Intriq AI
Security

Security Overview

How Intriq AI protects your data and ensures the integrity of our platform.

Transformation Diagnostics AI Limited
Last Updated: May 2026
Classification: Public

Our security programme is independently certified to ISO 27001:2022 and SOC 2 Type II (Trust Service Criteria: Security, Availability, Confidentiality). Security is built into every layer of our platform — from infrastructure design to personnel practices.

01. Certifications

ISO 27001:2022

Transformation Diagnostics AI Limited operates a certified Information Security Management System (ISMS) conforming to ISO/IEC 27001:2022. The ISMS covers all aspects of platform development, operations, and data handling. Annual surveillance audits and continuous internal review maintain certification.

SOC 2 Type II

The Intriq AI platform has completed an independent SOC 2 Type II examination across the Trust Service Criteria for Security (CC1–CC9), Availability (A1), and Confidentiality (C1). Unlike a Type I report, which describes control design at a single point in time, a Type II report covers a defined examination period and attests that the controls operated effectively throughout that period. The report is available to enterprise clients and prospective customers under NDA on request.

02. Data Encryption

All data in transit is protected using TLS 1.3. All data at rest is encrypted using AES-256 with AWS KMS-managed keys. This applies to document storage (S3), database records (RDS PostgreSQL), and AI embeddings. Encryption key management is performed through AWS KMS with hardware security module (HSM) backing. Encryption standards are reviewed annually as part of our ISO 27001 risk assessment cycle.

03. Access Control

Access to client data and platform resources is governed by a least-privilege, role-based access control (RBAC) model. Users are assigned one of four roles (Viewer, Analyst, Manager, Admin), with permissions scoped to their own organisation. Every API endpoint enforces organisation-level data isolation: a request is always evaluated against the caller's organisation, so users cannot read or modify data belonging to any other organisation, even if they know or guess its identifiers.

Authentication is provided through AWS Cognito with a minimum 12-character password policy and time-limited JWT session tokens. Multi-factor authentication (MFA) is mandatory for all developer and AWS infrastructure access. End-user MFA via TOTP is available and configurable per organisation.

All privileged access to production infrastructure is logged via AWS CloudTrail and subject to quarterly access review.
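The two checks described above, per-endpoint role enforcement and organisation-level isolation, are shown here as an added example. This is hypothetical code written for this page, not Intriq AI's own implementation. The four role names come from the page; the permission matrix, the `custom:org_id` / `custom:role` claim names, the document records and the HTTP-style return values are all assumptions. Token signature and expiry verification is assumed to happen upstream (the page routes API traffic through API Gateway with JWT authorisation), so the code only maps already-verified claims to an identity.

```python
"""Added example: per-endpoint RBAC plus organisation-level isolation.

Hypothetical code, not Intriq AI's own. The four roles come from the page;
the permission matrix, claim names and sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Dict, Optional, Tuple


class Role(str, Enum):
    VIEWER = "viewer"
    ANALYST = "analyst"
    MANAGER = "manager"
    ADMIN = "admin"


# Assumed permission matrix: the page names the roles but not what each may do.
PERMISSIONS: Dict[Role, frozenset] = {
    Role.VIEWER: frozenset({"document:read"}),
    Role.ANALYST: frozenset({"document:read", "document:upload"}),
    Role.MANAGER: frozenset({"document:read", "document:upload", "document:delete"}),
    Role.ADMIN: frozenset({"document:read", "document:upload", "document:delete", "org:admin"}),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str
    role: Role


class AccessDenied(Exception):
    pass


def principal_from_claims(claims: Dict[str, Any]) -> Principal:
    """Map verified JWT claims to a caller identity, failing closed.

    Signature and expiry checks are assumed to happen upstream (an API Gateway
    JWT authoriser). The custom:org_id and custom:role claim names are
    assumptions; a missing claim or an unknown role value is rejected rather
    than mapped to a default.
    """
    try:
        return Principal(
            user_id=str(claims["sub"]),
            org_id=str(claims["custom:org_id"]),
            role=Role(str(claims["custom:role"]).lower()),
        )
    except (KeyError, ValueError) as exc:
        raise AccessDenied(f"unusable identity claims: {exc!r}") from None


def require(principal: Principal, permission: str) -> None:
    """Role check: raises unless the caller's role carries the permission."""
    if permission not in PERMISSIONS[principal.role]:
        raise AccessDenied(f"role {principal.role.value} lacks {permission}")


# Constructed sample data standing in for the document table. The key includes
# the owning organisation, so every lookup is tenant-scoped by construction
# (the equivalent of an unconditional `WHERE org_id = ?` in the real query).
DOCUMENTS: Dict[Tuple[str, str], Dict[str, str]] = {
    ("org-a", "doc-1"): {"name": "FY25 ledger.xlsx", "status": "processed"},
    ("org-b", "doc-2"): {"name": "Q3 board pack.pdf", "status": "processed"},
}


def find_document(org_id: str, doc_id: str) -> Optional[Dict[str, str]]:
    return DOCUMENTS.get((org_id, doc_id))


def handle_get_document(claims: Dict[str, Any], doc_id: str) -> Tuple[int, Dict[str, Any]]:
    """GET /documents/{id}: returns an HTTP-style (status, body) pair."""
    try:
        principal = principal_from_claims(claims)
        require(principal, "document:read")
    except AccessDenied as exc:
        return 403, {"error": str(exc)}
    doc = find_document(principal.org_id, doc_id)
    if doc is None:
        # Another organisation's document id is answered exactly like a
        # nonexistent one; a 403 here would confirm that the id exists.
        return 404, {"error": "not found"}
    return 200, {"id": doc_id, **doc}


def handle_upload_document(claims: Dict[str, Any], doc_id: str, name: str) -> Tuple[int, Dict[str, Any]]:
    """POST /documents: the owning org comes from the token, never from the body."""
    try:
        principal = principal_from_claims(claims)
        require(principal, "document:upload")
    except AccessDenied as exc:
        return 403, {"error": str(exc)}
    DOCUMENTS[(principal.org_id, doc_id)] = {"name": name, "status": "uploaded"}
    return 201, {"id": doc_id, "org_id": principal.org_id}


if __name__ == "__main__":
    analyst_a = {"sub": "u-1", "custom:org_id": "org-a", "custom:role": "analyst"}
    print(handle_get_document(analyst_a, "doc-1"))  # own document: 200
    print(handle_get_document(analyst_a, "doc-2"))  # other tenant's id: 404
```

Three details matter for a reviewer or tester. The organisation is part of the lookup key, so cross-tenant access fails inside the query rather than in a filter that a later endpoint might forget; a cross-tenant id gets the same 404 as a nonexistent one, so an enumeration attempt learns nothing; and the upload handler takes the owning organisation from the token, so a request body cannot write into another tenant. Missing or unrecognised claims are refused rather than defaulted, which is the fail-closed behaviour a least-privilege model requires.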

04. Network Security

The production environment runs on AWS (eu-west-1, Ireland) within a dedicated VPC with strict security group policies. All Lambda functions and ECS services run within private subnets with no direct internet exposure. API access is routed through AWS API Gateway with JWT authorisation. AWS GuardDuty and AWS Security Hub provide continuous threat detection and compliance monitoring. Vulnerability scanning is conducted regularly, and penetration testing is performed annually by an independent third party.

05. Physical Security

All production infrastructure is hosted on AWS, which provides physical data centre security including 24/7 surveillance, biometric access controls, and environmental monitoring at its eu-west-1 (Ireland) and eu-west-2 (London) facilities. AWS is treated as a subservice organisation in our SOC 2 report under the carve-out method: its physical security controls are excluded from our report and are instead covered by AWS's own ISO 27001 certification. No client data is processed on any on-premise or co-located hardware operated by Transformation Diagnostics AI Limited.

06. Data Residency

All client data is processed and stored within the UK / European Economic Area. The primary AWS region is eu-west-1 (Ireland); S3 cross-region replication targets eu-west-2 (London) for resilience. AI inference via GCP Vertex AI uses europe-west1 (Belgium) and europe-west2 (London). No client data is transferred outside the UK/EEA.

07. Audits and Compliance

Intriq AI undergoes annual independent security audits including:

  • ISO 27001:2022 surveillance and recertification audits
  • SOC 2 Type II examination by an independent AICPA-accredited auditor
  • Annual penetration testing by a third-party security firm
  • Continuous automated compliance scanning via Sprinto

We comply with the UK GDPR, EU GDPR, and Data Protection Act 2018. Our platform and data processing practices meet the requirements of both UK and EU data protection law. Because all client data is processed and stored within the UK/EEA, no international data transfers take place.

Transformation Diagnostics AI Limited is registered with the UK Information Commissioner's Office (ICO Registration No. ZB724099). Our Data Protection Officer is contactable at dpo@intriq.ai. Data Processing Agreements (DPAs) are executed with all clients prior to onboarding as a condition of access.

08. Incident Response

A documented Incident Response Plan (IRP) is in place and tested annually. The plan defines classification, escalation, containment, notification, and post-incident review procedures. AWS GuardDuty, CloudWatch alarms, and Sentry are configured to alert on anomalous behaviour.

Confirmed personal data breaches are reported to the UK ICO without undue delay and within 72 hours of Intriq AI becoming aware of them, in accordance with UK GDPR Article 33. Clients are notified within 24 hours of Intriq AI becoming aware of a breach affecting their data, followed by a full written incident report within 7 days.

09. Employee Training

All personnel complete security awareness training at onboarding and annually thereafter, delivered through our Sprinto-integrated training programme. Training covers data handling, access control, phishing awareness, incident reporting, and acceptable use. Background checks are conducted for all employees prior to engagement.

10. AI-Specific Controls

The Intriq AI platform processes sensitive financial documents on behalf of clients. Controls specific to the AI pipeline include:

  • Client data is strictly isolated: no cross-organisation data sharing occurs within AI processing pipelines
  • AI model outputs and uploaded document content are never used to train, fine-tune, or benchmark any AI model; this is a contractual warranty in our Data Processing Agreement. AWS Bedrock and GCP Vertex AI process inference requests under zero-training terms.
  • All AI inference is performed within the UK/EEA using the EU/UK regional endpoints of the providers named above
  • Human review workflows are available for all AI-generated outputs
  • Output disclaimers are presented to users at the point of delivery

11. Availability and Data Retention

The platform targets 99.0% monthly uptime with a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour. Availability is monitored continuously via AWS CloudWatch and reported to clients. The full service level schedule is included in our Terms of Use.

Client documents and AI-generated outputs are retained for the duration of the engagement plus 7 years in accordance with UK statutory requirements. On account closure, personal data is deleted within 14 days of confirmation. Backup archives are purged within 90 days.

12. Summary

Control / Standard           Status
ISO 27001:2022               Certified
SOC 2 Type II                Completed; report available under NDA
UK GDPR / DPA 2018           Compliant
Encryption in transit        TLS 1.3
Encryption at rest           AES-256, AWS KMS (HSM-backed)
Data residency               UK / EEA only
Penetration testing          Annual, independent third party
MFA                          Mandatory for all staff and infrastructure access; TOTP available to end users per organisation
No model training            Contractual warranty: client data never used for AI training
Client breach notification   Within 24 hours of Intriq AI becoming aware
ICO registration             ZB724099
Uptime target                99.0% monthly; RTO 4 h; RPO 1 h
Data retention               Engagement duration + 7 years; personal data deleted within 14 days of confirmed account closure; backups purged within 90 days

Report a Vulnerability

To report a security vulnerability or make an enquiry about our security programme, contact us at:

Transformation Diagnostics AI Ltd (Intriq AI)

20 Wenlock Road, London, N1 7GU, United Kingdom

For the full SOC 2 Type II system description or to request a copy of the report, contact us at security@intriq.ai. DPO: dpo@intriq.ai

© 2026 Intriq AI. All rights reserved.