institutional data, and the expertise of the people who produce them. Security is engineered into the network, the repo, and every deployment from day one.

Compliance

Audited Against the Standards Institutions Require

SOC 2
CCPA
ISO 27001
GDPR
EU AI Act
Audit reports and certification details are available to clients and prospects under NDA.
Data Protection

Institutional-Grade Controls, End to End

Encryption Everywhere

Data encrypted in transit with TLS 1.2+ and at rest with AES-256. Keys are managed, rotated, and access-logged.

Client Data Is Never Training Data

Institutional data is used only for the engagement it serves. Nothing enters the repo or any training corpus without explicit contractual agreement.

Strict Tenant Isolation

Every institution's environment, data, and context are logically isolated. No commingling between clients, engagements, or workspaces.

Enterprise Access Controls

SSO and SAML, multi-factor authentication, role-based permissions, and least-privilege access, enforced for staff, operators, and clients alike.

Continuous Monitoring

Full audit logging, anomaly detection, and independent penetration testing on a recurring schedule, with findings remediated to deadline.

A Vetted Human Layer

Every operator in the gold-standard network is identity-verified, bound by NDA, and screened to project-specific institutional standards before touching any engagement.

Deployment

Inside the Institution's Perimeter

Deployments conform to the institution's security posture, not the other way around. The harness is model-agnostic and runs where the firm requires it.

Private Cloud and VPC Options
Single-tenant deployments inside the firm's own cloud perimeter, with data residency honored by region.
Model-Agnostic by Design
The harness works with the firm's approved model providers and existing data-processing agreements.
Governed and Auditable
Every agent action is logged, attributable, and reviewable, built for compliance teams and committees, not around them.
Trust Center

Security Controls

The controls that govern every Qofi deployment, grouped by domain. A full controls report and current audit attestations are available under NDA.

Infrastructure Security
Cloud infrastructure hosted with leading providers in audited, certified data centers.
Network segmentation, firewalls, and private networking isolate every environment.
Infrastructure changes are version-controlled, reviewed, and deployed through CI/CD.
Production is isolated from development and staging environments.
Automated backups with tested restore procedures.
Access Control
Role-based access control enforces least privilege across all systems.
Single sign-on and mandatory multi-factor authentication for all personnel.
Access is provisioned on a need-to-know basis and reviewed on a regular cadence.
Access is revoked promptly on role change or offboarding.
Privileged access requires additional approval and is time-bound.
Data Protection
Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
Client data is logically isolated by tenant and never used as training data.
Retention and deletion follow documented policies and contractual terms.
Personal data is minimized and anonymized where possible.
Data-processing agreements govern every client engagement.
Monitoring & Logging
Centralized, tamper-evident audit logs across systems and deployments.
Continuous monitoring with alerting on anomalous activity.
Every model action in a deployment is attributable and reviewable.
Logs are retained per policy and protected from modification.
On-call rotation for security and availability incidents.
Application Security
Secure development lifecycle with mandatory code review.
Dependency scanning and static analysis run in the pipeline.
Independent penetration testing on a periodic basis.
A responsible-disclosure program for reporting vulnerabilities.
Vulnerabilities are triaged and remediated on a risk-based timeline.
Governance & Procedures
Documented information-security policies, reviewed and approved annually.
Personnel background checks and recurring security training.
Vendor risk reviews before onboarding third parties.
A documented incident-response plan, tested periodically.
Change-management procedures with approvals and rollback.

Controls shown are representative and PLACEHOLDER pending confirmation of Qofi's actual implementations and certifications. Request the full controls report at security@qofi.ai.

Trust Center

Security FAQ

Is client data ever used to train models?

No. Client data is logically isolated by tenant and is never used as training data. Data is processed only to deliver the contracted service, under the terms of the engagement.

Where is data hosted, and is it encrypted?

Infrastructure is hosted with leading cloud providers in audited, certified data centers. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), with keys managed in a dedicated vault.

Can Qofi deploy inside our environment?

Yes. Deployments conform to the institution’s security posture, including single-tenant and VPC options, and operate within the institution’s existing controls rather than around them.

What certifications and audits do you maintain?

Current attestations and audit reports are available under NDA on request. Compliance commitments and their status are confirmed directly with the security team; see the compliance badges above. (Certifications are placeholder pending confirmation.)

How do you handle access and offboarding?

Access follows least privilege with SSO and mandatory MFA, is provisioned on a need-to-know basis, reviewed on a regular cadence, and revoked promptly on role change or offboarding. Privileged access is time-bound and separately approved.

How do I report a vulnerability or request the controls report?

Report suspected vulnerabilities to security@qofi.ai through the responsible-disclosure program. The full controls report and current attestations are available from the same address under NDA.

Found a Vulnerability?

Qofi welcomes responsible disclosure. Reports are acknowledged within one business day and remediated on a committed timeline.
