Independent reports and entity details.
The SOC 2 report is available to customers, prospects and due-diligence reviewers after approval.

| Entity | Finlogica AI Pty Ltd · ACN 691 803 817 |
|---|---|
| Domicile | Australia · Melbourne, Victoria |
| Report | SOC 2 — Security, Confidentiality and Availability |
| Auditor | Prescient Security · AICPA SOC for Service Organisations |
| Supporting evidence | Maintained for procurement, risk and governance review |
| Access model | Approval required before report download |

Questions your diligence team should be able to answer.
A practical mirror of the questions risk, compliance, security and procurement teams typically ask when assessing an AI workflow for regulated advice.
Data management
Where data lives, how long it is retained, and how it is removed.
- Where is data stored and processed?
- What data is retained and for how long?
- Can data be deleted on request?
Access and audit
How user access is controlled and how the file can be reconstructed later.
- Are RBAC, MFA and least privilege supported?
- Are file-level actions logged?
- Can the file be reconstructed later?
Model boundary
What inference service is used, and how model and prompt change is governed.
- Which inference service is used?
- Is client data used for training?
- Are model and prompt changes governed?
Integration
How inputs and outputs move through the firm's existing environment.
- Can intake use secure email or folder?
- Is API integration available?
- Does the workflow avoid another adviser desktop?
Incident readiness
How incidents are detected, escalated and notified.
- How are incidents detected and escalated?
- What customer notifications apply?
- What BCP / DR evidence is available?
Operational controls
How changes are approved, exceptions are reviewed and pilot performance is measured.
- How are changes approved?
- How are exceptions reviewed?
- How is pilot performance measured?
Controls mapped to the core assurance themes.
Access, authentication, change
SSO / SAML / MFA, RBAC, least privilege, change control and vulnerability management.
Data protection and segregation
Encryption, customer-tenant segregation, Australian PII residency and no external model training on client data.
Monitoring, recovery, resilience
Production monitoring, backup and recovery procedures, incident response and disaster recovery testing.
Audit-ready records
Inputs, checks, reviewer notes, outputs and approval history retained against the file.
How customer and end-client data flows through Finlogica.
| Inputs | Fact-find data, portfolio data, scope letters and adviser instructions are received through controlled email, secure shared folder or API integration. |
|---|---|
| Processing | PII is extracted, structured and processed within Australian-hosted production controls. Calculation steps run deterministically outside the language model. |
| Inference | Language-model inference is constrained to AWS Bedrock. No client data is routed outside the Bedrock service boundary. |
| Outputs | Adviser-ready advice packs are returned through the same controlled channel as inputs. Run-level evidence is retained against the file. |
| Training | Customer data is not used to train, fine-tune or improve any foundation model. |

Secure when configured. Standard email is not in scope.
What "secure intake" means at Finlogica
- Inbound and outbound TLS enforcement
- Sender authentication via SPF, DKIM and DMARC alignment
- Encrypted-attachment handling and file-type whitelisting
- Content scanning and data-loss-prevention rules
- Mailbox access controls, MFA and audit logging
- Retention and disposal aligned to customer record-keeping obligations
Customers preferring stronger separation can use the secure shared-folder option or the API integration layer instead.
Material sub-processors and their roles.
| Sub-processor | Role | Region |
|---|---|---|
| AWS | Cloud infrastructure, AI processing through AWS Bedrock, storage and networking | Australia (ap-southeast-2) |
| Model providers via Bedrock | Foundation-model inference within the Bedrock service boundary | AWS Bedrock region |
| Productivity suite | Internal communications, identity and document collaboration | Australia |
| Security tooling | Logging, monitoring and vulnerability scanning | Australia / customer-aligned |

Business continuity and disaster recovery posture.
| Backup | Customer data backed up on a continuous basis with periodic snapshots retained per the customer's configured retention policy. |
|---|---|
| Recovery | Documented recovery procedures with target RPO and RTO disclosed to customers under NDA. |
| Testing | Annual disaster-recovery exercise. Findings are recorded and remediated. |
| Incident response | Documented incident-response procedure including customer and OAIC notification where required. |

Diligence materials for qualified prospects.
Released to qualified customer, prospect and due-diligence reviewers under NDA.
Independent report available after approval.
Material service providers, role and region.
Data flow, model boundary and high-level deployment model.
Configuration notes for secure email and folder workflows.
Escalation, notification and operating procedures.
Continuity, backup, recovery and testing posture.


