Compliance
How Scalata keeps customer data secure, private, and governed — and how our AI is built to be transparent and auditable for regulated financial workflows.
1. Our approach to compliance
Scalata is built for regulated finance. Compliance and data governance aren't features bolted on afterward — they're core to how the platform is designed, from permissions and auditability to how AI outputs are grounded and traced.
Throughout, our customers stay in control of their data, models, and workflows, and every material action on the platform is attributable and reviewable.
2. Certifications & standards
Scalata's security program is designed and operated to meet the SOC 2 Trust Services Criteria — security, availability, and confidentiality.
- SOC 2: Our controls are independently examined against the SOC 2 Trust Services Criteria. The current report is available to customers and prospects under NDA on request.
- Ongoing assurance: Controls are reviewed and tested on a regular basis, including through third-party audits.
3. Data security
Customer Data is protected with industry-standard controls at every layer.
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Isolation & access: Segregated cloud environments, role-based access controls, and least-privilege access to Customer Data.
- Auditing: Regular third-party audits and continuous monitoring of the environment.
- Incident response: Any security incident impacting Customer Data is reported to the affected customer within 24 hours.
4. Privacy & data protection
We align our data-handling practices with the privacy and financial-services regulations that apply to our customers.
- GDPR: For EU/EEA and UK personal data, we support data-subject rights and make a Data Processing Agreement (DPA) available on request.
- CCPA: We honor California consumer rights, including the “Right to Know” and “Right to Delete”.
- Financial services: We commit to comply with GLBA and New York Department of Financial Services (NYDFS) requirements, and emerging federal and state privacy and AI laws.
- Data-subject requests: Customers and, where applicable, data subjects may request access, correction, or deletion of personal data stored within the platform.
For full detail on what we collect and how it's used, see our Privacy Policy and Cookie Policy.
5. Responsible AI & governance
Because Scalata is an AI platform for high-stakes financial work, responsible-AI controls are built into the product.
- Traceability: Answers are grounded in your data and cited, so every output can be traced back to its source — built to reduce hallucination and support audit.
- Human in the loop: For high-stakes outputs, customers retain the obligation and the tooling to review and validate before acting.
- Model transparency: Where AI is used for decision-making, we provide disclosures so customers understand its functionality, limits, and intended use.
- Governance by design: Permissions, access controls, and a full activity record make it possible to see what every human and digital worker does on the platform.
6. Customer data ownership
- You own your data: Customers retain all rights to the data they submit. We receive only a limited license to use it to deliver the Services.
- Used only to serve you: Customer Data is never sold, monetized, or used for purposes beyond the agreed service delivery.
- Portability: On termination, customers may request export or deletion of their data, subject to verification and any outstanding obligations.
7. Sub-processors & third parties
We use a limited set of vetted sub-processors to operate the platform. A current list of sub-processors is available to customers on request. Where the platform is integrated with third-party services chosen by the customer, the customer is responsible for compliance obligations arising from that use.
8. Reporting a security concern
If you believe you've found a security vulnerability or have a compliance question, please contact us at info@scalata.ai. To request our SOC 2 report, a DPA, or a sub-processor list, reach out to the same address and we'll follow up.