Wealth management runs on trust. So does Alcova.
Every control on this page exists because financial advice cannot tolerate sloppy handling of client information. Alcova is built, audited and operated to meet the standards Australian wealth firms expect, and to make it easy to prove it to your compliance team.
SOC 2 Type II
Independently audited against the security, availability and confidentiality trust services criteria. Our latest report is available under NDA.
Data resident in Australia
Your data is stored at rest exclusively in our cloud provider's Sydney region. We engineer for Australian wealth firms first, with the data-handling expectations to match.
Strong cryptography end-to-end
TLS 1.2 or higher protects every byte in transit. AES-256 protects every byte at rest, with per-firm encryption keys that cryptographically isolate every firm's client data.
Your client data lives in Sydney
Customer data is stored at rest exclusively in our cloud provider's Sydney region. Backups stay in Australia and are encrypted with the same controls as production data.
Where the act of delivering a feature reaches infrastructure outside Australia, your data stays inside our provider's private network, never traversing the public internet, and the result is returned to and stored in Sydney.
Every upstream provider in our data path contractually commits to a strict no-log, no-retain policy with respect to your data.
Our security posture
A concise, current view of how we protect your data across people, process and technology.
Encryption everywhere, by default
- TLS 1.2+ for all network traffic, including internal service-to-service communication.
- AES-256 encryption at rest for application databases, object storage and managed backups.
- Per-firm encryption keys cryptographically isolate every firm's client data. A compromise of one firm's key cannot expose another firm's data.
- Keys are managed by our cloud provider with rotation policies, strict separation of duties and full audit logging.
Least-privilege access, continuously enforced
- Role-based access controls govern every action a user or service can take.
- Multi-factor authentication is required for all Alcova personnel with access to production systems.
- Just-in-time elevation for sensitive operations, with full audit trails of who did what and when.
- You control which members of your team can see specific clients, meetings and AI-generated insights.
Built on Australian soil
- Primary data store is hosted in our cloud provider's Sydney (ap-southeast-2) region.
- Backups are kept within Australia and encrypted with the same controls as production data.
- Where any processing reaches outside Australia, it stays inside the provider's private network, never traversing the public internet, and the result is returned to Sydney.
- We only engage upstream providers that contractually commit to a strict no-log, no-retain policy with respect to your data.
Your data is never used to train models
- Your client data, calendar events, emails and meeting transcripts are never used to train Alcova's AI models or any third-party model.
- We disable training and abuse-monitoring data retention on every model provider we integrate with, in writing.
- AI inference is performed on a per-request basis; no inputs or outputs are retained by model providers beyond the immediate response.
- You can review the AI providers we use and the scope of data sent to each at any time.
Calendar and email access, minimally scoped
- Calendar access is required so Operator knows what is coming up and can prepare you for it. The scope is read-only.
- Email access is optional. When you enable it, Operator builds a working memory of client interactions and can draft emails on your behalf to save you time on follow-ups.
- Email content used for context is processed transiently. We store only the structured signal needed to make Operator useful, not raw inboxes.
- You can disconnect any workspace integration at any time from your account settings and revoke our access directly with the provider.
- Our use of Google Workspace data complies with the Google API Services User Data Policy, including the Limited Use requirements.
Continuous monitoring and rapid response
- Centralised logging and anomaly detection across application, infrastructure and identity layers.
- A documented incident response plan with defined roles, escalation paths and notification commitments to you.
- Regular vulnerability scanning, dependency monitoring and patching across our build and runtime environments.
- Annual penetration testing by an independent third party, with findings tracked through to remediation.
Security is part of how we work
- All personnel complete security and privacy training at onboarding and at least annually thereafter.
- Background checks are performed on every employee with access to production systems, where lawful.
- Formal policies cover acceptable use, change management, vendor risk, business continuity and data classification.
- Production access is granted on a need-to-know basis and reviewed on a recurring cadence.
A small, scrutinised set of subprocessors
- We keep our subprocessor list intentionally short. Every subprocessor is reviewed for security posture, data handling and regional fit before onboarding.
- All subprocessors are bound by data processing agreements that enforce confidentiality, security obligations and breach notification.
- Material changes to our subprocessor list are communicated in advance.
- We retain the right and the tooling to remove a subprocessor from the data path if their posture changes.
Audited, aligned and accountable
Independent verification of our controls and alignment with the regulatory frameworks Australian wealth firms operate under.
SOC 2 Type II
Independently audited controls covering security, availability and confidentiality.
Australian Privacy Principles
Operations aligned to the APPs under the Privacy Act 1988 (Cth).
Google API Services
Compliant with Google's Limited Use requirements for Workspace user data.
Our SOC 2 Type II report is available under NDA via our Trust Centre, where you can request access.
Report a vulnerability
If you believe you've found a security vulnerability in Alcova, we want to hear from you. Submit a detailed report, including reproduction steps where possible, through our Trust Centre. We acknowledge verified reports promptly and coordinate disclosure with the reporter.
Please do not perform testing that could degrade service for other firms, access data that isn't yours or violate any law. We will not pursue legal action against researchers who act in good faith and within the scope of this policy.
Common questions
Your data is stored at rest in our cloud provider's Sydney (ap-southeast-2) region. Backups remain within Australia and are encrypted with the same controls as production data.
No. Your client data, calendar events, emails and meeting transcripts are never used to train Alcova's models or any third-party model. We disable training and abuse-monitoring retention on every model provider we use, in writing.
All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256. Each firm has its own encryption keys, so client data is cryptographically isolated from every other firm on the platform. Keys are managed by our cloud provider with rotation policies, separation of duties and audit logging.
Calendar access is required and read-only. Email access is optional: enable it and Operator can use email context for briefings and notes, and draft emails on your behalf to save you time. You can review and revoke our access at any time from your workspace provider. For Google, visit myaccount.google.com/permissions.
Yes. Our SOC 2 Type II report is available via our Trust Centre at trust.alcova.ai, where you can request access under NDA.
Submit a report through our Trust Centre at trust.alcova.ai with a detailed description and, where relevant, reproduction steps. We respond to verified reports promptly and coordinate disclosure with the reporter.
Want the full security pack?
Subprocessor list, SOC 2 Type II report, penetration test summary and our standard DPA are available to qualified prospects and existing firms under NDA.
Visit our Trust Centre