Trust
Trust by architecture, not by promise.
Audit-readiness, GoBD/IFRS/SOX coverage, EU residency, ISO 27001, Zero Training Policy — all consequences of how the Reconciliation Layer is built.
The detail your security, audit, and tax teams need lives in the Trust Center Package.
ISO 27001
EU hosted
Zero Training
Audit-Ready by Design
100% line-item · immutable trail
Compliance Coverage
GoBD · IFRS · SOX · BEPS
Security Architecture
AES-256 · TLS 1.3 · SSO · SCIM
EU Data Residency
Frankfurt · SCCs pre-executed
Zero Training Policy
Customer data never used to train
Deployment Flexibility
SaaS · Single-Tenant · BYOC · On-Prem
Trust Center Package
Everything your security and legal teams need
The Trust Center Package collects the documentation typically requested in enterprise security and procurement reviews. Request once, share with your team. Updated quarterly.
Single request, full package: ISO 27001 certificate, DPA + SCCs, sub-processor list, penetration test summary, SOC 2 Type II readiness letter, architecture brief, EU AI Act readiness documentation, Customer Data Lifecycle and Incident Response details.
ISO 27001 Certificate
Full certificate + audit scope
DPA + Standard Contractual Clauses
EU 2021 SCCs · pre-executed
Sub-Processor List
Updated quarterly
Penetration Test Summary
Annual 3rd-party test · executive summary
Architecture Brief
Technical document for IT/Audit
EU AI Act Readiness Documentation
Classification posture · obligations mapping
Customer Data Lifecycle & Incident Response
Retention · deletion · DSGVO Art. 15–22 · IR posture
Section 01 · Pillar 03 anchor
Audit-readiness as a byproduct, not an extra task
Every matching decision logged immutably — rule, model, timestamp, user, confidence, rationale. Sampling is structurally replaced with 100% line-item coverage. The audit evidence the auditor receives is pre-populated, immutable, and at the line item — sampling becomes a validation exercise, not a coverage exercise.
100%
Line-item coverage
Every match populated, every exception raised on the day it appears. No sampling, no post-hoc reconstruction.
−30 to −50%
Year-end audit time
Continuous monitoring at the transaction level stands in for sampled audits. Auditor receives evidence on day one, not last day.
Big-4 ready
External-auditor walk-through
Walk-through calls with Big-4 engagement teams are routine — including for US-listed customers in your industry profile.
Full audit walk-through · ICFR control description · ISO 27001 certificate available in the Trust Center Package →
Compliance posture
GoBD, IFRS, SOX, BEPS — one integrated audit trail
The reconciliation engine produces compliance evidence as a byproduct. The full standards mapping, certificates and documentation packages live in the Trust Center Package.
ISO 27001
Information Security Management System · third-party audited
Certified
GoBD
Ordnungsmäßigkeit · Nachvollziehbarkeit · Unveränderbarkeit · platform layer
Covered
IFRS 10 · HGB §297
Group consolidation · IC elimination evidence
Covered
SOX Sec. 404
ICFR posture · deterministic-first matching · immutable trail
Covered
BEPS Action 13 · §90 AO
Transfer-pricing documentation · transaction-level evidence
Covered
GDPR · DPA + SCCs
EU 2021 Standard Contractual Clauses · pre-executed
Pre-executed
EU AI Act
High-risk readiness documentation · positioned to meet obligations on classification
Documented
Certificates, control description, audit-scope details and compliance attestations available in the Trust Center Package →
Security architecture
Enterprise-grade security from day one
Encryption, identity, and continuous validation built in — not retrofitted. The detail and the third-party reports live in the Trust Center Package.
Data protection & encryption
Production data encrypted at rest with AES-256-GCM via Cloud KMS. Data in transit uses TLS 1.3 with HSTS enforced on every endpoint. DLP content scanning runs before any model invocation.
AES-256-GCM
TLS 1.3
Cloud KMS
DLP at inference
Access control & identity
RBAC at workspace and Flow level. SSO via SAML 2.0 / OIDC with native Azure AD, Okta, Google Workspace integration. SCIM provisioning end-to-end. Phishing-resistant MFA required for every user.
SAML 2.0 · OIDC
SCIM
RBAC per RECON
WebAuthn · Passkey
Penetration testing & logging
Annual third-party penetration test with summary report. Immutable audit logging captures every system event, every model interaction, every administrative action — retrievable on demand.
Annual 3rd-party test
Immutable logging
Summary in Package
Data sovereignty
Data stays in the EU. By default. By architecture.
Production data hosted exclusively in europe-west3 (Frankfurt) — no cross-border transfer under standard configuration. Backup and disaster-recovery infrastructure are also EU-resident.
Frankfurt · europe-west3 by default
All production data hosted in the EU. Standard configuration involves no cross-border data transfer.
Dedicated EU enclave option
For customers with data-localisation mandates: a dedicated EU processing enclave with full tenant isolation.
SCCs & DPA pre-executed
EU 2021 Standard Contractual Clauses ready to sign. Works Council / Betriebsrat consultation supported with pre-prepared documentation.
Never used for training
Customer data is never used to train, fine-tune, or improve any model — own or third-party. Contractual in the DPA.
Tenant-isolated inference
No cross-tenant learning. Architecturally enforced isolation between customers, validated by the same audit log that covers reconciliation matches.
Auditable model invocations
Every model call logged — when, by whom, on what data. Available to internal audit and external auditors under NDA.
Strategic differentiation anchor
Your data is never used to train models.
Zero Training Policy — contractually guaranteed in the DPA, applied to all third-party LLM providers. Tenant-scoped inference, no cross-tenant learning, architecturally enforced.
Deployment models
Four deployment models. One Layer.
From SaaS to fully air-gapped on-premise. Scoped to your security and operational requirements. Detail and architecture brief in the Trust Center Package.
Multi-Tenant SaaS
Default deployment
Shared infrastructure with full tenant isolation. The fastest path to value.
4–6 wk go-live
per Flow
Single-Tenant SaaS
Dedicated infrastructure
For customers with isolation requirements. Same architecture, isolated stack.
99.95% SLA
Dedicated
BYOC · Bring Your Own Cloud
In your cloud account
Deploy the platform into your own GCP, Azure, or AWS environment. Your data never leaves your cloud.
GCP
Azure
AWS
On-Premise
Air-gap capable
Helm Chart deployment for the most regulated environments. No cloud connectivity required.
Helm
Air-gap
Regulated
Validate the business case on your data