Audit-ready. Human-in-the-loop by design.

AlphaLoops is built with compliance and regulatory requirements at its core. Every task and operation is timestamped and logged. AI reasoning is captured and tested against our proprietary truthfulness tests. We are SOC 2 Type II and GDPR compliant. Our security pack is available on request.

SOC 2 Type II · UK GDPR

Principles

Four core principles we hold to.

Your data, isolated by design.

Customer data is logically isolated with per-tenant access controls, encryption keys, and audit trails. No cross-firm training, no shared inference cache, no off-tenant telemetry. Single-tenant and on-prem deployments are available for enterprise.

Human-in-the-loop, every send.

Every piece of outreach is approved by a named person and signed in the register. Every CRM update lands as a diff. Automatic action is not a feature we offer.

Citations, or it didn't happen.

Every answer the platform gives carries its provenance — the email, the document, the prior conversation — back to the source.

The audit, written along the way.

The signed register isn't a report we generate on request. It's the by-product of normal operation. Compliance reads it. It is the artefact.

Attestations

Our certifications and attestations.

External audits and certifications, current as of Q2 2026. Detailed reports available under NDA via info@alphaloops.ai.

Certified
SOC 2 Type II
Annual audit
Most recent: July 2025

Compliant
GDPR & UK GDPR
DPIA on request
UK tenant available

In progress
ISO 27001
Certification
Target: Q3 2026

Configurable
Data residency
UK · EU · US
Chosen at provisioning

Frequently asked

The questions a Head of Compliance asks first.

The short answers below cover the questions we hear in the first five minutes of every security review. The full security pack expands each of these.

Does AlphaLoops ever send mail or update a record without human approval?

Users can choose between two review modes: “manual” review, where every outbound message is individually approved by a human, or “format approval,” where a sample of generated messages is shown for review and the approved format is then applied automatically to all subsequent messages. There is no auto-send mode that skips review. Every CRM update appears as a diff with easy one-click revert.

Where does our data live, and is it ever used to train models for other firms?

Customer data is logically isolated at every layer — per-tenant access controls, encryption keys, and audit trails — so one firm's documents, conversations, and embeddings are never visible to another. UK customers can pin to UK data residency at provisioning; EU and US regions are also available.

Customer data is never used to fine-tune models for other tenants, and there is no shared inference cache across firms.

For enterprise customers, single-tenant deployments — dedicated database, dedicated object storage, dedicated embedding index — and on-prem or air-gapped options are available on request.

Which model providers do you route through, and can we restrict that?

All of our models are hosted exclusively on secure Azure instances. Enterprise customers have the flexibility to choose which specific models are permitted for their deployment and to select their preferred region for model hosting. Private, air-gapped, and regional deployments are available according to your requirements.

What does a typical compliance review look like once we go live?

A signed register of every outbound message, every CRM change, every approval — generated as it happens. Most compliance teams move to a weekly read of the register rather than a sample-rate audit; some run both for a quarter.

The register exports to signed PDF, raw JSON or the audit API.

How long does it take to go from signed contract to first reviewer click?

A typical first-tenant rollout is six working days: tenant provisioning & SSO (day 1–2), CRM connector + field mapping (day 3–4), knowledge base ingestion and first drafts (day 5–6). Compliance review of the rollout itself usually adds a week.

What happens to our data if we offboard?

Customer data is exported in your chosen format and erased from our systems within 30 days of contract end. We issue a signed certificate of destruction. Backup copies are erased within a further 60 days under documented procedure.

Send the pack to your Head of Compliance.

Two PDFs: the SOC 2 Type II report (under NDA) and the controls catalogue (open). We turn around the NDA in one working day.