Security & Trust
Security and trust at Aloan
Last updated: June 2026
Aloan is SOC 2 Type II certified. Your loan files are encrypted in transit and at rest, processed on infrastructure hosted in the United States, and never used to train AI models. The documentation your risk and vendor-management teams need is ready before you ask for it.
At a glance
The short version
The six things a credit, risk, or IT team checks first, answered up front. The detail behind each one is below.
SOC 2 Type II
Independent audit of Security, Availability, and Confidentiality controls across a full observation period, not a one-day snapshot.
Encryption everywhere
TLS 1.2 or higher in transit, AES-256 at rest. Every file and every extracted field.
US-hosted
The platform and your data sit on infrastructure hosted in the United States.
No AI training on your data
Customer inputs and outputs are never used to train, improve, or fine-tune any AI model. Guaranteed in writing.
Source traceability
Every number Aloan extracts maps back to the exact source page, so an examiner can verify the work.
Restricted access
Access to production systems and customer data is role-based, logged, and reviewed.
Certifications & audits
What we have been audited against
Aloan's platform
Aloan has completed an independent SOC 2 Type II audit of our platform, policies, and operational controls. A Type II report covers how those controls operate over an observation period, so it reflects how Aloan runs day to day rather than how it looked on the morning of the audit. The report is available to current and prospective customers under NDA through our Trust Center. For what a vendor-management team should verify inside the report itself, read the SOC 2 Type II guide for commercial lending AI.
The infrastructure underneath
AI processing runs through enterprise APIs from Google Cloud (Gemini Enterprise) and Amazon Web Services (Bedrock). Each provider maintains its own independent certifications:
- SOC 2 Type II: independent audit of security, availability, and confidentiality controls
- ISO 27001: international standard for information security management
- FedRAMP: Federal Risk and Authorization Management Program
- HIPAA: Health Insurance Portability and Accountability Act eligibility
- GDPR: General Data Protection Regulation compliance
Both providers are carved into Aloan's SOC 2 Type II boundary, so their controls are covered by our report.
Carving the inference providers into Aloan's own SOC 2 boundary means their controls are reviewed inside our report, not handed to you as a separate problem. The SOC 2 Type II guide walks carve-in versus carve-out for a vendor-management team.
Data protection
How Aloan handles your loan data
Encryption in transit and at rest
Connections to the platform use TLS 1.2 or higher. Stored documents and extracted data are encrypted with AES-256.
US data residency and isolation
The platform and your data are hosted in the United States. AI inference runs in isolated environments. Model providers have no access to customer accounts, prompts, or outputs, and each institution's data is kept logically separate.
Access control and audit logging
Access to production systems and customer data is limited to the people who need it, granted by role, and logged. These controls are tested under the Security criterion of the SOC 2 Type II audit.
Retention and deletion
Under our provider contracts, inputs and outputs are not retained after a request is processed. Aloan keeps your data only as long as needed to provide the service, under our data retention policy, and removes it on request or at offboarding. We do not monetize, share, or repurpose customer data. See our privacy policy for the detail.
Source-document traceability
Every figure Aloan produces is traceable to the exact page it came from through the Data Fabric layer. That audit trail is what turns an AI output into something an examiner can verify line by line.
AI data security
The AI question, answered in full
The most common security question we get is whether putting loan files through AI means handing them to a model that learns from them. It does not. Aloan runs inference through enterprise APIs from Google Cloud (Gemini Enterprise) and AWS Bedrock, both of which guarantee in their contracts that customer inputs and outputs are never used to train, improve, or fine-tune foundation models. Data is processed, results come back, and no copy is kept.
The full architecture, the data flow from your team to the inference call and back, and the provider contractual terms are laid out on the AI data security page.
Regulatory alignment
Built for bank and credit union oversight
Aloan is a vendor, not a regulated depository, so these standards apply to you. Our job is to give your risk and compliance teams documentation that maps cleanly to the frameworks an examiner will reference.
FFIEC technology and third-party risk guidance
Information security, vendor management, business continuity, and audit logging are structured to line up with FFIEC IT examination expectations.
OCC 2023-17: Third-party risk management
Our vendor documentation supports the due diligence, contracting, and ongoing monitoring stages of a third-party risk program. For the lifecycle walkthrough and a SOC 2 review checklist, read the OCC 2023-17 guide for AI underwriting vendors.
SR 11-7: Model risk management
Full audit trails, source-document traceability, and human review at every step align with the Interagency Statement on Model Risk Management. Every AI output maps back to its source data for validation. See the examiner readiness guide for how this holds up in an exam.
GLBA Safeguards Rule
Encryption, access controls, and a written information security program support your obligations to safeguard the nonpublic personal information in a borrower's file.
For your review file
What we hand your vendor-management team
A bank security review should not stall on a vendor who cannot produce documents. Aloan ships a pack built to drop straight into a third-party risk file:
- SOC 2 Type II report for Aloan, under NDA, through the Trust Center
- Penetration test results
- Sub-processor attestations for Google Cloud and AWS, with links to their trust portals (SOC 2 Type II, ISO 27001, FedRAMP)
- Data processing agreement with explicit zero-training language
- Information security policies and procedures
- Business continuity and disaster recovery documentation
- Architecture and data-flow diagrams
- Model documentation and the override audit-trail surface for your SR 11-7 inventory
Most of it is available the moment you ask, through the Trust Center. Anything else comes back from a short security review call.
Responsible disclosure
Reporting a security concern
If you believe you have found a vulnerability in Aloan, or you need our security documentation for a review, email support@aloan.ai. We take reports seriously, respond promptly, and keep you updated through resolution. Please give us a reasonable window to investigate and fix an issue before sharing it publicly.
FAQ
Security and compliance questions
- Is Aloan SOC 2 Type II certified?
- How does Aloan encrypt and store loan data?
- Where is Aloan data hosted, and who runs the AI?
- Is bank data safe when Aloan uses AI?
- Can Aloan support our vendor due diligence and third-party risk process?
- Does Aloan undergo penetration testing?
- How does Aloan control access to customer data?
- What banking regulations does Aloan align with?
Questions about security?
Email us at support@aloan.ai or schedule a call to walk through your security requirements with us.