Aloan

AI Data Security

How Aloan Uses AI Securely

Your loan data is never used to train AI models. AI processing runs through enterprise APIs with contractual data protection guarantees. Every document stays encrypted, isolated, and under your control.

AI Infrastructure

How Aloan Uses AI

Aloan's commercial underwriting platform uses AI to accelerate loan analysis: spreading financials, extracting and classifying documents, checking policy compliance, and generating credit memos.

AI processing is handled through enterprise API services from Google Cloud (Vertex AI) and Amazon Web Services (Bedrock). These are the same infrastructure providers used by the world's largest financial institutions.

Your loan data is never used to train AI models. Both Google Vertex AI and AWS Bedrock provide contractual guarantees that customer inputs and outputs are never used to train, improve, or fine-tune foundation models. Data is processed, results are returned, and no copy is retained by the model provider.

Data Handling

Data Handling & Privacy

Zero Data Training

Customer data is never used for AI model training. Google and AWS both provide this guarantee contractually.

Encryption

All data is encrypted in transit (TLS) and at rest. No exceptions.

Isolation

AI inference runs on private, isolated infrastructure. Model providers do not have access to customer data, prompts, or outputs.

Provider Access Controls

Both Google Cloud and AWS provide audit logging and access transparency. Model providers do not have access to customer accounts or data.

No Retention

AI providers do not retain customer inputs or outputs after processing. Aloan retains your data only as needed to provide the service, in accordance with our data retention policy.

Certifications

Compliance & Certifications

Aloan's AI inference providers — Google Cloud (Vertex AI) and AWS (Bedrock) — maintain the following certifications:

SOC 2 Type II

Independent audit of security controls, availability, and confidentiality (Google Cloud, AWS)

ISO 27001

International standard for information security management (Google Cloud, AWS)

FedRAMP

Federal Risk and Authorization Management Program (Google Cloud, AWS)

HIPAA

Health Insurance Portability and Accountability Act eligibility (Google Cloud, AWS)

GDPR

General Data Protection Regulation compliance (Google Cloud, AWS)

Regulatory Framework

Regulatory Alignment

Aloan's architecture is designed with banking regulatory expectations in mind:

FFIEC Guidance

Aligned with Federal Financial Institutions Examination Council guidance on technology risk management, including controls for third-party technology services, information security, and business continuity.

OCC 2023-17 — Third-Party Risk Management

Our vendor management documentation and security architecture are structured to support your OCC 2023-17 compliance requirements for third-party risk assessment, due diligence, and ongoing monitoring.

SR 11-7 — Model Risk Management

Aloan maintains full audit trails, source-document traceability, and human-in-the-loop review workflows that align with the Interagency Statement on Model Risk Management. Every AI output maps back to its source data for examiner verification.

Architecture

Secure Processing Pipeline

Bank users interact with the Aloan platform, which is hosted in the United States. When AI processing is needed, the platform makes encrypted API calls to Google Vertex AI or AWS Bedrock. Results are returned to the platform and presented to the user.

No data is stored by AI providers. No data is used for model training. No data is accessible to third parties. Your loan documents and financial data never leave the secure processing pipeline.

[Diagram: Bank Users → Aloan Platform (US-hosted) → Encrypted API Calls (TLS) → Google Vertex AI and AWS Bedrock. Caption: No data stored · No model training · No third-party access]

Due Diligence

Vendor Due Diligence

Our security posture is built to support your vendor management process and withstand regulatory scrutiny. We can provide:

  • Penetration test results
  • Provider compliance certifications (SOC 2, ISO 27001)
  • Information security policies and procedures
  • Business continuity and disaster recovery documentation
  • Data flow diagrams and architecture documentation
  • Additional security detail upon request

Aloan does not monetize, share, or repurpose customer data in any way.

FAQ

Security & Compliance Questions

How does Aloan protect my loan data when using AI?

Aloan processes loan data through enterprise AI APIs from Google Cloud (Vertex AI) and Amazon Web Services (Bedrock). Your data is encrypted in transit and at rest, processed in isolated inference environments, and never retained by AI providers after processing. Both providers contractually guarantee that customer inputs and outputs are never used to train, improve, or fine-tune foundation models.

Is customer data used to train AI models?

No. Both Google Vertex AI and AWS Bedrock provide contractual guarantees that customer data is never used for model training. Data is processed, results are returned, and no copy is retained by the model provider. This is non-negotiable for Aloan — we selected providers specifically because of these guarantees.

Which AI providers does Aloan use?

Aloan uses Google Cloud Vertex AI and Amazon Web Services Bedrock for AI processing. These are enterprise API services — the same infrastructure providers used by the world's largest financial institutions. We do not use consumer-grade AI services or open-source models hosted on unvetted infrastructure.

What compliance certifications do Aloan's AI providers hold?

Aloan's AI inference providers - Google Cloud (Vertex AI) and AWS (Bedrock) - maintain SOC 2 Type II, ISO 27001, FedRAMP, HIPAA eligibility, and GDPR compliance certifications. We can provide documentation of our providers' certifications and our own security controls upon request.

How does Aloan align with banking regulations for AI use?

Aloan's architecture is designed with banking regulatory expectations in mind, including alignment with FFIEC guidance on technology risk management, OCC third-party risk management standards (OCC 2023-17), and the Interagency Statement on Model Risk Management (SR 11-7). Our documentation and audit trails are built to support examiner scrutiny.

Can AI providers access our loan documents or financial data?

No. AI inference runs on private, isolated infrastructure. Model providers do not have access to customer data, prompts, or outputs. Both Google Cloud and AWS provide audit logging and access transparency controls. Your loan documents never leave the secure processing pipeline.

How long does Aloan retain customer data?

AI providers do not retain customer inputs or outputs after processing. Aloan retains your data only as needed to provide the service, in accordance with our data retention policy. We do not monetize, share, or repurpose customer data in any way.

Can Aloan support our vendor due diligence process?

Yes. Our security posture is built to support your vendor management process and withstand regulatory scrutiny. We can provide documentation of our security controls, our providers' compliance certifications, and additional security detail upon request. Contact support@aloan.ai or schedule a security review to get started.

Questions About Security?

Contact us at support@aloan.ai or schedule a call to discuss your security requirements.