Security and Privacy at UmergenceAI

How we protect some of the most sensitive documents in finance — and the controls behind every claim on this page.

UmergenceAI handles some of the most sensitive documents in finance — confidential information memoranda, limited partnership agreements, meeting transcripts, and financial statements. We built our security program to meet the same standards financial institutions have required from their technology providers for decades: encryption, access control, audit trails, and zero tolerance for unauthorized data use.

As a FINRA-registered broker-dealer, we are subject to direct regulatory oversight under the Gramm-Leach-Bliley Act (GLBA) and SEC Regulation S-P. Our security controls are not optional. They are legal obligations — and we treat them that way.

Have questions? Contact our security team: operations@umergence.com

Compliance and Certifications

GLBA / SEC Regulation S-P — Active

As a FINRA-registered broker-dealer, UmergenceAI is directly subject to GLBA and SEC Regulation S-P. We maintain a Written Information Security Plan (WISP), a designated Qualified Individual for our security program, formal risk assessment procedures, and incident response protocols meeting the updated Regulation S-P requirements effective June 2026.

FINRA Member — Active

UmergenceAI is a registered member of FINRA. Our platform design, supervisory procedures, and communications practices comply with applicable FINRA rules, including FINRA Rule 3110 (Supervision) and FINRA Rule 2210 (Communications with the Public).

SOC 2 Type II — In Progress

UmergenceAI is currently implementing the controls required for SOC 2 Type II certification. Our implementation roadmap (CO-085) maps to all five SOC 2 Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. We expect to engage an independent auditor. Customers may request our current control evidence package under NDA.

ISO/IEC 42001 AI Management System — Planned

We are designing our AI governance framework to align with ISO/IEC 42001:2023, the international standard for AI management systems. This positions us for certification as the standard matures.

CCPA / CPRA — Supported as Service Provider

UmergenceAI acts as a service provider under CCPA for customers subject to California privacy law. We support consumer rights requests (access, deletion, correction, portability) and provide a Data Processing Agreement incorporating CCPA service provider representations.

Data Encryption

Your data is encrypted at every stage of its lifecycle on our platform.

At Rest

All stored data — documents, meeting transcripts, embeddings, vector databases, and metadata — is encrypted using AES-256. Encryption keys are managed through a centralized Key Management Service with automatic 90-day rotation. Keys are never stored alongside encrypted data.

In Transit

All data in transit between your browser and our platform, between our internal services, and between our platform and AI model providers is protected using TLS 1.3. We disable all deprecated cipher suites and TLS versions below 1.2.

We run automated daily checks to verify TLS is active on all endpoints and alert our engineering team immediately if any endpoint is found without encryption. Behind the scenes, our security controls are defined in our Written Information Security Plan and regularly tested through a formal Information Security Risk Assessment. These internal documents guide how we design, review, and improve the safeguards summarized on this page.

Access Controls

Role-Based Access Control (RBAC)

Every user on UmergenceAI is assigned a role that determines what data they can see and what actions they can take. Analysts, managing directors, compliance officers, and external investors all have distinct permission profiles. Users cannot access data for deals or customers outside their authorized scope.

Multi-Factor Authentication (MFA)

MFA is required for all user accounts. We support authenticator apps and hardware security keys.

Single Sign-On (SSO)

Enterprise customers can connect their corporate identity provider (Google Workspace, Microsoft Entra, Okta) through SSO, centralizing credential management and enabling instant access revocation.

Tenant Isolation

Each customer's data is logically isolated at both the application and database layers. There is no pathway through normal platform operations by which one customer's data could be accessed by another customer's account.

Dynamic Permission Management

Administrators can adjust user permissions instantly — restricting access as deals move to sensitive phases, revoking access when team members change, or removing external investor access when a viewing window expires.

Data Handling

Your data is never used to train our models — or anyone else's.

Data you upload to UmergenceAI is processed solely to deliver analysis and insights to you. It is not used to train, fine-tune, benchmark, or improve any AI model. This commitment applies to all data processed through our platform, is documented in our Zero-Training Commitment Statement, and is enforceable by contract through the Data Processing Agreement we sign with enterprise customers. The promise you see here is therefore reflected in both our contracts and our internal controls.

Our AI model providers hold the same standard.

We use AI models from Anthropic, OpenAI, and Google through API access. Each provider has published or provided contractual commitments that data submitted via API is not used for model training. We verify these commitments as part of our vendor oversight program.

Retention and Deletion

Customer data is retained for the duration of the service relationship and any legally required period thereafter. Upon contract termination or written request, we delete customer data from our systems within 60 days and provide written certification of deletion.

Audit Trail and Transparency

Every action on UmergenceAI is logged. Our immutable audit trail records:

User Activity

Every login, document upload, search query, and action taken by a user on the platform — with timestamp, user identity, and IP address.

AI Interactions

Every AI analysis request, the model used, the version of that model, the data sources consulted, and the output generated. Consistent with FINRA 2026 expectations, we maintain records sufficient to reconstruct the reasoning chain for any AI-generated output.

Sharing Events

Every instance of a report or document being shared externally, including the identity of the recipient, the access window, and whether the recipient viewed the content.

Access Changes

Every modification to user permissions, including who made the change, when, and what changed.

Audit logs are retained for a minimum of five years, consistent with SEC Regulation S-P recordkeeping requirements. Logs are write-once and tamper-resistant. Enterprise customers may request an export of their audit logs at any time.

Vendor Security Oversight

We apply the same scrutiny to our sub-processors that we apply to ourselves. Our vendor oversight program includes:

Contract Requirements

Every sub-processor that handles customer data is required by contract to implement appropriate safeguards, notify us within 72 hours of any security incident affecting our customer data, not use customer data for model training, and allow us to audit their compliance with our requirements.

Security Review

Before engaging a new sub-processor, we review their SOC 2 reports, data processing terms, and relevant security certifications.

Model Version Tracking

For AI model providers, we maintain records of which model versions are active in our production environment and receive advance notice of material model changes that could affect output reliability.

Annual Review

We review our full vendor roster at least annually and before any material changes to our technology stack.

Current AI Model Sub-Processors: Anthropic (Claude), OpenAI (GPT-4o), Google (Gemini) — each engaged under API terms with no-training commitments. Full sub-processor list available upon request under NDA.

Incident Response

If a security incident ever affects your data, our written Incident Response and Breach Notification Plan, which is tested and updated at least annually, governs how we detect, investigate, contain, and notify you and relevant regulators. Our vendor contracts require our cloud and AI providers to support these obligations, including prompt breach notifications and strong security measures of their own. In the event of a security incident affecting your data:

48-Hour Internal Notice

We will notify your designated security contact within 48 hours of discovering a confirmed or reasonably suspected breach, even if our investigation is ongoing.

Regulatory Compliance

As a FINRA-registered broker-dealer subject to SEC Regulation S-P, we are required to notify the SEC within 72 hours of discovering a breach involving customer information. We will cooperate fully in any regulatory notification process and provide you with the information you need to fulfill your own notification obligations.

Customer Notification

We will provide you with the information required to notify affected customers within 30 days of discovery, consistent with Regulation S-P requirements.

To report a suspected security issue, contact: operations@umergence.com

Security Inquiries and Documentation Requests

For enterprise security teams conducting vendor assessments, we can provide the following documentation upon request and under NDA:

Contact our security team: operations@umergence.com
For DPA and contract inquiries: operations@umergence.com